After gathering traction on GitHub, open source security tool enjoys formal launch today

Software security start-up r2c has launched an open source static analysis tool that it hopes will become “the Burp Suite of source code analysis”.

Semgrep is a free and open source tool that scans an entire project on-demand or automatically in CI/CD on every build or commit, with all analysis carried out locally.

It’s based on Sgrep – a tool created at Facebook in 2009 by Yoann Padioleau and used internally to enforce nearly 1,000 secure coding practices. Now working at r2c, Padioleau has continued to develop the tool into its current form.

“What I think Burp Suite does right, which in my opinion has led it to being the de facto standard in web application security testing, is that it also comes with significant security expertise baked in, but further, it’s highly flexible and customizable to your current target,” Clint Gibler, r2c’s head of security research, tells The Daily Swig.

“Similarly, Semgrep aims to be useful out of the box, with hundreds of security rules… but crucially, it aims to be highly customizable and easily tunable to the code base being tested.”


RECOMMENDED Paranoid about Android: Vulnerability scanners tackle code obfuscation and false positives


Semgrep also makes it easy to write custom rules that don’t require a domain specific language.

“In Semgrep, rules look like the language you’re targeting. So, if you’re targeting JavaScript, your rule looks like JavaScript, if you’re targeting Python, it looks like Python,” he says.

“This empowers security engineers and developers to easily write rules specific to their organization and how their code works, rather than relying only on generic, one-size-fits-all rules.”


Semgrep is maintained by r2c of San Francisco

Reducing the review load

Semgrep runs on source code with no compilation required, and can scan large code bases in minutes.

It has more than 900 freely available rules that cover common languages and frameworks for OWASP Top 10-type security issues, performance, correctness, and more.

Currently Semgrep supports Go, Java, JavaScript, Python, Ruby, and TypeScript, with more languages planned.

The tool is aimed at pen testers, security researchers, application security engineers, CISOs, security managers, and developers. It has already acquired more than 2,000 GitHub stars, with community contributions and adoption from OWASP, and is in use in a number of companies.

“Semgrep reduced our review load by accurately pinpointing code we actually care about,” says Dropbox security engineer Po-Ning Tseng.

“It replaced the complex regex and ad-hoc AST walker with an intuitive syntax which, combined with the flexible and performant platform, analyzes our monolithic repos.”

And Jobert Abma, co-founder of HackerOne, praised Semgrep’s rule engine interface.

“We use a number of static code analysis tools and have written plenty of rules over the years,” he said. “The internal AST query interfaces those tools offer are often poorly documented and difficult to write, understand, and maintain.

“Semgrep’s interface makes it easy to rewrite complex matchers into one or two simple Semgrep rules that are easy to maintain by almost all engineers.”

Real-world security gains

Gibler says the Semgrep command-line interface and the hundreds of rules in the public registry will remain open source.

However, the company is also launching free ‘community’ and paid ‘teams’ versions of a SaaS application that manages Semgrep’s deployment and updating across thousands of repos and manages scanning policy, such as which rules are run on which repos, and what happens to the results. It also provides a dashboard for metrics.

Looking ahead, r2c plans to add additional programming languages, and to build additional advanced program analysis features to support secure-by-default enforcement features such as constant propagation and taint tracking.


Read more of the latest open source software security news


And, says Gibler, r2c is partnering with the OWASP community to create Semgrep rules for OWASP Cheat Sheets, aimed at making it easier for developers to follow secure coding best practices in their integrated development environment (IDE).

The company also hopes to provide Semgrep rules to help companies automatically and programmatically determine the security posture of their applications, and establish how they measure up to the security controls recommended by standards such as ASVS.

“We hope to demonstrate, empirically in practice, that Semgrep plus secure defaults can eliminate entire classes of vulnerabilities in real companies,” Gibler says.

And, he adds: “Like Burp Suite is to web application security testing, we hope to become the de facto, industry standard way security professionals search code and enforce security properties.”


READ MORE ReNgine: Open source recon tool automates intel-gathering process for pen testers