Semgrep Explained

Semgrep, Inc
Former Name:r2c
Industry:Computer Security
Founded:2017
Semgrep OSS
Logo Size:300px
Developer:Semgrep, Inc.
Released:[1]
Qid:Q105563018
Programming Language:OCaml (core) and Python (CLI)
License:LGPL v2.1
Genre:Static program analysis

Semgrep, Inc. (formerly r2c[2]) is a cybersecurity company based in San Francisco. The company develops the Semgrep AppSec Platform (a commercial offering for SAST, SCA, and secrets scanning) and actively maintains the open-source static code analysis tool '''semgrep OSS'''.

Semgrep has stable support for over 30 languages including C#, C, C++, Go, Java, JavaScript, JSON, Python, PHP, Ruby, and Scala. Language support on semgrep OSS is community driven and does not support interprocedural or interfile analysis.[3]

The name is a combination of semantic and [[grep]], referring to semgrep being a text search command-line utility that is aware of source code semantics.[4]

Services

Semgrep, Inc. provides a continuous integration service (called Semgrep CI), rule-writing tools (called the Semgrep Playground and editor), and a rule library (called Semgrep Registry) free of charge for both commercial and open source users.[5]

Semgrep rules are similar to source code and do not require knowledge of a domain specific language to write. Both open source and commercial rules can be forked and customized to a user's codebase, however only commercial users are able to customize commercial rules. All users are free to fork and modify open source (community) rules.[6]

History

Semgrep was based on sgrep, an open source part of pfff, a program analysis library developed at Facebook in 2009. Pfff was inspired by Coccinelle, an open-source utility for programs written in C. Yoann Padioleau, the original author of sgrep and a contributor to Coccinelle, joined r2c in 2019.[7] [8] [9] sgrep was forked from pfff by r2c, and in 2020 the sgrep fork was renamed semgrep to avoid name collisions with existing projects.[10] [11] [12]

Redpoint Ventures and Sequoia Capital backed r2c in an unannounced seed round and later funded a $13 million Series A round in 2020. The company's product portfolio consisted only of Semgrep OSS and its ecosystem at the time.[13] [14]

Semgrep, Inc. announced in 2023 that it had raised a $53 million Series C funding round with Lightspeed Venture Partners leading the investment and participation from previous investors Felicis Ventures, Redpoint Ventures, and Sequoia Capital. The company has raised a total of $93 million, including their Series C financing.[2]

The Open Web Application Security Project (OWASP) listed Semgrep in its source code analysis tools list.[15] As of 2023 April, Semgrep has 132 contributors and over 9000 stars on GitHub.[16] From Docker Hub the Docker image has been pulled more than 60 million times.[17]

Usage

Semgrep can be installed with Homebrew[18] or pip.[19] Additionally it can run without installation on Docker. Analysis can be done without the need of custom configuration, and by utilizing rulesets created by Semgrep Inc. and open source contributors. The tool also allows users to write their own patterns and rules through the CLI using a pattern language unique to semgrep. A free online rule editor and a tutorial are also available.[20] [21]

See also

External links

Notes and References

  1. Web site: Release – sgrep 0.4.0 – returntocorp/semgrep . Github.com . 2021-02-03.
  2. Web site: Miller . Ron . 2023-04-18 . Semgrep (formerly r2c) lands $53M investment to grow code security platform . 2023-04-19 . TechCrunch.
  3. Web site: 2024-05-22 . Supported languages Semgrep . 2024-05-29 . semgrep.dev . en.
  4. Web site: Detect complex code patterns using semantic grep. 2021-02-02. owasp.org. Nagy. Bence. 2. Presentation.
  5. Web site: 2024-05-16 . Write custom rules Semgrep . 2024-05-29 . semgrep.dev . en.
  6. Web site: 2024-05-16 . Write custom rules Semgrep . 2024-05-29 . semgrep.dev . en.
  7. Web site: A Brief Introduction to Semgrep (part 1). 2020-10-29. TrustFoundry. Lauerman. Alex.
  8. Web site: Previous version of Semgrep's README.md file on GitHub. . 2021-02-02.
  9. Web site: Semgrep: Lightweight static analysis for many languages. 2021-02-02. Hacker News.
  10. Web site: Pull request of Semgrep on GitHub. . 2021-02-02.
  11. Web site: Previous version of Semgrep's README.md on GitHub. . 2021-02-02.
  12. Web site: Semgrep A Practical Introduction. 2020-08-13. NotSoSecure.com. Salecha. Rohit.
  13. Web site: Redpoint and Sequoia are backing a startup to copyedit your shit code. 2020-10-29. 2021-02-02. TechCrunch.com.
  14. Web site: Forbes Cybersecurity Awards 2020: Corellium, The Tiny Startup Driving Apple Crazy. 2020-12-27. 2021-02-02. Forbes.com.
  15. Web site: OWASP Source Code Analysis Tools . Owasp.com . 2020-02-02.
  16. Web site: Semgrep on GitHub. .
  17. Web site: Semgrep on Docker Hub. 2023-04-19.
  18. Web site: Semgrep on Homebrew Formulae. 2021-02-03.
  19. Web site: Semgrep on pypi.org. 2021-02-03. Python Package Index.
  20. Web site: Semgrep Documentation – Getting started. 2021-02-02. semgrep.dev.
  21. Web site: Semgrep for Cloud Security. 2020-12-12. marcolancini.it. Lancini. Marco.

This article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia article "Semgrep".

Except where otherwise indicated, Everything.Explained.Today is © Copyright 2009-2024, A B Cryer, All Rights Reserved. Cookie policy.