This repository contains Semgrep rules developed by Trail of Bits and made available to the public. They are part of our ongoing development efforts and are used in our security audits, vulnerability research, and internal projects. They will evolve over time as we identify new techniques.
To run individual rules from your terminal, navigate to the root folder of your project and run the following:

```sh
$ semgrep --config /path/to/semgrep-rules/semgreprule.yml
```
To run all rules:

```sh
$ semgrep --config /path/to/semgrep-rules/ .
```
Semgrep will run against all supported code files except for those in your `.gitignore` file. If you want to run the rules against all files and directories, including those in your `.gitignore`, add the `--no-git-ignore` flag:

```sh
$ semgrep --config /path/to/semgrep-rules/ . --no-git-ignore
```
You can also tell Semgrep to ignore files and directories that match a pattern. For instance, to skip all Go test files, run the following:

```sh
$ semgrep --config /path/to/semgrep-rules/ . --exclude='*_test.go'
```
Use `-o` to write the results to a file:

```sh
$ semgrep --config /path/to/semgrep-rules/hanging-goroutine.yml -o leaks.txt
```
| Rule ID | Language | What it Finds |
|---|---|---|
| anonymous-race-condition | Go | Race conditions within anonymous goroutines |
| hanging-goroutine | Go | Goroutine leaks |
| iterate-over-empty-collection | Go | Iterations over an empty collection |
| nil-check-after-call | Go | Possible nil dereferences |
| questionable-assignment | Go | Possible unintentional assignment when an error occurs |
| nondeterministic-select | Go | Nondeterministic select logic |
| servercodec-readrequestbody-unhandled-nil | Go | Possible incorrect ServerCodec interface implementation |
| sleep-used-for-synchronizations | Go | Use of time.Sleep for goroutine synchronization |
| string-to-int-signedness-cast | Go | Integer underflows |
| sync-mutex-value-copied | Go | Copying of sync.Mutex via value receivers |
| waitgroup-add-called-inside-goroutine | Go | Calls to sync.WaitGroup.Add inside of anonymous goroutines |
| waitgroup-wait-inside-loop | Go | Calls to sync.WaitGroup.Wait inside a loop |
| tarfile-extractall-traversal | Python | Potential path traversal in a call to extractall for a tarfile |
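As an added illustration of what the last rule in the table reports (this is example code written for this page, not code from the semgrep-rules repository or one of its rules), the snippet below places the unguarded `tarfile.extractall()` call that `tarfile-extractall-traversal` flags next to a hardened extractor that validates every member path, symlink and hard link before anything is written. The archives, member names and file contents are constructed in memory for the demo; the helper names (`is_within_directory`, `unsafe_member`, `extract_safe`) are this example's own.

```python
"""Unsafe tarfile.extractall() beside a hardened extractor (added example, not project code)."""
import io
import os
import tarfile
import tempfile


def build_tar(entries):
    """Construct an in-memory tar archive from {member_name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name=name)   # name is stored verbatim, '..' included
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def is_within_directory(directory, target):
    """True only if `target` (joined onto `directory`) resolves to a path inside `directory`."""
    abs_dir = os.path.realpath(directory)
    abs_target = os.path.realpath(os.path.join(directory, target))
    return os.path.commonpath([abs_dir, abs_target]) == abs_dir


def unsafe_member(directory, member):
    """Return a reason string if extracting `member` could touch a path outside `directory`, else None."""
    if not is_within_directory(directory, member.name):
        return f"member path escapes destination: {member.name}"
    if member.issym():
        # symlink targets are relative to the directory the link itself lives in
        link_dir = os.path.dirname(os.path.join(directory, member.name))
        target = os.path.join(link_dir, member.linkname)
    elif member.islnk():
        # hard-link targets are relative to the archive root
        target = os.path.join(directory, member.linkname)
    else:
        return None
    if not is_within_directory(directory, target):
        return f"link target escapes destination: {member.name} -> {member.linkname}"
    return None


def extract_unsafe(archive, dest):
    """The pattern the rule flags: member names are trusted as-is, so '../x' writes above dest."""
    with tarfile.open(fileobj=archive, mode="r") as tar:
        tar.extractall(dest)   # flagged by tarfile-extractall-traversal


def extract_safe(archive, dest):
    """Hardened form: reject the whole archive if any member escapes `dest`, otherwise extract."""
    archive.seek(0)
    with tarfile.open(fileobj=archive, mode="r") as tar:
        members = tar.getmembers()
        for member in members:
            reason = unsafe_member(dest, member)
            if reason:
                raise tarfile.TarError(reason)
        tar.extractall(dest, members=members)
    return sorted(member.name for member in members)


def demo():
    """Feed a benign and a traversal archive to the hardened extractor; return what happened."""
    benign = build_tar({"docs/readme.txt": b"hello"})
    hostile = build_tar({"../escaped.txt": b"outside"})   # constructed traversal member
    results = {}
    with tempfile.TemporaryDirectory() as dest:
        results["benign"] = extract_safe(benign, dest)
        try:
            extract_safe(hostile, dest)
            results["hostile"] = "extracted"
        except tarfile.TarError as exc:
            results["hostile"] = f"rejected: {exc}"
        results["escaped_file_exists"] = os.path.exists(os.path.join(dest, "..", "escaped.txt"))
    return results


if __name__ == "__main__":
    print(demo())
```

Validating the full member list before the first write is deliberate: rejecting the archive as a whole avoids a partially extracted tree. On Python 3.12 and later the standard library also offers `tarfile.data_filter` (passed as `extractall(..., filter="data")`), which performs equivalent path and link checks; the manual check above remains useful on older interpreters and makes the rejection reason explicit.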