If you want the best introduction to writing Semgrep rules, use the interactive, example-based Semgrep rule tutorial.
Do it live!
Write and share rules directly from the Playground. You can also write rules in your terminal and run them with the Semgrep command line tool.
You can write rules that:
- Automate code review comments
- Identify secure coding violations
- Scan configuration files
- See more use cases in Rule ideas.
This rule detects the use of
is when comparing Python strings.
is checks reference equality, not value equality, and can exhibit nondeterministic behavior.
The following articles guide you through rule writing basics or can provide you with needed references:
- Pattern syntax describes what Semgrep patterns can do in detail, and provides example use cases of the ellipsis operator, metavariables.
- Rule syntax describes Semgrep YAML rule files, which can have multiple patterns, detailed output messages, and autofixes. The syntax allows the composition of individual patterns with boolean operators.
- Contributing rules gives you an overview of where and how you can contribute to Semgrep Registry rules. This document also provides some information about tests and appropriate metadata information you may use for your rules.
Looking for ideas on what rules to write? See Rule ideas for common use cases and prompts to help you start writing rules from scratch.