"The attack surface is the vulnerability. Finding a bug there is just a detail."
-- Mark Dowd
"Some details are more important than others."
-- Fedor G. Pikus
A collection of my Semgrep rules to facilitate vulnerability research.
# high priority scan (quick wins)
semgrep --severity ERROR --config "p/0xdea"
# high and medium priority scan (recommended)
semgrep --severity ERROR --severity WARNING --config "p/0xdea"
# full scan (might include marginal findings and more false positives)
semgrep --config "p/0xdea"
Alternatively, you can clone this GitHub repository locally and run:
# full scan
semgrep --config semgrep-rules/rules /path/to/source
# specific rule scan
semgrep --config semgrep-rules/rules/c/command-injection.yaml /path/to/source
[!TIP] Specify the
--no-git-ignoreswitch to scan files regardless of git tracking status or.gitignorerules.
For a better streamlined experience, I recommend saving the Semgrep scan output in SARIF format and using SARIF Explorer in VS code:
semgrep --sarif --sarif-output=/path/to/source/SEMGREP.sarif --config semgrep-rules/rules /path/to/source
code /path/to/source # then open the SEMGREP.sarif file in VS code with SARIF Explorer
See also the included SARIF output example.
Tested with Semgrep CLI 1.165.0.
Battle tested C (and sometimes C++) ruleset.
gets.strcpy, stpcpy, strcat.sprintf and vsprintf.scanf family.strncat.strncpy, memcpy, snprintf, and variants.sizeof operator on a pointer instead of its target.strncpy and stpncpy.snprintf and vsnprintf.strlcpy and strlcat.strlen to short might be dangerous.alloca.free.free.free on memory not in the heap.malloc, calloc, realloc, etc.putenv with a stack-allocated variable.system or popen.access, stat, lstat, etc.mktemp, tmpnam, tempnam.signal.setuid and seteuid.memset.rand and srand.scanf family.atoi, atol, atof.These rules are considered potentially too noisy and unsuitable for general use.
--time benchmarking against real-world code to spot slow rules in need of optimization.$ claude mcp add semgrep-rules \
-- python -m otcore.mcp_server <graph>