Rule examples
Not sure what to write a rule for? Below are some common questions, ideas, and topics to spur your imagination. Happy hacking! đź’ˇ
Common use cases
Below are common use cases with sample rules to get you thinking.
| Use case | Semgrep rule |
|---|---|
| Ban dangerous APIs | Prevent use of exec |
| Search routes and authentication | Extract Spring routes |
| Enforce the use secure defaults | Securely set Flask cookies |
| Enforce project best-practices | Use assertEqual for == checks, Always check subprocess calls |
| Codify project-specific knowledge | Verify transactions before making them |
| Audit security hotspots | Finding XSS in Apache Airflow, Hardcoded credentials |
| Audit configuration files | Find S3 ARN uses |
| Migrate from deprecated APIs | DES is deprecated, Deprecated Flask APIs, Deprecated Bokeh APIs |
| Apply automatic fixes | Use listenAndServeTLS |
| Ban importing bad packages | Ban imports matching a regex |
Rule prompts
Try answering these questions to uncover important rules for your project.
- From recent post mortems: what code issues contributed to it?
- [XYZ] is a (security, performance, other) library that everyone should use, but they don’t consistently.
- When you review code, what changes do you frequently ask for?
- What vulnerability classes from bug bounty submissions reoccur (or appear in different places of the codebase)?
- Are there eng / perf patterns? Consistent exception handlers?
- What issues were caused by misconfigurations in Infrastructure-as-Code files (JSON)?
- What are some “invariants” that should hold about your code - things that should always or never be true (e.g. every admin route checks if user is admin)?
- What methods/APIs are deprecated and you’re trying to move away from?