Semgrep: custom as a feature and why do we start with it?
October 2, 2025·150 views

Hello, let's begin.

I'd like to talk about

Static Application Security Testing (SAST) is an analysis method that checks source code for vulnerabilities without running the program. This is a white-box approach.

Now let's look at the tool itself, starting with a short summary of what it offers:

- Goes beyond plain pattern matching: dataflow/taint tracking and inter-file (cross-file) chains
- Prioritizes dependency vulnerabilities by reachability
- Custom rules: you can write your own policies
- Identification and validation of active (live) secrets
- Analyzes code using syntax patterns
- Supports many languages (Python, JavaScript, TypeScript, Java, Go, C/C++, Ruby, etc.)
- Baseline commit support (`--baseline-commit`): report only findings introduced since a given commit
- Incremental scanning: diff calculation causes no delays and needs no fiddling
- Can run as a pre-commit hook
- License type: LGPL 2.1 (early versions were proprietary, now completely open source)
- Report formats: JSON, SARIF, GitLab SAST, JUnit XML, Text, Emacs, Vim

Overall, the tool is meant to be an open source analyzer that works on syntactic patterns, but there is also a paid version with additional rules, deeper analysis, more flexibility and much more. As if we didn't know that good things come at a cost: licensing is per contributor, 40 US dollars each.

Here are commands for working with the tool that will help you understand it in more detail and learn how to use it:

```shell
# Install via pip (or brew, docker)
python -m pip install semgrep

# Scanning the repository
semgrep scan --config auto       # auto-detection of language and basic rules
semgrep scan --config p/python   # Python rules only (other registry packs: p/gosec, p/golang, p/javascript, p/dockerfile, p/react, p/secrets, p/owasp-top-ten)

# CI/CD
semgrep ci                                         # run semgrep as part of a pipeline
semgrep scan --config "p/ci" --exclude "tests/"    # directory exclusion
semgrep ci --allow-untrusted-validators            # run validators from rule sources other than semgrep.dev
semgrep ci --code                                  # run only the static analyzer (Semgrep Code)
semgrep ci --autofix                               # apply the autofixes defined in rules to the code (experimental feature)
semgrep ci --dryrun                                # show the autofixes without writing them to files

# Output to SARIF (for GitHub Security)
semgrep scan --config auto --sarif -o results.sarif

# Docker
docker pull returntocorp/semgrep
docker run -v "$(pwd):/src" returntocorp/semgrep semgrep scan --config auto   # start scanning
```
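To show the "custom" part in practice, here is an added example that is not from the original post: a rule file with two custom policies for Python, a search-mode rule with an autofix and a taint-mode rule that follows request data into a shell command (the rule ids, messages and the chosen sources, sanitizers and sinks are my own choices).

```yaml
# custom-rules.yml (added example, not part of the original post)
rules:
  # 1) Search-mode rule with an autofix: flag yaml.load() without a safe loader
  - id: custom-yaml-load-unsafe
    languages: [python]
    severity: WARNING
    message: yaml.load() without a safe Loader can build arbitrary objects; use yaml.safe_load()
    patterns:
      - pattern: yaml.load($DATA, ...)
      - pattern-not: yaml.load(..., Loader=yaml.SafeLoader)
      - pattern-not: yaml.load(..., Loader=yaml.CSafeLoader)
    # `semgrep --autofix` rewrites the match to this; `--dryrun` only shows it
    fix: yaml.safe_load($DATA)
    metadata:
      category: security
      cwe: "CWE-502: Deserialization of Untrusted Data"

  # 2) Taint-mode rule: Flask request parameters reaching a shell command
  - id: custom-flask-arg-to-shell
    languages: [python]
    severity: ERROR
    message: Request parameter reaches a shell command without quoting
    mode: taint
    pattern-sources:
      - pattern: flask.request.args.get(...)
      - pattern: flask.request.form.get(...)
    # shlex.quote() neutralises the value, so flows through it are not reported
    pattern-sanitizers:
      - pattern: shlex.quote(...)
    pattern-sinks:
      - patterns:
          - pattern-either:
              - pattern: subprocess.run($CMD, ...)
              - pattern: subprocess.Popen($CMD, ...)
              - pattern: os.system($CMD)
          # only the command argument is the sink, not the other parameters
          - focus-metavariable: $CMD
    metadata:
      category: security
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"
```

Check the file with `semgrep --validate --config custom-rules.yml`, then run `semgrep scan --config custom-rules.yml`; adding `--autofix` applies the `fix:` of the first rule, and `--dryrun` only prints the change.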

Now let's look at how integration into a pipeline works.

CI/CD

GitLab CI (`.gitlab-ci.yml`):

```yaml
semgrep_scan:
  stage: security
  image: returntocorp/semgrep
  script:
    - semgrep scan --config auto --sarif -o semgrep.sarif
  artifacts:
    # publish the SARIF file as a pipeline artifact
    paths:
      - semgrep.sarif
```

Jenkins (declarative `Jenkinsfile`):

```groovy
pipeline {
    agent any
    environment {
        REPORT_DIR = 'semgrep-reports'
    }
    stages {
        stage('Semgrep Scan') {
            steps {
                // REPORT_DIR is exported to the shell by the environment block;
                // the mounted workspace is /src inside the container, so the report lands in the workspace
                sh '''
                    mkdir -p "${REPORT_DIR}"
                    docker run -v "$(pwd):/src" returntocorp/semgrep \
                        semgrep scan --config auto --json -o "${REPORT_DIR}/semgrep.json"
                '''
            }
        }
    }
    post {
        always {
            // double quotes so Groovy interpolates REPORT_DIR (single quotes would archive the literal string)
            archiveArtifacts artifacts: "${REPORT_DIR}/**"
        }
    }
}
```

#toolchain #sast