Semgrep's May 2022 updates: Introducing DeepSemgrep, plus new Playground, and self managed GitHub + GitLab support!

by Chinmay Gaikwad on May 11, 2022


Semgrep’s weekly release cadence lets us ship features quickly, but it falls short when it comes to highlighting larger features. This post looks back through the last few months to highlight the biggest new features that landed.

If you need a reminder: Semgrep is a fast, open-source static analysis tool for finding bugs and enforcing code standards. Semgrep App is a hosted application that helps your team make the most of Semgrep.


Static analysis tools are a key component of a modern security program and are used to analyze source code for vulnerabilities. However, SAST tools are often noisy, producing false positives and false negatives, because every organization’s use case, technology stack, and deployment platform is unique. Addressing the noise in such SAST tools can be a waste of already limited security team and developer time.

Semgrep is simple to tune and highly customizable; you can write rules specific to your use case in minutes, minimizing noise as well as deploying Semgrep in your preferred SCM tool. With Semgrep’s May launch, we’re introducing:

DeepSemgrep

Semgrep's design philosophy is to be fast and simple. That is why we focused on single-file analysis. However, many of you have asked for an extension to Semgrep that analyzes across files, because complex vulnerabilities often involve behavior that is only detectable when several source files are considered simultaneously. Recognizing the value of deeper vulnerability detection, today we're announcing DeepSemgrep for Java and Ruby. It's a proprietary extension to Semgrep that uses the exact same rules but performs deeper cross-file analysis. This analysis takes longer, but returns better results with zero rule changes.

For security engineers, this means:

  • fewer false negatives, for instance, with interfile constant propagation
  • fewer false positives (Semgrep can find more matches to a pattern), for instance, by proving that a variable resolves to a compile-time constant imported from another file or making taint analysis work interfile

We're thrilled to partner with early users and push Semgrep's analysis capabilities even further. If you'd like to join the private beta, request access here.

Feature Comparison

Semgrep DeepSemgrep
All existing Semgrep features (join mode, within-file taint mode, etc.) yes yes
Analyze across multiple files no yes
→ Interfile constant propagation no yes
→ Interfile type inference no yes
→ Interfile taint tracking no yes
License LGPL 2.1 proprietary
Rule syntax & schema no difference
Languages supported 24+ languages Ruby, Java

New Playground

Since the beginning, the Playground has been most users’ introduction to Semgrep rule writing. It’s the place where you can easily write rules, run them against your test code, and iterate on the results.

While the Playground is extremely popular, we’ve heard from the community that users want to see their rules and code side-by-side, have a more “developer-native” workflow (such as the ability to fork, save, and share rules), and have easy access to the Registry, much like is already possible in the Editor.

With this launch, we are making the Playground’s experience consistent with the Editor, so that you can access benefits of the Editor. The new Playground takes advantage of the Editor rule writing improvements and unifies these two feature’s so that bug fixes and development happen together.

Figure 1: New Playground (before signing in)

Figure 2: New Playground (after signing in)

Signing into the new Playground unlocks benefits such as saving a rule, sharing it, adding it to your Rule Board, etc. For more information, check out the documentation.

The old Playground will still be available and can be accessed using the top-right menu.

GitHub Enterprise and GitLab Self-Managed support

Semgrep can already be easily deployed on GitHub (Free, Pro, and Team) and GitLab SaaS. Today, we’re adding support for both GitHub Enterprise and GitLab Self-Managed for our Team-tier users. With this support, Semgrep App can now leave inline pull and merge request comments about security issues when scanning projects on GitHub Enterprise and GitLab Self-Managed.

Figure 3: Inline PR comments in GitHub Enterprise Figure 3: Inline PR comment in GitHub Enterprise

But wait, there’s more!

This launch also includes -

Autofix - Semgrep App users can now enable GitHub/GitLab Autofix suggestions to surface findings to developers in Semgrep’s pull and merge request comments, enabling them to accept code fixes from within the Github/GitLab UI.

Figure 4: Autofix in Semgrep App Figure 4: Autofix in Semgrep App

Default Ruleset (experimental) - Semgrep App now comes with a default ruleset that will provide the best results out-of-the-box without any additional configuration.

Figure 5: Default ruleset Figure 5: Default ruleset

Conclusion

A strong community of security engineers already appreciates Semgrep as an outstanding tool to find security vulnerabilities. Together, we’re working to make Semgrep even better. With the addition of features such as DeepSemgrep, the new Playground, and the support for GitHub Enterprise and GitLab Self-Managed, Semgrep moves closer to being the defacto static analysis tool used by security teams everywhere.

Please contact us if you’d like to learn more about deploying Semgrep in GitHub Enterprise or GitLab Self-Managed. If you’re excited about DeepSemgep, you can be among the first to get access to it!