Original Post: Scanning Shell Scripts With Semgrep
Semgrep has introduced experimental support for Bash scripting to help catch common shell syntax errors and unsafe command usages. Highlights include:
- Detecting forbidden commands: options to flag the usage of blacklisted commands.
- Variable splitting:
  - Addresses misunderstandings around variable expansion, especially related to the IFS variable that determines string separators.
  - Provides examples and solutions for handling IFS safely and for checking for unquoted variables that may cause splitting.
- Iterating over ls output: implements rules like ShellCheck’s SC2045 to detect improper iterations.
- Bash parsing status:
  - Current parsing success rate is around 92%.
  - Supported constructs include simple commands, pipelines, various loops, function definitions, assignments, and single/double-quoted variable expansions.
  - Semgrep patterns supported: ellipsis, metavariables, deep ellipsis.
  - Limitations:
    - Doesn’t yet match file redirections, background jobs, or scripts with unconventional extensions.
    - Lacks understanding of certain command syntaxes and array accesses.
    - Arithmetic expressions and C-style loops are not yet supported.
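As an added illustration (not code from the Semgrep post) of the two pitfalls the variable-splitting and ls-iteration rules target, this constructed POSIX shell script shows how an unquoted expansion is split according to IFS and how a loop over ls output miscounts filenames containing whitespace; the function names are this example's own.

```shell
#!/bin/sh
# Constructed demo of two pitfalls the Semgrep Bash rules target:
# IFS-driven word splitting of unquoted expansions, and iterating over
# `ls` output (ShellCheck SC2045). Function names are this example's own.

# count_args: prints how many separate words it received.
count_args() { echo "$#"; }

# unquoted: $1 is expanded unquoted, so the shell splits it on IFS.
unquoted() { count_args $1; }

# quoted: "$1" is always passed through as exactly one word.
quoted() { count_args "$1"; }

# ifs_colon: same unquoted expansion, but with IFS set to ':' in a subshell,
# so the split follows the changed separator instead of whitespace.
ifs_colon() { ( IFS=:; count_args $1 ); }

# ls_loop: the SC2045 anti-pattern; names containing whitespace break apart.
ls_loop() {
  n=0
  for f in $(ls "$1"); do n=$((n + 1)); done
  echo "$n"
}

# glob_loop: the safe form; each glob match is one loop item, and the
# -e test skips the literal pattern that remains when nothing matches.
glob_loop() {
  n=0
  for f in "$1"/*; do [ -e "$f" ] && n=$((n + 1)); done
  echo "$n"
}

demo() {
  d=$(mktemp -d)
  touch "$d/a b.txt" "$d/c.txt"       # two files, one with a space
  echo "unquoted:  $(unquoted "one two three")"   # 3
  echo "quoted:    $(quoted "one two three")"     # 1
  echo "ifs colon: $(ifs_colon "a:b:c")"          # 3
  echo "ls loop:   $(ls_loop "$d")"               # 3
  echo "glob loop: $(glob_loop "$d")"             # 2
  rm -rf "$d"
}

demo
```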
Overall, while the feature is still evolving, it aims to provide essential functionality to improve the robustness and safety of shell scripts.