Semgrep — Pro rules

Optimized for Semgrep Pro Engine

Pro rules

Reduce false positives while increasing scan coverage for injection vulnerabilities and other critical vulnerability types

Improved coverage and developer-oriented results

Semgrep Pro rules are written to minimize false positives so findings can be presented to developers in their workflows, avoiding lengthy triage sessions.
Pro rules running on Pro Engine provide high-confidence results by leveraging interfile and interprocedural dataflow analysis.
High confidence rules use features like taint tracking with sources, sinks, propagators, and sanitizers curated by our Security Research team.

Rules for popular languages and frameworks:

Find injection vulnerabilities

More than 100 high-accuracy rules to find injection vulnerabilities in Java, PHP, JavaScript, Kotlin, Rust, and Swift.

Discover malicious deserialization mechanisms

60+ rules supporting 14 Python libraries/frameworks and 3 commonly used Java libraries, both standalone or in combination with Java Servlets and the Spring Framework.

Detect XXE vulnerabilities

Detect XML external entity issues with support for common Java libraries and classes, to identify the many different ways they can be insecurely configured and used.

Continuously monitored and updated

Rules are continuously updated by our Security Research team based on rule performance and user feedback.
Compared to Community rules, Pro rules provide better coverage for Java, JavaScript, TypeScript, Python, PHP, Ruby, C#, Swift, and Go.
Pro rule coverage for languages is continuously expanded by our Security Research team.

Customize and manage rules at scale

Rule syntax is intuitive and similar to source code so there's no need to learn new domain-specific languages to make tweaks.
Get a top-down view of fix and ignore rates to optimize rule policies and behaviors (monitor, comment, or blocking).