Rule examples

Not sure what to write a rule for? Below are some common questions, ideas, and topics to spur your imagination. Happy hacking! 💡

Common use cases

Below are common use cases with sample rules to get you thinking.

| Use case | Semgrep rule |
|---|---|
| Ban dangerous APIs | Prevent use of exec |
| Search routes and authentication | Extract Spring routes |
| Enforce the use of secure defaults | Securely set Flask cookies |
| Enforce project best practices | Use assertEqual for == checks, Always check subprocess calls |
| Codify project-specific knowledge | Verify transactions before making them |
| Audit security hotspots | Finding XSS in Apache Airflow, Hardcoded credentials |
| Audit configuration files | Find S3 ARN uses |
| Migrate from deprecated APIs | DES is deprecated, Deprecated Flask APIs, Deprecated Bokeh APIs |
| Apply automatic fixes | Use listenAndServeTLS |
| Ban importing bad packages | Ban imports matching a regex |
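Three of the use cases above (enforce a secure default, ban imports matching a regex, apply an automatic fix) written out as complete Semgrep rules. These are added examples, not rules from the Semgrep registry or from this page; the rule ids, the `legacy_` package prefix and the message wording are assumptions chosen for illustration.

```yaml
rules:
  # Secure default: report set_cookie() calls that do not pass secure=True.
  # The pattern-not excludes calls that already opt in, so the rule reports
  # both an explicit secure=False and a missing keyword argument.
  - id: flask-set-cookie-missing-secure
    languages: [python]
    severity: WARNING
    message: >-
      $RESP.set_cookie() is called without secure=True, so the cookie is also
      sent over plaintext HTTP. Pass secure=True (and httponly=True for
      session cookies).
    patterns:
      - pattern: $RESP.set_cookie(...)
      - pattern-not: $RESP.set_cookie(..., secure=True, ...)

  # Ban imports matching a regex: any module whose name starts with legacy_
  # (an assumed naming convention for packages that are being retired).
  # metavariable-regex runs on the text bound to $MOD, so dotted names such
  # as legacy_db.sub are covered as well.
  - id: ban-legacy-package-imports
    languages: [python]
    severity: ERROR
    message: "Importing $MOD is banned; legacy_* packages are being removed."
    patterns:
      - pattern-either:
          - pattern: import $MOD
          - pattern: from $MOD import $NAME
      - metavariable-regex:
          metavariable: $MOD
          regex: ^legacy_

  # Project best practice with an automatic fix: inside a unittest.TestCase,
  # rewrite `assert a == b` to self.assertEqual(a, b), which prints both
  # values when the check fails. The fix is applied only with --autofix.
  - id: use-assertequal
    languages: [python]
    severity: INFO
    message: "Use self.assertEqual($A, $B) instead of a bare assert with ==."
    patterns:
      - pattern-inside: |
          class $T(unittest.TestCase):
              ...
      - pattern: assert $A == $B
    fix: self.assertEqual($A, $B)
```

Save the block as a file (say `rules.yml`, an assumed name) and run `semgrep --config rules.yml .` to report findings, or `semgrep --config rules.yml --autofix .` to also apply the `fix:` of the third rule. The `fix:` string is substituted with the metavariables bound by the rule's `pattern`, so `assert total == 3` becomes `self.assertEqual(total, 3)`.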

Rule prompts

Try answering these questions to uncover important rules for your project.

  1. From recent post-mortems: what code issues contributed to each incident?
  2. [XYZ] is a (security, performance, other) library that everyone should use, but people don’t use it consistently.
  3. When you review code, what changes do you frequently ask for?
  4. What vulnerability classes from bug bounty submissions reoccur (or appear in different places of the codebase)?
  5. Are there engineering or performance patterns you want applied consistently? Consistent exception handlers?
  6. What issues were caused by misconfigurations in Infrastructure-as-Code files (JSON)?
  7. What are some “invariants” that should hold about your code - things that should always or never be true (e.g. every admin route checks whether the user is an admin)?
  8. What methods/APIs are deprecated and you’re trying to move away from?
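The invariant from prompt 7, every admin route checks that the user is an admin, written as a Semgrep rule. This is an added example, not a rule from this page or the Semgrep registry; it assumes a Flask application object named `app`, admin routes registered under a `/admin` path prefix, and a project helper `require_admin()` that aborts the request when the caller is not an admin.

```yaml
rules:
  - id: admin-route-missing-admin-check
    languages: [python]
    severity: ERROR
    message: >-
      Route $PATH is under /admin but $FUNC never calls require_admin().
      Every admin route must verify that the caller is an admin before doing
      any work (project invariant).
    patterns:
      # Any Flask view function registered with a route decorator. The
      # trailing ... accepts extra decorator arguments such as methods=[...].
      - pattern: |
          @app.route($PATH, ...)
          def $FUNC(...):
              ...
      # Restrict to paths starting with /admin. The text bound to a string
      # literal metavariable may include its quotes, so the regex allows an
      # optional leading quote character.
      - metavariable-regex:
          metavariable: $PATH
          regex: ^["']?/admin
      # Exclude views whose body already calls the check (assumed helper).
      - pattern-not: |
          @app.route($PATH, ...)
          def $FUNC(...):
              ...
              require_admin()
              ...
```

To keep the rule honest as the codebase changes, put a small Python file next to it with one view marked `# ruleid: admin-route-missing-admin-check` (a `/admin` route without the check) and one marked `# ok: admin-route-missing-admin-check` (the same route calling `require_admin()`), then run `semgrep --test` on that directory; Semgrep reads those comments and fails the test if the findings do not land on exactly the annotated lines.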