Semgrep Pro Engine overview
Introduction
Go beyond single-file analysis to detect vulnerabilities across files and functions with Semgrep Pro Engine. By design, the Semgrep open-source software (OSS) Engine only analyzes interactions within a single function. This limited scope makes Semgrep OSS fast and easy to integrate into developer workflows. Semgrep Pro Engine gives security teams the option to trade off speed for better results and deeper analysis.
Semgrep Pro Engine includes interfile analysis and interprocedural analysis, which finds vulnerabilities that aren't detectable with Semgrep OSS. By analyzing interactions across files and across functions, Semgrep Pro Engine can reduce noise, uncover new vulnerabilities, and make results easier to understand. Build trust with your developers by only showing them high-confidence results that are easy to fix.
Semgrep Pro Engine is a proprietary extension of Semgrep OSS. Just like Semgrep OSS, Semgrep Pro Engine runs on raw source code and it doesn't require compiled code for its analysis.
Semgrep Pro engine language support
Refer to Supported languages to see languages supported by Semgrep Pro Engine. Semgrep Cloud Platform users can also check language support on the Settings page.
Using and running Semgrep Pro Engine
This section guides you through the Semgrep Pro Engine installation and helps you to scan your projects both in CLI and with the Semgrep Cloud Platform (SCP).
Installing Semgrep Pro Engine in CLI
Prerequisites:
- Local installation of Semgrep CLI. See Getting started with Semgrep OSS Engine to install Semgrep CLI.
- Team tier or higher of Semgrep Code. If you want to try Semgrep Pro Engine, get in touch with us through our contact page.
To install and run Semgrep Pro Engine in the CLI, follow these steps:
- Log in to Semgrep Cloud Platform with the following command:
semgrep login
- Follow the link that Semgrep CLI printed on the command line.
- To install Semgrep Pro Engine use the following command:
semgrep install-semgrep-pro
- Optional: To test Semgrep Pro Engine, use the following command in the root directory of the codebase to scan:
semgrep --pro --config "p/default"
- Optional: If you prefer not to send usage metrics to Semgrep, run the following command. See the Semgrep Privacy Policy for details of what is sent to Semgrep.
semgrep --pro --config "p/default" --metrics off
Let us know what you think about the results in the Semgrep Community Slack.
Updating Semgrep Pro Engine in CLI
To update Semgrep Pro Engine to the latest version, follow these steps:
- Update Semgrep OSS Engine with the command for your platform:
  - macOS: brew upgrade semgrep (alternatively: python3 -m pip install --upgrade semgrep)
  - Linux: python3 -m pip install --upgrade semgrep
  - Windows Subsystem for Linux (WSL): python3 -m pip install --upgrade semgrep
  - Docker: docker pull returntocorp/semgrep:latest
- Log in to Semgrep Cloud Platform:
semgrep login
- Update Semgrep Pro Engine:
semgrep install-semgrep-pro
The command to update Semgrep Pro Engine is the same as the command to install Semgrep Pro Engine.
Enabling Semgrep Pro Engine in Semgrep Cloud Platform
Prerequisites:
- An existing Semgrep Cloud Platform account. See Signing in to SCP.
- Team tier or higher of Semgrep Code. If you want to try Semgrep Pro Engine, get in touch with us through our contact page.
To enable Semgrep Pro Engine in the Semgrep Cloud Platform, follow these steps:
- Sign in to Semgrep Cloud Platform.
- Select Settings.
- Enable the Semgrep Pro Engine beta toggle.
- Ensure that you have the default ruleset added in your Rule Board. If this ruleset is not added, go to https://semgrep.dev/p/default, and then click Add to Rule Board. For best results, place this ruleset in the Monitor column.
- Optional: If you don't have any projects added to your organization, follow the procedures described in Scanning a repository to scan a new project with Semgrep Pro Engine. Ensure that your project's language is supported by Semgrep Pro Engine.
To test Semgrep Pro Engine on a purposefully vulnerable repository, fork the juice-shop repository, and then add it to SCP by following the steps described in section Adding or onboarding a new project (repository).
Creating interfile analysis rules
Interfile analysis rules you use in Semgrep Pro Engine require the interfile: true key under the rule's metadata key. This key signals Semgrep Pro Engine to use the rule for interfile analysis. See the following example.
Example of an interfile: true key:
rules:
  - id: dangerous-call-to-employees-pro-engine-example
    metadata:
      interfile: true
    patterns:
      - pattern: dangerous("Employees")
    message: Call of dangerous on employees table
    languages:
      - js
    severity: WARNING
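The rule above is a plain pattern rule; the flow-sensitive case where interfile analysis pays off is a taint rule whose source and sink live in different files. The following rule is an added example, not part of the Semgrep documentation, and the two-file scenario in its comments (routes.js, db.js, findEmployees) is constructed.

```yaml
# Added example, not from the Semgrep docs. Constructed scenario it targets:
#   routes.js : const name = req.query.name; findEmployees(name);
#   db.js     : function findEmployees(n) {
#                 return db.query("SELECT * FROM Employees WHERE name = '" + n + "'");
#               }
# The source is read in routes.js and the sink is called in db.js, so a
# single-file engine never sees the flow; interfile: true lets Semgrep Pro
# Engine connect the two through the findEmployees call.
rules:
  - id: request-data-reaches-raw-sql-interfile-example
    metadata:
      interfile: true          # opt this rule into interfile analysis
    mode: taint
    pattern-sources:
      - pattern: req.query.$PARAM
      - pattern: req.body.$PARAM
    pattern-sanitizers:
      # values coerced to a number cannot carry SQL syntax
      - pattern: parseInt(...)
      - pattern: Number(...)
    pattern-sinks:
      - patterns:
          - pattern: $DB.query($QUERY, ...)
          - focus-metavariable: $QUERY   # the query text is the sink, not the callback
    message: >-
      Request data reaches a raw SQL query built by string concatenation.
      Use a parameterised query instead.
    languages:
      - js
    severity: ERROR
```

Without the metadata key the rule still runs under Semgrep Pro Engine, but only flows that start and end inside one function are reported.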
Additional information
Types of Semgrep Pro Engine analysis
- Interfile analysis
- The interfile analysis gathers context across multiple files to help security engineers deeply understand their organization's security issues. Semgrep Pro Engine reduces noise and detects new vulnerabilities that Semgrep OSS Engine can't find. Interfile analysis runs on nightly scans. These scans may take longer to complete and can use more memory than Semgrep OSS Engine scans. See the available languages for interfile analysis in Semgrep Pro Engine supported languages.
- Interprocedural analysis
- Interprocedural analysis keeps the fast scan times of Semgrep OSS Engine while also finding new vulnerabilities that cross functions within a single file. Interprocedural analysis improves results in pull requests (PRs) or merge requests (MRs) through CI scans. Interprocedural analysis is available for all languages listed as GA on the Supported languages page.
Semgrep Pro Engine CI scan issues
To provide reliably completed scans, Semgrep Pro Engine can fall back to the use of Semgrep OSS Engine. This ensures that in the vast majority of cases, scans run successfully.
If a scan uses more than 5 GB of memory during pre-processing, the scan uses Semgrep OSS Engine to ensure lower memory consumption. Similarly, if the Semgrep Pro Engine scan doesn't complete after 3 hours, the Pro Engine times out and Semgrep OSS rescans the repository. Typically, this is because the repository is very large.
If one or two repositories cause CI scan issues, modify their config files to run semgrep ci --oss-only. This overrides the Semgrep CI settings for these repositories and always runs their scans with Semgrep OSS.
If many repositories cause scan issues:
- Disable the Semgrep Pro Engine beta toggle in the Settings page of your organization.
- Contact the Semgrep team in the Semgrep Community Slack so we can help you to fix the issue and create a plan for your organization.
Difference between Semgrep Pro Engine and join mode
Semgrep Pro Engine is different from join mode, which also allows you to perform interfile analyses by letting you join on the metavariable matches in separate rules. Join mode is an experimental feature which is not actively developed or maintained. You may encounter many issues while using join mode.
Feedback for Semgrep Pro Engine
The team at Semgrep is excited to hear what’s on your mind. As you explore Semgrep Pro Engine, we want to know what you'd like to be able to capture with it. We believe that this deeper analysis helps users find more vulnerabilities, build trust with developers, and enforce code standards quickly. Let us know what you think about the results in the Semgrep Community Slack.