Semgrep Pro rules
This article provides an overview of rules provided exclusively by Semgrep, Inc. called Semgrep Pro rules. These high-confidence, professionally maintained rules are a proprietary addition to Semgrep Registry.
The goal of Pro rules is to provide a set of well-supported rules with improved coverage across languages and vulnerability types. Semgrep Pro rules are written using Semgrep’s latest features and, in general, target users who are looking to produce highly accurate, actionable findings.
Types of rules in the Semgrep Registry by author
- Community rules - reviewed by the Semgrep team, these rules consist of contributions from Semgrep’s community. Community rules encompass a wide array of rules, including many that are made for security auditors.
- Third-party rules - created directly by external contributors such as Trail of Bits, GitLab and many more.
- Private rules - rules authored and published by your own organization, for use only by your organization.
- Pro rules - proprietary rules created by the Semgrep team targeted for security and software engineers who need accurate findings. These rules provide increased coverage for many programming languages and use the latest Semgrep features.
Semgrep Pro rules content
Semgrep Pro rules provide improved coverage for many languages, including Java, JavaScript, TypeScript, Python, PHP, Ruby, C#, Swift, and Go.
Semgrep Pro rules provide improved findings across many languages on specific classes of vulnerabilities, such as injection vulnerabilities, deserialization, XXE, and many others, as well as increased support for frameworks and technologies such as Express, Spring, Java Servlets, Laravel, Go net/http, React, Next.js, and Angular.
Semgrep's Security Research team plans to keep improving coverage by adding support for more languages and popular frameworks, as well as reducing potential false positives by monitoring rules’ performance.
Scan with Semgrep Pro rules
Your Semgrep AppSec Platform account already includes Pro rules that are likely to be widely useful, as they are included in the Default ruleset. These Pro rules run on all your scans.
- To make the most out of Pro rules, ensure that you are running cross-file analysis.
- Rules that don't apply to your target repository's language or framework are skipped automatically even if they are in your Policies page. For example, if your repository contains JavaScript code and you have added Go rules, the Go rules are unused. Unused rules do not add to scan time.
Change rule modes or disable Pro rules in Semgrep AppSec Platform
Like any other rule or ruleset, you can disable Pro rules or change their rule mode to leave comments for developers or potentially block a PR.
- Sign in to Semgrep AppSec Platform.
- Navigate to Rules > Policies.
- Under Source, click Pro to view all the Semgrep Pro rules currently in your Policies.
- Find and select the rules you want to disable or change.
- Click Change modes and select one of the provided options.
You can find all previously added Semgrep Pro rules in your Policies page, so if you want to re-enable Pro rules or adjust the mode again in the future, use the Source > Pro filter as described previously.
Add Semgrep Pro rules in CLI or CI
For CLI users: You must be logged in.
In some cases, you may want to run a scan with a specific set of Pro rules:
- Go to Semgrep Registry.
- Click Visibility > Pro rules.
- Optional: Apply additional filters by entering search terms in the search box or selecting filters from drop-down boxes.
- For a single rule, click the Rule's card > Run locally. For rulesets, click the card.
- Copy and paste the command to your CLI or CI configuration file. You can add several rulesets.
Figure. A ruleset consisting of Pro and non-Pro rules. Copy and paste the snippet under Test and Run Locally to your CLI or CI.
Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.