Pro rules

Increase scan coverage for injection vulnerabilities, secrets, and other critical vulnerability types

Rules for popular languages and frameworks


Find hardcoded secrets

More than 100 high-accuracy rules to find hardcoded secrets in Java, JavaScript, TypeScript, Python, C#, Swift, and Ruby.

Discover malicious deserialization mechanisms

60+ rules supporting 14 Python libraries/frameworks and 3 commonly used Java libraries, both standalone and in combination with Java Servlets and the Spring Framework.

Detect XXE vulnerabilities

Detect XML external entity issues with support for common Java libraries and classes, identifying the many different ways they can be insecurely configured and used.

Advanced coverage

  • Compared to Community rules, Pro rules provide better coverage for Java, JavaScript, TypeScript, Python, PHP, Ruby, C#, Swift, and Go.

  • The combination of Pro rules running on Pro Engine provides high-confidence results with scans running across files.


Continuously monitored and updated

  • Rules are continuously updated by our Security Research team based on rule performance and user feedback.


Developer-focused

  • High-confidence rules typically use features such as taint tracking analysis with sets of sources, sinks, propagators, and sanitizers curated by our Security Research team.

  • By focusing on high confidence, Pro rules allow organizations to enhance their CI/CD pipelines with actionable security findings and avoid lengthy triage sessions.
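To illustrate the source, sink, propagator and sanitizer model referred to above, here is a taint-mode Semgrep rule written for this page as an added example; it is not one of the Pro rules and not code from the Semgrep project. The rule id and the commented target snippet are constructed; `flask`, `subprocess` and `shlex` are the real Python libraries.

```yaml
# Added example: a Semgrep taint rule that reports request-controlled
# data reaching an OS command unless it passed through shlex.quote().
rules:
  - id: example-flask-request-to-subprocess   # constructed rule id
    mode: taint
    languages: [python]
    severity: ERROR
    message: >-
      User-controlled input from the Flask request reaches a subprocess
      call without being neutralized by shlex.quote().

    # Sources: where untrusted data enters the program.
    pattern-sources:
      - pattern: flask.request.args.get(...)
      - pattern: flask.request.form.get(...)

    # Propagators: taint on an appended element taints the whole list,
    # so building a command as a list does not hide the data flow.
    pattern-propagators:
      - pattern: $LIST.append($ITEM)
        from: $ITEM
        to: $LIST

    # Sanitizers: data that went through shlex.quote() is considered clean.
    pattern-sanitizers:
      - pattern: shlex.quote(...)

    # Sinks: only the command argument of the subprocess call is the sink,
    # so tainted data in other keyword arguments does not trigger a finding.
    pattern-sinks:
      - patterns:
          - pattern-either:
              - pattern: subprocess.run($CMD, ...)
              - pattern: subprocess.Popen($CMD, ...)
          - focus-metavariable: $CMD

# Constructed target code (not from the page) showing what the rule decides:
#   args = ["ls"]
#   args.append(flask.request.args.get("dir"))  # source, propagates to `args`
#   subprocess.run(args)                        # sink reached: finding reported
#
#   safe = shlex.quote(flask.request.args.get("dir"))
#   subprocess.run(["ls", safe])                # sanitized: no finding
```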


Learn more on the Semgrep blog

Need for speed: static analysis version

Brandon Wu

Powerfully autofixing code with Semgrep's new AST-based approach

Nat Mote

Keep your rules simple with symbolic propagation

Iago Abal

A deep dive into Semgrep Supply Chain

Kurt Boberg


Get Started With Semgrep Code

Use Pro Engine and Pro rules to find critical issues