Static CodeScan to capture your code smells
1 min read · Aug 8, 2023
Semgrep is open-source software that supports nearly 30 languages. An active community creates and maintains a large collection of custom rules. Rules are written in YAML files as simple pattern matches, each with an accompanying message. It is an elegant and effective tool for getting started with security vulnerability testing and automated CI checks.
The Docker image of the tool makes it even easier to adopt in CI pipeline automation and code verification.
Semgrep Docker
docker run --rm -v "${PWD}:/src" returntocorp/semgrep semgrep --config="p/ruby-on-rails-xss"
Custom rules
rules:
  - id: improper_logging
    pattern: puts "..."
    message: Found puts instead of logs
    languages:
      - ruby
    severity: WARNING
Execute
docker run --rm -v "${PWD}:/src" returntocorp/semgrep semgrep --config="xyz.yml"
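The rule above only matches puts with a string-literal argument. As an added example that is not part of the original post, the same idea extended into a fuller rule: it catches puts, print and p with any argument, skips test and task directories, and offers an autofix. It assumes a Rails application (Rails.logger); the file name and id are my own choice.

```yaml
# improper_logging.yml (added example; run with --config="improper_logging.yml")
rules:
  - id: improper-logging
    languages: [ruby]
    severity: WARNING
    message: >-
      Direct console output bypasses the application logger. Use Rails.logger
      so entries carry a level and timestamp and can be filtered or redacted.
    metadata:
      category: best-practice
    patterns:
      # Any argument, not only a literal string: "$X" binds the expression
      - pattern-either:
          - pattern: puts $X
          - pattern: print $X
          - pattern: p $X
      # Ignore output that is already routed through the logger
      - pattern-not-inside: Rails.logger.$METHOD(...)
    # Suggested replacement Semgrep applies with --autofix
    fix: Rails.logger.info($X)
    # Scripts and tests legitimately write to stdout; do not flag them
    paths:
      exclude:
        - "bin/**"
        - "lib/tasks/**"
        - "spec/**"
        - "test/**"

# Matches:        puts "user #{user.email} logged in"
#                 p params
# Does not match: Rails.logger.info("user logged in")
#                 puts "done" inside spec/ or lib/tasks/
```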
Installation reference