Original Post: Semgrep: Stop grepping code
Summary:
Semgrep is an open-source, code-aware grep tool that allows users to easily match function calls, function arguments regardless of order, or sequences of function calls (e.g., A() after B()). The blog post is targeted at developers who have experience or interest in custom linters, grep expressions for code review, security scanning tools, or static analysis security testing (SAST).
Static analysis is crucial even with modern programming languages like Python, Rust, and JavaScript because most bugs are framework or project-specific and not language-specific. Traditional static analysis tools struggle with these project-specific issues and are often slow. Hence, developers turn to simpler tools like grep or linters, but these tools have their own limitations.
Semgrep aims to combine the simplicity and speed of grep with the accuracy of real parsers by transforming code and search patterns into Abstract Syntax Trees (ASTs) for precise matching. Unlike traditional grep, Semgrep is robust against syntactical variations and accommodates multiple programming languages (Python, JavaScript, Java, Golang, and C among others).
Semgrep offers three main abstractions for writing search patterns:
- Equivalences: Matches code with the same meaning even if it looks different.
- Ellipsis (…): Ignores parts of the code you don’t care about.
- Metavariables ($X): Matches expressions without knowing their exact form beforehand.
The post concludes by encouraging readers to run Semgrep on their code, join the mailing list for advanced features, or contact r2c, the company behind Semgrep, for commercial use cases.
Go here to read the Original Post