LIGHTWEIGHT STATIC CODE ANALYSIS WITH SEMGREP
Nikhil Sahoo
WHOAMI
SECURITY SOFTWARE ENGINEER @MICROSOFT
EX-SECURITY CONSULTANT, DELOITTE
CERTS: OSCP, EWPTX, CRTP
ACKNOWLEDGED AND RECEIVED HOFS FROM MULTIPLE ORGS: ORACLE, DELL, MICROSOFT, SAP, SONY ETC.
LINKEDIN: HTTPS://WWW.LINKEDIN.COM/IN/NIKHIL-SAHOO-87204B106/
NIKHILSAHOO.COM
AGENDA
• History
• What is Semgrep?
• SAST Tools Slider
• Rule Syntax
• Writing Rules | Demo
• Usage
• Limitations
• QnA
HISTORY: SGREP (SYNTACTIC GREP)
• Initially called Sgrep/Pfff
• Written by Yoann Padioleau at Facebook for analyzing PHP code
• Was used to enforce best practices
• Easy for developers to organize and understand the rules
• Joined R2C and renamed Sgrep to Semgrep
• Goal was to match based on semantics of the code
Reference: https://semgrep.dev/blog/2021/semgrep-a-static-analysis-journey
WHAT IS SEMGREP?
• Fast and lightweight static analysis tool to find bugs and enforce code standards.
Reference: https://semgrep.dev/
PROS
• Open source
• Rules look like the code you already write; no abstract syntax trees, no regex wrestling
• Scans in minutes
• Does not require a build
• Hunt bugs at scale
• Supports many languages
• Very easy to write custom rules
SAST SLIDER
https://instagram-engineering.com/static-analysis-at-scale-an-instagram-story-8f498ab71a0c
(Slider figure) Devskim | Semgrep | CodeQL
REGEX PROBLEMS
https://www.explainxkcd.com/wiki/images/1/10/perl_problems.png
False Positives
REGEX PROBLEMS
CODE IS NOT A STRING, IT’S A TREE
🧶 String != 🌲Tree
INTERNALS
https://r2c.dev/static/00125f77fba64f5350b367c373c4e849/1132d/semgrep-flow.png
RULE SYNTAX
https://semgrep.dev/docs/writing-rules/rule-syntax/
DEMO WRITING SEMGREP RULES
HTTPS://SEMGREP.DEV/PLAYGROUND/NEW
ELLIPSIS
• Ellipsis operator: "..." (three ASCII dots; matches any sequence of arguments, statements or expressions)
• Find all PHP command injection functions
• Solution: https://semgrep.dev/orgs/nikhil1232/editor/s/nikhil1232:owasp-php-command-inj
• Reference: https://www.stackhawk.com/blog/php-command-injection/
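An added example of the ellipsis operator on the PHP command-injection scenario above. This is not the playground rule linked on the slide; the rule id, message and the list of sink functions are my choices.

```yaml
# Added example (not the author's rule). "..." stands for zero or more
# arguments of any shape, so one pattern per sink covers every call form:
# system($cmd), exec($cmd, $out, $rc), passthru("ls " . $_GET['dir']), ...
rules:
  - id: php-command-execution-call
    languages: [php]
    severity: WARNING
    message: >-
      Call to a shell-execution function. If any argument is derived from
      user input this is an OS command injection (CWE-78); prefer not to
      shell out, or pass only escapeshellarg()-wrapped values.
    pattern-either:
      - pattern: system(...)
      - pattern: exec(...)
      - pattern: shell_exec(...)
      - pattern: passthru(...)
      - pattern: popen(...)
      - pattern: proc_open(...)
```

Run it with `semgrep --config php-command-exec.yaml src/` (file name is mine). The rule reports every call to the listed functions, including ones with constant arguments, so it is an audit rule for review rather than a precise vulnerability finder; the taint-mode rules later in the deck show how to report only the calls that actually receive request data.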
METAVARIABLE
• Metavariable operator: "$X" (binds to the expression at that position and can be reused in the rule and its message)
• Find all user-exploitable PHP preg_replace() calls
• Solution: https://semgrep.dev/orgs/nikhil1232/editor/s/nikhil1232:owasp-metavariable-pregreplace
• Reference: https://bitquark.co.uk/blog/2013/07/23/the_unexpected_dangers_of_preg_replace
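An added example, not the slide's playground rule, showing metavariables on the preg_replace() scenario: `$PATTERN`, `$REPL` and `$SUBJECT` bind to the call's arguments, `$PATTERN` is then constrained with `metavariable-pattern` to request superglobals, and the binding is echoed in the message. It assumes, as the public semgrep-rules PHP rules do, that `$_GET` and friends are matched as PHP superglobals rather than as metavariables.

```yaml
# Added example (not the author's rule). Each $NAME is a metavariable that
# captures the expression in that argument slot.
rules:
  - id: php-preg-replace-user-controlled-pattern
    languages: [php]
    severity: ERROR
    message: >-
      preg_replace() pattern '$PATTERN' is taken from the request. On PHP
      before 7.0 an attacker can append the /e modifier and have the
      replacement evaluated as PHP code; never let users supply the pattern.
    patterns:
      # bind the three mandatory arguments; "..." allows the optional ones
      - pattern: preg_replace($PATTERN, $REPL, $SUBJECT, ...)
      # keep only matches whose $PATTERN is read from a request superglobal
      - metavariable-pattern:
          metavariable: $PATTERN
          pattern-either:
            - pattern: $_GET[...]
            - pattern: $_POST[...]
            - pattern: $_REQUEST[...]
            - pattern: $_COOKIE[...]
```

Without the `metavariable-pattern` clause the rule would flag every preg_replace() call; with it, `preg_replace('/foo/', 'bar', $s)` is ignored and `preg_replace($_GET['re'], $r, $s)` is reported with the offending expression in the finding text.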
CATCHING ATTRIBUTES
• Scenario 1: Find all functions vulnerable to CSRF
• Solution: https://semgrep.dev/orgs/nikhil1232/editor/s/nikhil1232:owasp-csrf-mvc
• Scenario 2: Broken Access Control
• Solution: https://semgrep.dev/orgs/nikhil1232/editor/s/nikhil1232:owasp-missing-or-broken-authorization
• Reference: https://www.stackhawk.com/blog/net-csrf-protection-guide-examples-and-how-to-enable/, https://github.com/returntocorp/semgrep-rules/blob/develop/csharp/dotnet/security/audit/missing-or-broken-authorization.cs
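An added example for scenario 1 (CSRF), not the slide's playground rule: the attribute is written into the method pattern, and `pattern-not` / `pattern-not-inside` remove the actions that carry the protecting attribute at method or controller level. It assumes that a pattern naming one attribute also matches methods that carry further attributes and modifiers, as Semgrep does for Java annotations; confirm that in the Playground before relying on it.

```yaml
# Added example (not the author's rule). Attributes are part of the method
# pattern, so [HttpPost] selects the state-changing actions and the
# pattern-not clauses subtract the protected ones.
rules:
  - id: mvc-post-action-missing-antiforgery
    languages: [csharp]
    severity: WARNING
    message: >-
      Action '$METHOD' accepts POST but has no [ValidateAntiForgeryToken];
      a cross-site form post can invoke it. Add the attribute, or apply
      [AutoValidateAntiforgeryToken] to the controller.
    patterns:
      # a POST action, with or without a route argument
      - pattern-either:
          - pattern: |
              [HttpPost]
              public $RET $METHOD(...) { ... }
          - pattern: |
              [HttpPost(...)]
              public $RET $METHOD(...) { ... }
      # not protected at method level
      - pattern-not: |
          [ValidateAntiForgeryToken]
          public $RET $METHOD(...) { ... }
      # not protected at controller level
      - pattern-not-inside: |
          [AutoValidateAntiforgeryToken]
          public class $CLASS : $BASE { ... }
```

The same shape serves scenario 2: replace `[HttpPost]` with the HTTP verb attributes and `[ValidateAntiForgeryToken]` / `[AutoValidateAntiforgeryToken]` with `[Authorize(...)]`, and the rule reports endpoints reachable without an authorization check.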
DEEP EXPRESSION
• Deep expression operator: "<... [your pattern] ...>" (matches any expression that contains [your pattern] anywhere inside it)
• Scenario: XML parser allows resolving external resources
• Solution: https://semgrep.dev/orgs/nikhil1232/editor/s/nikhil1232:owasp-xmltextreader
• Reference: https://rules.sonarsource.com/csharp/RSPEC-2755, https://pvs-studio.com/en/blog/posts/csharp/0918/
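An added example of the deep expression operator on the XmlTextReader scenario; it is not the slide's playground rule, and the rule id, message and property list are mine. `<... new XmlTextReader(...) ...>` finds the reader even when the constructor is wrapped in a helper call or a conditional, and the same operator catches a resolver assigned through a ternary.

```yaml
# Added example (not the author's rule). "<... e ...>" matches any
# expression that contains e as a sub-expression, e.g.
#   var r = Wrap(new XmlTextReader(path));
#   r.XmlResolver = cfg.Online ? new XmlUrlResolver() : null;
rules:
  - id: xmltextreader-resolves-external-entities
    languages: [csharp]
    severity: ERROR
    message: >-
      XmlTextReader '$READER' is configured to process DTDs or resolve
      external resources, which enables XXE. Set DtdProcessing.Prohibit
      and XmlResolver = null, or use XmlReader.Create with safe settings.
    patterns:
      # the reader is created somewhere inside the initializer expression
      - pattern-inside: |
          $TYPE $READER = <... new XmlTextReader(...) ...>;
          ...
      # and later put into a dangerous configuration
      - pattern-either:
          - pattern: $READER.DtdProcessing = DtdProcessing.Parse;
          - pattern: $READER.ProhibitDtd = false;
          - pattern: $READER.XmlResolver = <... new XmlUrlResolver(...) ...>;
```

The `pattern-inside` with a trailing `...` scopes the dangerous assignments to the statements that follow the declaration of that particular reader, so a safely configured reader in the same method does not cause a false positive.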
METAVARIABLE REGEX
• Scenario: App not validating the expiration time of a JWT
• Solution: https://semgrep.dev/orgs/nikhil1232/editor/s/nikhil1232:owasp-jwt-no-expiry
• Reference: https://github.com/returntocorp/semgrep-rules/blob/develop/csharp/lang/security/ad/jwt-tokenvalidationparameters-no-expiry-validation.cs
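An added example of `metavariable-regex` on the JWT scenario, written for this page rather than taken from the slide's playground rule: the property name is captured as `$PROP` and a regex restricts it to the two TokenValidationParameters settings that control expiry checks, so one rule covers both the object-initializer and the assignment form.

```yaml
# Added example (not the author's rule). $PROP binds to whichever property
# is set to false; metavariable-regex then accepts only the expiry-related
# ones, so e.g. "ValidateIssuer = false" is not reported by this rule.
rules:
  - id: jwt-expiry-validation-disabled
    languages: [csharp]
    severity: ERROR
    message: >-
      TokenValidationParameters.$PROP is set to false, so expired JWTs
      are accepted. Leave ValidateLifetime and RequireExpirationTime at
      their default (true) and set a small ClockSkew instead.
    patterns:
      - pattern-either:
          - pattern: |
              new TokenValidationParameters { ..., $PROP = false, ... }
          - pattern: |
              $PARAMS.$PROP = false;
      - metavariable-regex:
          metavariable: $PROP
          regex: '^(ValidateLifetime|RequireExpirationTime)$'
```

The regex is anchored on both ends; without the anchors a property such as `ValidateLifetimeOverride` (hypothetical) would also match, which is the usual source of noise in regex-constrained rules.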
METAVARIABLE COMPARISON
• Scenario: Improper regex timeout
• Solution: https://semgrep.dev/orgs/nikhil1232/editor/s/nikhil1232:owasp-regex-dos-infinite-timeout
• Reference: https://github.com/returntocorp/semgrep-rules/blob/develop/csharp/lang/security/regular-expression-dos/regular-expression-dos-infinite-timeout.cs, https://rules.sonarsource.com/csharp/RSPEC-6444
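An added example of `metavariable-comparison` on the regex-timeout scenario; it is not the slide's playground rule. The numeric argument of `TimeSpan.FromSeconds` is bound to `$N` and compared against a threshold, and a separate branch catches `Regex.InfiniteMatchTimeout`. The 10-second threshold is my choice for illustration.

```yaml
# Added example (not the author's rule). metavariable-comparison evaluates
# a Python-style expression over the captured literal, so the rule can
# distinguish FromSeconds(2) from FromSeconds(300).
rules:
  - id: regex-match-timeout-too-long
    languages: [csharp]
    severity: WARNING
    message: >-
      Regex match timeout is infinite or longer than 10 seconds; a pattern
      with catastrophic backtracking can then pin a worker thread on
      attacker-supplied input (ReDoS). Use a short timeout.
    pattern-either:
      # explicit infinite timeout
      - pattern: new Regex($PAT, $OPTS, Regex.InfiniteMatchTimeout)
      - pattern: Regex.IsMatch($INPUT, $PAT, $OPTS, Regex.InfiniteMatchTimeout)
      # finite but too generous timeout
      - patterns:
          - pattern-either:
              - pattern: new Regex($PAT, $OPTS, TimeSpan.FromSeconds($N))
              - pattern: Regex.IsMatch($INPUT, $PAT, $OPTS, TimeSpan.FromSeconds($N))
          - metavariable-comparison:
              metavariable: $N
              comparison: $N > 10
```

Only literal arguments can be compared; `TimeSpan.FromSeconds(config.Timeout)` binds `$N` to an identifier and the comparison simply does not match, so a rule that must also cover configured values needs a second branch that matches the non-literal form unconditionally.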
TAINT ANALYSIS
• Scenario: PHP Reflected XSS
• Solution: https://semgrep.dev/orgs/nikhil1232/editor/s/nikhil1232:owasp-php-xss-taint
• Reference: https://rules.sonarsource.com/php/RSPEC-5131
PATTERN-SANITIZERS
• Scenario: Path.Combine() Path Traversal
• Solution: https://semgrep.dev/orgs/nikhil1232/editor/s/nikhil1232:owasp-path-combine
• Reference: https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications/
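An added example covering both the taint-analysis slide (PHP reflected XSS) and the pattern-sanitizers slide (Path.Combine traversal); neither rule is the author's playground rule. Both run in `mode: taint`: request data is the source, the output statement or `Path.Combine` is the sink, and `pattern-sanitizers` lists the calls that stop propagation. The PHP rule assumes `$_GET`-style superglobals match as in the public semgrep-rules PHP rules; the C# sources cover the `Request.Query`/`Request.Form`/`Request.QueryString` and `Request[...]` accessors only.

```yaml
# Added example (not the author's rules). In taint mode Semgrep tracks data
# from sources to sinks through assignments and calls; anything passing
# through a sanitizer is considered clean from that point on.
rules:
  - id: php-reflected-xss
    languages: [php]
    severity: ERROR
    mode: taint
    message: >-
      Request data reaches an output statement without HTML encoding
      (reflected XSS). Wrap it in htmlspecialchars($x, ENT_QUOTES, 'UTF-8').
    pattern-sources:
      - pattern-either:
          - pattern: $_GET
          - pattern: $_POST
          - pattern: $_REQUEST
    pattern-sanitizers:
      - pattern: htmlspecialchars(...)
      - pattern: htmlentities(...)
      - pattern: intval(...)
    pattern-sinks:
      - patterns:
          - pattern-either:
              - pattern: echo $OUT;
              - pattern: print($OUT);
              - pattern: printf($OUT, ...)
          # report only the tainted expression, not the whole statement
          - focus-metavariable: $OUT

  - id: aspnet-path-combine-traversal
    languages: [csharp]
    severity: ERROR
    mode: taint
    message: >-
      User-controlled value reaches Path.Combine(); an absolute path or a
      '..' segment escapes the intended directory. Reduce it to a bare file
      name first and verify the combined path still starts with the root.
    pattern-sources:
      - pattern: Request.Query[...]
      - pattern: Request.Form[...]
      - pattern: Request.QueryString[...]
      - pattern: Request[...]
    pattern-sanitizers:
      # strips directory components, so "..\x" becomes "x"
      - pattern: Path.GetFileName(...)
    pattern-sinks:
      - pattern: Path.Combine(...)
```

With these rules `echo htmlspecialchars($_GET['q']);` is clean while `$q = $_GET['q']; echo "<b>$q</b>";` is reported, and `Path.Combine(root, Path.GetFileName(Request.Query["f"]))` is clean while `Path.Combine(root, Request.Query["f"])` is reported. Note that `Path.GetFileName` alone does not prevent an absolute second argument from replacing the root, which is why the message still asks for a prefix check on the result.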
GENERIC PATTERN MATCHING
• Scenario: Debugging enabled (Web.config)
• Solution: https://semgrep.dev/orgs/nikhil1232/editor/s/nikhil1232:owasp-net-webconfig-debug
• Reference: https://portswigger.net/kb/issues/00100800_asp-net-debugging-enabled
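An added example of generic mode on the Web.config scenario, written for this page and not the slide's playground rule. Generic mode tokenizes any text file, so the XML needs no language parser, and `...` skips whatever attributes sit between `<compilation` and `debug="true"`.

```yaml
# Added example (not the author's rule). languages: [generic] matches on
# whitespace-insensitive tokens, so both of these are caught:
#   <compilation debug="true" targetFramework="4.8" />
#   <compilation targetFramework="4.8"
#                debug="true">
rules:
  - id: aspnet-webconfig-debug-enabled
    languages: [generic]
    severity: WARNING
    message: >-
      <compilation debug="true"> in a deployed Web.config ships debug
      builds and detailed error pages to production; set debug="false" or
      remove the attribute.
    paths:
      include:
        - '*.config'
    pattern: '<compilation ... debug="true"'
```

The `paths.include` glob keeps the rule from scanning every file in the repository, which matters in generic mode because there is no language filter to do that for you; the same approach works for any text-based configuration (nginx.conf, Dockerfiles, .env files) that Semgrep has no dedicated grammar for.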
LIMITATION
Multi-file analysis: DeepSemgrep
USAGE
Semgrep in Editors
• IntelliJ IDEA: semgrep-idea-plugin
• Microsoft Visual Studio Code: semgrep-vscode
• Vim: semgrep.vim
CLI
Docker
SEMGREP ON PUSH
https://semgrep.dev/docs/semgrep-ci/overview/
TOOLS
• Semgrep: https://github.com/returntocorp/semgrep
• Semgrep External Rules: https://github.com/returntocorp/semgrep-rules
• Semgrep Playground: https://semgrep.dev/playground
• CodeQL: https://codeql.github.com/
• Devskim: https://github.com/microsoft/DevSkim
REFERENCES
• https://semgrep.dev/docs/
• https://www.youtube.com/watch?v=kb8oo7Wyk84
• https://youtube.com/watch?v=O5mh8j7-An8
• https://semgrep.dev/playground/
• https://rules.sonarsource.com/
• https://semgrep.dev/blog/2021/semgrep-a-static-analysis-journey
• https://github.com/returntocorp/semgrep-rules
THANK YOU
