If you want the best introduction to writing Semgrep rules, use the interactive, example-based Semgrep rule tutorial.
Do it live!
You can write and share rules directly from the live editor. You can also write rules in your terminal and run Semgrep via a standalone CLI or Docker.
You can write rules that do things like:
- Automate code review comments
- Identify secure coding violations
- Scan configuration files
- And more! Check out more use cases here.
The example rule detects the use of `is` when comparing Python strings. `is` checks reference equality (object identity), not value equality, so whether two equal strings compare as identical depends on interpreter details such as string interning, and the result can differ between runs or Python versions. Use `==` (or `!=`) for string comparison.
- Pattern syntax describes what Semgrep patterns can do in detail, and provides example use cases of the ellipsis operator, metavariables, and more.
- Rule syntax describes Semgrep YAML rule files, which can have multiple patterns, detailed output messages, and autofixes. The syntax allows the composition of individual patterns with boolean operators.
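The rule file below is an added example, not a rule from the Semgrep tutorial or the Semgrep registry; the rule ids, message text, and severity are my own choices. It puts the rule syntax described above to work on the string `is` comparison case: `pattern-either` composes both operand orders, `metavariable-pattern` restricts `$S` to a string literal (the quoted `'"..."'` is deliberate, since an unquoted `"..."` in YAML would become the bare `...` pattern that matches anything), and `fix` rewrites the comparison to a value comparison.

```yaml
# Added example rule file (e.g. string_is_comparison.yaml); not from the Semgrep docs.
rules:
  - id: python-string-is-comparison
    languages: [python]
    severity: WARNING
    message: >-
      `$X is $S` compares object identity, not value. Whether two equal strings
      are the same object depends on interning, so the result can change between
      runs or interpreter versions. Use `==` instead.
    patterns:
      # Match either operand order.
      - pattern-either:
          - pattern: $X is $S
          - pattern: $S is $X
      # Only fire when one side is a string literal. The outer single quotes
      # keep YAML from collapsing the Semgrep pattern "..." into a bare ...
      - metavariable-pattern:
          metavariable: $S
          pattern: '"..."'
    fix: $X == $S

  - id: python-string-is-not-comparison
    languages: [python]
    severity: WARNING
    message: >-
      `$X is not $S` compares object identity, not value. Use `!=` to compare
      string contents.
    patterns:
      - pattern-either:
          - pattern: $X is not $S
          - pattern: $S is not $X
      - metavariable-pattern:
          metavariable: $S
          pattern: '"..."'
    fix: $X != $S
```

Run it with `semgrep --config string_is_comparison.yaml target.py`; add `--autofix` to apply the `fix` rewrites in place. To keep the rules honest as you extend them, pair the file with a `string_is_comparison.py` test file whose lines carry `# ruleid: python-string-is-comparison` above expected findings and `# ok: python-string-is-comparison` above cases that must not match (for example `x is None` or `a == "b"`), then run `semgrep --test` in that directory.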
Looking for ideas on what rules to write? See Rule examples for common use cases and prompts to help you start writing rules from scratch.