#security
Rulesets (88)

Scan code for potential security issues that require additional review. Recommended for teams looking to set up guardrails or to flag troublesome spots for further review.

Default ruleset for Python, curated by r2c.

Rules from the preeminent Node.js security scanner, NodeJSScan.

Default ruleset for JavaScript, curated by r2c.

Most common client-side JavaScript XSS vulnerabilities

Default ruleset for Go, curated by r2c.

Use Semgrep as a universal linter to identify vulnerabilities in your code base with the bandit (https://github.com/PyCQA/bandit) rule pack.

Default ruleset for Django, by r2c

Default ruleset for TypeScript, curated by r2c.

Use Semgrep as a universal linter to identify vulnerabilities and code smells in your code base with the FindSecBugs (https://find-sec-bugs.github.io/) rule pack.

Default ruleset for Flask, by r2c.

React security rules.

Cross-site scripting (XSS) secure defaults for Express.js

Rule pack for detecting insecure transport in Node.js

Scan code for potential security issues that require additional review. Recommended for teams looking to set up guardrails or to flag troublesome spots for further review.

Secure defaults for XSS in Go.

Selected rules from eslint-plugin-security, a security plugin for ESLint, rewritten in Semgrep.

Secure defaults for XSS prevention for Ruby on Rails

Default ruleset for Java, curated by r2c.

Secure defaults for XSS prevention

r2c Java security rules, combined

Ensure your code communicates over encrypted channels instead of plaintext.

Selected rules from Hadolint, a Dockerfile linter, rewritten in Semgrep.

Secure XSS defaults for HttpServlets+JSP.

Rule pack for detecting insecure transport in Java Spring.

Selected rules from phpcs-security-audit, a security checker for PHP, rewritten in Semgrep.

Default ruleset for Ruby, curated by r2c.

Rules for detecting secrets checked into version control

Ruleset accompanying r2c OWASP presentation.

Rule pack for detecting insecure transport in the Java stdlib.

Security checks for nginx configuration files.

Secure defaults for XSS prevention in Django

Scan for runtime errors, logic bugs, and high-confidence security vulnerabilities. Recommended for use in CI to block serious issues from reaching production.

Rules for OWASP security checks for Python

Rule pack for detecting insecure transport in Node.js

Default ruleset for C, curated by r2c.

Use recommended rulesets specific to your project. Auto config is not a ruleset but a mode that scans for languages and frameworks and then uses the Semgrep Registry to select recommended rules. Semgrep will send a list of languages, frameworks, and your project URL to the Registry when using auto mode (but code is never uploaded).

Selected rules from Hadolint, a Dockerfile linter, rewritten in Semgrep.

Security checks for docker-compose configuration files.

Security rules for GitHub Actions workflow files

Security checks for Kubernetes configuration files.

Default ruleset for Terraform, curated by r2c.

Written by the Trail of Bits security experts. See https://github.com/trailofbits/semgrep-rules for more.

Brakeman ruleset curated by r2c.

Omni pack for insecure transport rules

Rule pack for detecting insecure transport in Java Spring.

Default ruleset for C#, curated by r2c.

The CWE Top 25 is an industry-recognized report of top application security risks. Use this ruleset to scan for CWE Top 25 vulnerabilities.

Electron desktop app

Use Semgrep as a universal linter to identify vulnerabilities and code smells in your code base with the ESLint rule pack.

Default ruleset for Express.js, written by r2c.

Use Semgrep as a universal linter to identify vulnerabilities in your code base with the bandit (https://github.com/PyCQA/bandit) rule pack.

Use Semgrep as a universal linter to identify vulnerabilities and code smells in your code base with the ESLint rule pack.

Secure defaults for command injection prevention

Insecure usage of most popular headless browser APIs

Ruleset by r2c

Ensure your code communicates over encrypted channels instead of plaintext.

Secure defaults for command injection prevention

Secure defaults for command injection prevention

A ruleset of JavaScript and TypeScript rules made for OWASP Juice Shop.

Default ruleset for Kotlin, curated by r2c.

Security checks for lockfiles.

Scan for runtime errors, logic bugs, and high-confidence security vulnerabilities. Recommended for use in CI to block serious issues from reaching production. Supports Python, Java, JavaScript, and Go.

Scan for runtime errors, logic bugs, and high-confidence security vulnerabilities. Recommended for use in CI to block serious issues from reaching production.

Scan for runtime errors, logic bugs, and high-confidence security vulnerabilities. Recommended for use in CI to block serious issues from reaching production.

Scan for runtime errors, logic bugs, and high-confidence security vulnerabilities. Recommended for use in CI to block serious issues from reaching production.

SQL injection guardrails. Checks for non-constant SQL queries and other SQLi.

Written by the MobSF team. See https://github.com/MobSF/mobsfscan for more.

Next.js security rules.

OWASP Java Benchmark ruleset, a subset of the Java rules for faster results.

Ruleset for OWASP SF

The OWASP Top 10 is an industry-recognized report of top web application security risks. Use this ruleset to scan for OWASP Top 10 vulnerabilities.

Default ruleset for PHP, curated by r2c.

PHP Laravel framework ruleset by r2c

Play framework ruleset by r2c

Secure defaults for command injection prevention

Python Meetup Check Ruleset

React rules that cover best practices and general code smells; should not be run in CI/CD.

React rules available to Team tier customers; this rule pack is the most recommended because of the higher accuracy of its sources.

Secure defaults for command injection prevention

Secure defaults for XSS prevention for Ruby on Rails

General purpose ruleset for Rust. Includes audit-oriented rules, which might lead to false positives.

Default ruleset for Scala, curated by r2c.

Use Semgrep as a universal linter to identify vulnerabilities and code smells in your code base with the Security Code Scan (https://security-code-scan.github.io/) rule pack.

Use Semgrep to scan for supply chain-related issues.

Rule pack for detecting insecure transport in Java Spring.

WordPress audit ruleset, ported from WPScan