Preface
Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
Showcase
#+begin_src bash
cashmere@fedora:~/projects/stayemrs$ semgrep scan --config auto
┌──── ○○○ ────┐
│ Semgrep CLI │
└─────────────┘
METRICS: Using configs from the Registry (like --config=p/ci) reports pseudonymous rule metrics to semgrep.dev.
To disable Registry rule metrics, use "--metrics=off".
Using configs only from local files (like --config=xyz.yml) does not enable metrics.
More information: https://semgrep.dev/docs/metrics
Scanning 310 files (only git-tracked) with:
✔ Semgrep OSS
✔ Basic security coverage for first-party code vulnerabilities.
✘ Semgrep Code (SAST)
✘ Find and fix vulnerabilities in the code you write with advanced scanning and expert
security rules.
✘ Semgrep Supply Chain (SCA)
✘ Find and fix the reachable vulnerabilities in your OSS dependencies.
💎 Get started with all Semgrep products via `semgrep login`.
✨ Learn more at https://sg.run/cloud.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
┌─────────────────┐
│ 7 Code Findings │
└─────────────────┘
.nixpacks/Dockerfile
❯❯❱ dockerfile.security.missing-user-entrypoint.missing-user-entrypoint
By not specifying a USER, a program in the container may run as 'root'. This is a
security hazard. If an attacker can control a process running as root, they may have
control over the container. Ensure that the last USER in a Dockerfile is a USER
other than 'root'.
Details: https://sg.run/k281
▶▶┆ Autofix ▶ USER non-root ENTRYPOINT ["/bin/bash", "-l", "-c"]
3┆ ENTRYPOINT ["/bin/bash", "-l", "-c"]
❯❯❱ dockerfile.security.missing-user.missing-user
By not specifying a USER, a program in the container may run as 'root'. This is a
security hazard. If an attacker can control a process running as root, they may have
control over the container. Ensure that the last USER in a Dockerfile is a USER
other than 'root'.
Details: https://sg.run/Gbvn
▶▶┆ Autofix ▶ USER non-root CMD ["./bin/stayemrs"]
29┆ CMD ["./bin/stayemrs"]
src/mapbox/mod.rs
❯❯❱ generic.secrets.security.detected-jwt-token.detected-jwt-token
JWT token detected
Details: https://sg.run/05N5
34┆ .query("access_token", "sk.eyJ1IjoibWFwYm94amk3IiwiYSI6ImNtOGNraDJzcDI5Y2Y
ybHM4bGg2eDJjbDYifQ.a1UuwlORAPld9eIm4s-cqg")
templates/base.html
❯❱ html.security.audit.missing-integrity.missing-integrity
This tag is missing an 'integrity' subresource integrity attribute. The 'integrity'
attribute allows for the browser to verify that externally hosted files (for example
from a CDN) are delivered without unexpected manipulation. Without this attribute,
if an attacker can modify the externally hosted resource, this could lead to XSS and
other types of attacks. To prevent this, include the base64-encoded cryptographic
hash of the resource (file) you’re telling the browser to fetch in the 'integrity'
attribute for all externally hosted files.
Details: https://sg.run/krXA
12┆ <script type="module" src="https://unpkg.com/cally"></script>
templates/components/card_villa.html
❯❱ python.django.security.django-no-csrf-token.django-no-csrf-token
Manually-created forms in django templates should specify a csrf_token to prevent
CSRF attacks.
Details: https://sg.run/N0Bp
49┆ <form action="/listings/delete/{{listing.id}}" method="POST" class="inline
ml-1">
50┆ <button type="submit"
51┆ class="btn btn-error btn-sm text-black font-bold"
52┆ onclick="return confirm('Are you sure you want to delete this
listing?')">
53┆ Delete
54┆ </button>
55┆ </form>
⋮┆----------------------------------------
66┆ <form action="/listings/delete/{{listing.id}}" method="POST"
class="inline">
67┆ <button type="submit"
68┆ class="text-red-800 text-xs hover:underline"
69┆ onclick="return confirm('Are you sure you want to delete this
listing?')">
70┆ Delete
71┆ </button>
72┆ </form>
templates/dashboard/base.html
❯❱ html.security.audit.missing-integrity.missing-integrity
This tag is missing an 'integrity' subresource integrity attribute. The 'integrity'
attribute allows for the browser to verify that externally hosted files (for example
from a CDN) are delivered without unexpected manipulation. Without this attribute,
if an attacker can modify the externally hosted resource, this could lead to XSS and
other types of attacks. To prevent this, include the base64-encoded cryptographic
hash of the resource (file) you’re telling the browser to fetch in the 'integrity'
attribute for all externally hosted files.
Details: https://sg.run/krXA
9┆ <link rel="stylesheet" href="https://rsms.me/inter/inter.css" />
┌──────────────┐
│ Scan Summary │
└──────────────┘
Some files were skipped or only partially analyzed.
Scan was limited to files tracked by git.
Partially scanned: 9 files only partially analyzed due to parsing or internal Semgrep errors
Scan skipped: 4 files larger than 1.0 MB, 5 files matching .semgrepignore patterns
For a full list of skipped files, run semgrep with the --verbose flag.
Ran 107 rules on 301 files: 7 findings.
💎 Missed out on 1390 pro rules since you aren't logged in!
⚡ Supercharge Semgrep OSS when you create a free account at https://sg.run/rules.
⏫ A new version of Semgrep is available. See https://semgrep.dev/docs/upgrading
#+end_src
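The scan above exits 0 even though it found a hard-coded secret token and two root-running container entrypoints, so in CI the findings would scroll by unnoticed. Semgrep's own `--error` flag exits 1 on any finding at all; the script below, an added example that is not part of the original page or of Semgrep itself, applies a finer policy to the output of `semgrep scan --config auto --json`. It assumes the JSON shape Semgrep emits (a top-level `results` list whose entries carry `check_id`, `path`, `start.line` and an `extra` object with `severity`, `message` and `lines`), and the policy itself (block on `ERROR` severity or on any rule whose id contains "secrets") is an assumption chosen for illustration. The embedded sample is constructed to mirror three of the findings shown above, with the token replaced by a placeholder; the script deliberately never prints `extra.lines`, so a detected secret is not copied into build logs.

```python
"""CI gate over `semgrep scan --json` output (added example, not Semgrep's code)."""
import json
import sys
from collections import Counter
from typing import Iterable

# Constructed sample of `semgrep scan --json` output, trimmed to the fields
# this script reads. Not real scanner output; the token is a placeholder.
SAMPLE_JSON = r'''
{
  "results": [
    {
      "check_id": "dockerfile.security.missing-user.missing-user",
      "path": ".nixpacks/Dockerfile",
      "start": {"line": 29},
      "extra": {
        "severity": "WARNING",
        "message": "By not specifying a USER, a program in the container may run as 'root'.",
        "lines": "CMD [\"./bin/stayemrs\"]"
      }
    },
    {
      "check_id": "generic.secrets.security.detected-jwt-token.detected-jwt-token",
      "path": "src/mapbox/mod.rs",
      "start": {"line": 34},
      "extra": {
        "severity": "ERROR",
        "message": "JWT token detected",
        "lines": ".query(\"access_token\", \"sk.<placeholder>\")"
      }
    },
    {
      "check_id": "html.security.audit.missing-integrity.missing-integrity",
      "path": "templates/base.html",
      "start": {"line": 12},
      "extra": {
        "severity": "WARNING",
        "message": "This tag is missing an 'integrity' subresource integrity attribute.",
        "lines": "<script type=\"module\" src=\"https://unpkg.com/cally\"></script>"
      }
    }
  ],
  "errors": []
}
'''

# Policy (assumed for this example): any ERROR fails the build, as does any
# finding from a rule whose id contains "secrets" whatever its severity.
BLOCKING_SEVERITIES = {"ERROR"}
BLOCKING_RULE_SUBSTRINGS = ("secrets",)


def load_results(raw: str) -> list[dict]:
    """Parse Semgrep JSON and return its list of findings."""
    return json.loads(raw).get("results", [])


def severity_of(finding: dict) -> str:
    return str(finding.get("extra", {}).get("severity", "INFO")).upper()


def is_blocking(finding: dict) -> bool:
    if severity_of(finding) in BLOCKING_SEVERITIES:
        return True
    return any(s in finding["check_id"] for s in BLOCKING_RULE_SUBSTRINGS)


def summarize(findings: Iterable[dict]) -> dict:
    """Count findings per severity and collect the ones that block the build."""
    findings = list(findings)
    return {
        "total": len(findings),
        "by_severity": dict(Counter(severity_of(f) for f in findings)),
        "blocking": [f for f in findings if is_blocking(f)],
    }


def format_finding(f: dict) -> str:
    # Location, severity, rule id and message only: `extra.lines` is the
    # matched source and may contain the secret itself, so it is not echoed.
    msg = f.get("extra", {}).get("message", "").strip()
    return f"{f['path']}:{f['start']['line']}  [{severity_of(f)}] {f['check_id']}\n    {msg}"


def exit_code_for(raw: str) -> int:
    """1 if the policy says the build must fail, otherwise 0."""
    return 1 if summarize(load_results(raw))["blocking"] else 0


def main() -> int:
    # `gate.py -` reads scanner output from stdin; no argument runs the sample.
    raw = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_JSON
    summary = summarize(load_results(raw))
    print(f"{summary['total']} findings by severity: {summary['by_severity']}")
    for f in summary["blocking"]:
        print("BLOCKING", format_finding(f))
    return 1 if summary["blocking"] else 0


if __name__ == "__main__":
    sys.exit(main())
```

Wire it in as `semgrep scan --config auto --json | python gate.py -`; the Dockerfile and SRI warnings are still listed in the summary, but only the secret-token finding stops the job, which is the triage order a reviewer would apply to the scan above.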