How to Use Semgrep

Getting started with Semgrep

In this guide, you will learn how to set up Semgrep and perform your first static analysis on your code to identify vulnerabilities. By the end, you will be equipped to enhance your application security effectively.

Step 1: Sign up and set up

1. Go to semgrep.dev.
2. Click on the “Get Started for Free” button on the homepage.
3. Sign up using your email or GitHub account. Follow the prompts to verify your email if necessary.
4. Once logged in, you will be taken to the Semgrep dashboard. You can choose to create a new project by clicking the “New Project” button.

Step 2: Your first scan

1. In your dashboard, click on the “New Project” button.
2. Enter a project name and select a repository to scan. You can connect your GitHub or GitLab account for easy access.
3. Choose the language of your codebase from the dropdown menu.
4. Select the default ruleset for the scan. You can start with the “Security” ruleset.
5. Click the “Scan” button to initiate the scan.
6. After a few moments, you will see the results showing any vulnerabilities detected in your code.

Step 3: Get better results

1. To refine your results, you can create custom rules. Click on the “Rules” tab in the left sidebar.
2. Click the “New Rule” button and follow the prompts to define your rule using YAML format.
3. Test your rule by running a scan on your codebase again.
4. Explore the “Documentation” section for additional tips on writing effective rules.

Pro tip

Use the “Patterns” library on the Semgrep website to find pre-built rules that match your needs. You can easily import these rules into your project to save time.

Common mistake to avoid

Avoid skipping the step of selecting the appropriate ruleset for your scan. Using a generic or incorrect ruleset may result in missed vulnerabilities or irrelevant findings. Always choose a ruleset that aligns closely with your project’s requirements.