
Semgrep Pro Engine overview

Use Semgrep Pro Engine to detect vulnerabilities across files and folders.

By design, Semgrep open-source software (OSS) Engine can only analyze interactions within a single function, also known as intraprocedural analysis. This limited scope makes Semgrep OSS fast and easy to integrate into developer workflows. Semgrep Pro Engine gives security teams the option to trade off speed for better results and deeper analysis.

Semgrep Pro Engine includes cross-file (also called interfile) analysis and cross-function (also called interprocedural) analysis, which find vulnerabilities that aren't detectable with Semgrep OSS. By analyzing interactions across files and functions, Semgrep Pro Engine can reduce noise, uncover new vulnerabilities, and make results easier to understand.

Semgrep Pro Engine is a proprietary extension of Semgrep OSS Engine. Like Semgrep OSS Engine, Semgrep Pro Engine runs on raw source code and doesn’t require compiled code for its analysis.

Language support

Refer to Supported languages to see languages supported by Semgrep Pro Engine.

Using and running Semgrep Pro Engine

This section guides you through the Pro Engine installation and helps you to scan your projects both in CLI and with Semgrep Cloud Platform (SCP).

Running Semgrep Pro Engine in Semgrep Cloud Platform

Prerequisite

This is the preferred method to run Semgrep Pro Engine. It enables you to view and triage your findings from a centralized location. Code is not uploaded.

To run Semgrep Pro Engine in the Semgrep Cloud Platform, follow these steps:

  1. Sign in to Semgrep Cloud Platform.
  2. Click Settings.
  3. Ensure that the Pro Engine beta toggle is enabled.
  4. Ensure that you have the default ruleset added in your Policies page. If this ruleset is not added, go to Semgrep Registry - Default ruleset page, then click Add to Policy. For best results, set this ruleset to the Monitor rule mode.
  5. Perform either of the following:
    1. If you don't have any repositories for scanning in Cloud Platform: Follow the procedures in Scanning a repository to scan a new repository with Semgrep Pro Engine. Ensure that your project's language is supported by Semgrep Pro Engine.
    2. If you have existing repositories in Semgrep Cloud Platform: Full scans now include Semgrep Pro Engine. You can trigger a full scan through your CI provider.

Pro Engine now runs on all full scans. Note that it does not support scanning on diff-aware (pull or merge request) scans.

Testing Semgrep Pro Engine

To test Semgrep Pro Engine on a purposefully vulnerable repository, fork the juice-shop repository, and then add it to SCP by following the steps described in Adding or onboarding a new project (repository).

Running Semgrep Pro Engine in CLI

Prerequisite

To run Pro Engine in the CLI, perform the following steps.

  1. Sign up or sign in to Semgrep Cloud Platform.
  2. For first-time users, click Create an organization. Note that you can further integrate organizations (orgs) with GitLab accounts and GitHub accounts, including personal and org accounts, after you complete this procedure.
  3. Click Settings > Pro Engine and ensure that the Pro Engine beta toggle is enabled.
  4. Ensure that you are in the root directory of the repository you want to scan.
  5. In your CLI, log in to your Semgrep Cloud Platform account and run a scan:
    semgrep login && semgrep ci

Updating Semgrep Pro Engine in CLI

To update Semgrep Pro Engine to the latest version, follow these steps:

  1. Update Semgrep OSS engine with the following command:

    brew upgrade semgrep

    Alternatively:

    python3 -m pip install --upgrade semgrep
  2. Log in to Semgrep Cloud Platform:

    semgrep login
  3. Update the Semgrep Pro Engine:

    semgrep install-semgrep-pro

Creating rules that analyze across files and functions

To create rules that analyze across files and functions, add interfile: true under the options key when defining a rule. This key signals to Semgrep Pro Engine to use the rule for both cross-function and cross-file analysis.

Pro Engine cross-function example

The following example, presented in the rule editor on the original page, shows how to define the interfile key (see the Rule pane) and the resulting cross-function analysis in the Test code pane. Running the rule reports the true positive in lines 27-30 of the test code.

The Pro Engine performed cross-function analysis: the userInput() source is called in main(), while the exec() sink is called in the DockerCompose class. Neither function alone contains both the source and the sink, so an intraprocedural scan cannot connect them.

To compare Semgrep OSS and Semgrep Pro Engine on the same example, remove the following lines from the rule in the Rule pane:

    options:
      interfile: true

This results in a failure to detect the true positive, because Semgrep did not perform cross-function analysis.
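The following POSIX shell script is an added example (not code from the Semgrep docs or from the Semgrep project) that reproduces the comparison above on disk: it writes a two-file Python fixture in which the userInput() source is called in main() and the exec() sink is called inside a DockerCompose class in a second file, writes a taint rule with `interfile: true`, and scans the fixture once with `--oss-only` and once with `--pro`. The file names, rule id, the `up()` method and the `subprocess` body of `exec()` are assumptions made for this fixture; `--pro` and `--oss-only` are real `semgrep scan` flags, and `--pro` requires that you have already run `semgrep login` and `semgrep install-semgrep-pro`.

```shell
#!/bin/sh
# Added example, not code from the Semgrep docs: build a two-file Python fixture
# whose taint source (userInput) and sink (DockerCompose.exec) live in different
# files, write a taint rule with `interfile: true`, and scan it with Semgrep OSS
# and with Semgrep Pro Engine so the difference is visible.
# Assumptions: file names, rule id and method bodies are invented for this
# fixture; only the source/sink names follow the page's description.
set -eu

make_interfile_fixture() {
  dir="$1"
  mkdir -p "$dir"

  # main.py: the source. Untrusted input enters here and is handed to a class
  # defined in another file, so a single-function scan loses track of it.
  cat > "$dir/main.py" <<'EOF'
from compose import DockerCompose

def userInput():
    return input("service name: ")

def main():
    svc = userInput()
    DockerCompose().up(svc)

if __name__ == "__main__":
    main()
EOF

  # compose.py: the sink. exec() is only ever called from inside the class.
  cat > "$dir/compose.py" <<'EOF'
import subprocess

class DockerCompose:
    def up(self, service):
        self.exec("docker compose up " + service)

    def exec(self, cmd):
        # shell=True with attacker-influenced data: command injection
        subprocess.run(cmd, shell=True, check=False)
EOF

  # rule.yaml: taint mode plus `options: interfile: true`. Remove the options
  # block (or scan with --oss-only) and the finding disappears.
  cat > "$dir/rule.yaml" <<'EOF'
rules:
  - id: interfile-command-injection-example
    mode: taint
    languages: [python]
    severity: ERROR
    message: userInput() reaches DockerCompose.exec() across files
    options:
      interfile: true
    pattern-sources:
      - pattern: userInput(...)
    pattern-sinks:
      - pattern: $OBJ.exec(...)
EOF
}

# Scan the fixture twice: OSS (intraprocedural) and Pro Engine (cross-file).
# The --pro run needs `semgrep login` and `semgrep install-semgrep-pro` first.
compare_engines() {
  dir="$1"
  command -v semgrep >/dev/null 2>&1 || { echo "semgrep is not installed" >&2; return 1; }
  echo "== Semgrep OSS only: expect 0 findings =="
  semgrep --config "$dir/rule.yaml" --metrics=off --oss-only "$dir"
  echo "== Semgrep Pro Engine: expect 1 finding in compose.py =="
  semgrep --pro --config "$dir/rule.yaml" --metrics=off "$dir"
}

# Usage: sh compare_pro.sh run
if [ "${1:-}" = "run" ]; then
  fixture=$(mktemp -d)
  make_interfile_fixture "$fixture"
  compare_engines "$fixture"
fi
```

The OSS scan reports nothing because in main() the tainted value only reaches `DockerCompose().up(svc)`, which is not a sink, and in compose.py nothing is a source. The Pro Engine scan follows `svc` through `up()` into `self.exec(...)` and reports the sink in compose.py, which is exactly the cross-function, cross-file flow the rule widget on this page illustrates.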

Additional information

Types of Semgrep Pro Engine analysis

Cross-file (interfile) analysis
  • Cross-file analysis finds patterns spanning multiple files to help security engineers deeply understand their organization's security issues. This analysis reduces noise and detects issues that Semgrep OSS Engine can't find.
  • Cross-file analysis runs on full scans. These scans may take longer to complete and can use more memory than Semgrep OSS Engine scans. See the available languages for cross-file analysis in Supported languages.
  • In Semgrep Pro Engine, cross-file analysis includes cross-function analysis as well.
Cross-function (interprocedural) analysis

Semgrep Pro Engine CI scan issues

To provide reliably completed scans, Semgrep Pro Engine can fall back to the use of Semgrep OSS Engine. This ensures that in the vast majority of cases, scans run successfully.

If a scan uses more than 5 GB of memory during pre-processing, the scan uses Semgrep OSS Engine to ensure lower memory consumption. Similarly, if the Pro Engine scan doesn't complete after 3 hours, the Pro Engine times out and Semgrep OSS rescans the repository. Typically, this is because the repository is very large.

If only one or two repositories cause CI scan issues, change their CI configuration to run semgrep ci --oss-only. This overrides the Semgrep Cloud Platform setting for those repositories and always scans them with Semgrep OSS.

If many repositories cause scan issues:

  1. Disable the Pro Engine beta toggle in the Settings page of your organization.
  2. Contact the Semgrep team in the Semgrep Community Slack so we can help you to fix the issue and create a plan for your organization.

Difference between Semgrep Pro Engine and join mode

Semgrep Pro Engine is different from join mode, which also allows you to perform cross-file analyses by letting you join on the metavariable matches in separate rules. Join mode is an experimental feature which is not actively developed or maintained. You may encounter many issues while using join mode.

Feedback for Semgrep Pro Engine

The team at Semgrep is excited to hear what’s on your mind. As you explore Semgrep Pro Engine, we want to know what you'd like to be able to capture with it. We believe that this deeper analysis helps users find more vulnerabilities, build trust with developers, and enforce code standards quickly. Let us know what you think about the results in the Semgrep Community Slack.

