Original Post: Pain-free custom linting: why I moved from ESLint and Bandit to Semgrep
tldr: Semgrep is an analysis tool that is easy to learn, fast to prototype rules for, and supports multiple languages.
Summary:
The author describes their experience with various AST-based (Abstract Syntax Tree) analysis tools and contrasts them with Semgrep, an open-source tool developed at r2c. Although familiar with writing complex Flake8, ESLint, and Go-AST rules, they found these methods non-intuitive and cumbersome. In contrast, Semgrep allows for more intuitive and faster rule-writing due to its simplicity and similarity to writing regular code.
Semgrep stands out for:
- Ease of Use: Allows reasoning about analysis similarly to writing code.
- Core Features:
  - Metavariables track variables across scopes.
  - Ellipsis Operator (...) matches variable-length code patterns.
  - Smart Matching auto-determines the type of code pattern to match.
Writing rules in Semgrep requires significantly less boilerplate code and is adaptable across different programming languages, unlike other AST-based tools where rules can’t be easily transferred. Compared to grep-based tools like Ripgrep, Semgrep has structure awareness, reducing false positives.
Semgrep also offers advanced capabilities, such as:
- Type Hints
- Module Path Awareness
- Custom Post-Analysis Filtering
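To make the core features (metavariables, the ellipsis operator) and the advanced ones (module path awareness, post-analysis filtering) concrete, here is one Semgrep rule written for this summary; it is an added example, not a rule from the original post or from r2c's rule registry. The rule id, message, regex of function names and the annotated target snippet in the trailing comment are all my own choices.

```yaml
# Added example rule (not from the original post): flag subprocess calls that
# spawn a shell with a non-constant command string.
rules:
  - id: python-subprocess-shell-true
    languages: [python]
    severity: WARNING
    message: >-
      subprocess.$FUNC is called with shell=True. If $CMD contains untrusted
      input this is a command-injection sink; pass an argv list with shell=False.
    patterns:
      # Metavariables ($FUNC, $CMD) bind to whatever sits at that position and
      # keep the same value across the rest of the rule; the ellipsis (...)
      # absorbs any number of other positional or keyword arguments, so the
      # rule does not care about argument order or extra options.
      - pattern: subprocess.$FUNC($CMD, ..., shell=True, ...)
      # Constrain the bound metavariable: only these functions spawn processes.
      - metavariable-regex:
          metavariable: $FUNC
          regex: ^(run|call|check_call|check_output|Popen)$
      # Post-analysis filter: "..." matches any string literal, so constant
      # commands are dropped. A plain regex over the text cannot tell a
      # literal from a variable or an f-string; the AST can.
      - pattern-not: subprocess.$FUNC("...", ..., shell=True, ...)

# Constructed target file for `semgrep --config rule.yaml target.py`
# (annotations follow Semgrep's `--test` convention, placed on the line above):
#
#   import subprocess
#   from subprocess import Popen
#
#   # ruleid: python-subprocess-shell-true
#   subprocess.run(f"tar xf {archive}", shell=True, check=True)
#
#   # ruleid: python-subprocess-shell-true  (module path awareness: the
#   # `from subprocess import Popen` form is resolved to subprocess.Popen)
#   Popen(cmd, shell=True)
#
#   # ok: python-subprocess-shell-true  (constant command, removed by pattern-not)
#   subprocess.call("ls -l", shell=True)
#
#   # ok: python-subprocess-shell-true  (inside a string, so not a call at all;
#   # a grep for "shell=True" would report this line)
#   print("never write subprocess.run(cmd, shell=True)")
```

The pattern reads like the Python it matches, which is the point the post makes about reasoning the way one writes code: no visitor class, no node-type names, and the same rule shape carries over to other languages by changing `languages` and the call syntax. Keeping the annotated target file next to the rule lets `semgrep --test` assert that the two `ruleid` lines fire and the two `ok` lines do not, which is the fastest way to prototype a rule against real code.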
The author concludes by praising Semgrep’s efficiency, feature set, and ease of rapid prototyping with real code, expressing a preference for Semgrep over traditional AST-based methods.