Semgrep

Semgrep, Inc
Formerlyr2c
IndustryComputer Security
Founded2017
Founder
  • Isaac Evans
  • Luke O'Malley
  • Drew Dennison
Websitesemgrep.dev Edit this on Wikidata
Semgrep OSS
Developer(s)Semgrep, Inc.
Initial releaseFebruary 6, 2020; 4 years ago (2020-02-06)[1]
Stable release
1.97.0 Edit this on Wikidata / November 20, 2024; 29 days ago [2]
Repository
Written inOCaml (core) and Python (CLI)
TypeStatic program analysis
LicenseLGPL v2.1
Websitesemgrep.dev Edit this on Wikidata

Semgrep, Inc. (formerly r2c[3]) is a cybersecurity company based in San Francisco. The company develops the Semgrep AppSec Platform (a commercial offering for SAST, SCA, and secrets scanning) and actively maintains the open-source static code analysis tool semgrep OSS.

Semgrep has stable support for over 30 languages including C#, C, C++, Go, Java, JavaScript, JSON, Python, PHP, Ruby, and Scala. Language support on semgrep OSS is community driven and does not support interprocedural or interfile analysis.[4]

The name is a combination of semantic and grep, referring to semgrep being a text search command-line utility that is aware of source code semantics.[5]

Services

Semgrep, Inc. provides a continuous integration service (called Semgrep CI), rule-writing tools (called the Semgrep Playground and editor), and a rule library (called Semgrep Registry) free of charge for both commercial and open source users.[6]

Semgrep rules are similar to source code and do not require knowledge of a domain specific language to write. Both open source and commercial rules can be forked and customized to a user's codebase, however only commercial users are able to customize commercial rules. All users are free to fork and modify open source (community) rules.[7]

History

Semgrep was based on sgrep, an open source part of pfff, a program analysis library developed at Facebook in 2009. Pfff was inspired by Coccinelle, an open-source utility for programs written in C. Yoann Padioleau, the original author of sgrep and a contributor to Coccinelle, joined r2c in 2019.[8][9][10] sgrep was forked from pfff by r2c, and in 2020 the sgrep fork was renamed semgrep to avoid name collisions with existing projects.[11][12][13]

Redpoint Ventures and Sequoia Capital backed r2c in an unannounced seed round and later funded a $13 million Series A round in 2020. The company's product portfolio consisted only of Semgrep OSS and its ecosystem at the time.[14][15]

Semgrep, Inc. announced in 2023 that it had raised a $53 million Series C funding round with Lightspeed Venture Partners leading the investment and participation from previous investors Felicis Ventures, Redpoint Ventures, and Sequoia Capital. The company has raised a total of $93 million, including their Series C financing.[3]

The Open Web Application Security Project (OWASP) listed Semgrep in its source code analysis tools list.[16] As of 2023 April, Semgrep has 132 contributors and over 9000 stars on GitHub.[17] From Docker Hub the Docker image has been pulled more than 60 million times.[18]

Usage

Semgrep can be installed with Homebrew[19] or pip.[20] Additionally it can run without installation on Docker. Analysis can be done without the need of custom configuration, and by utilizing rulesets created by Semgrep Inc. and open source contributors. The tool also allows users to write their own patterns and rules through the CLI using a pattern language unique to semgrep. A free online rule editor and a tutorial are also available.[21][22]

See also

References

  1. ^ "Release – sgrep 0.4.0 – returntocorp/semgrep". Github.com. Retrieved 2021-02-03.
  2. ^ "Release 1.97.0". 20 November 2024. Retrieved 2 December 2024.
  3. ^ a b Miller, Ron (2023-04-18). "Semgrep (formerly r2c) lands $53M investment to grow code security platform". TechCrunch. Retrieved 2023-04-19.
  4. ^ "Supported languages | Semgrep". semgrep.dev. 2024-05-22. Retrieved 2024-05-29.
  5. ^ Nagy, Bence. "Detect complex code patterns using semantic grep" (PDF). owasp.org (Presentation). p. 2. Retrieved 2021-02-02.
  6. ^ "Write custom rules | Semgrep". semgrep.dev. 2024-05-16. Retrieved 2024-05-29.
  7. ^ "Write custom rules | Semgrep". semgrep.dev. 2024-05-16. Retrieved 2024-05-29.
  8. ^ Lauerman, Alex (2020-10-29). "A Brief Introduction to Semgrep (part 1)". TrustFoundry.
  9. ^ "Previous version of Semgrep's README.md file on GitHub". GitHub. Retrieved 2021-02-02.
  10. ^ "Semgrep: Lightweight static analysis for many languages". Hacker News. Retrieved 2021-02-02.
  11. ^ "Pull request of Semgrep on GitHub". GitHub. Retrieved 2021-02-02.
  12. ^ "Previous version of Semgrep's README.md on GitHub". GitHub. Retrieved 2021-02-02.
  13. ^ Salecha, Rohit (2020-08-13). "Semgrep A Practical Introduction". NotSoSecure.com.
  14. ^ "Redpoint and Sequoia are backing a startup to copyedit your shit code". TechCrunch.com. 2020-10-29. Retrieved 2021-02-02.
  15. ^ "Forbes Cybersecurity Awards 2020: Corellium, The Tiny Startup Driving Apple Crazy". Forbes.com. 2020-12-27. Retrieved 2021-02-02.
  16. ^ "OWASP Source Code Analysis Tools". Owasp.com. Retrieved 2020-02-02.
  17. ^ "Semgrep on GitHub". GitHub.
  18. ^ "Semgrep on Docker Hub". Retrieved 2023-04-19.
  19. ^ "Semgrep on Homebrew Formulae". Retrieved 2021-02-03.
  20. ^ "Semgrep on pypi.org". Python Package Index. Retrieved 2021-02-03.
  21. ^ "Semgrep Documentation – Getting started". semgrep.dev. Retrieved 2021-02-02.
  22. ^ Lancini, Marco (2020-12-12). "Semgrep for Cloud Security". marcolancini.it.