#security
Rulesets (102)
Scan code for potential security issues that require additional review. Recommended for teams looking to set up guardrails or to flag troublesome spots for further review.
Default ruleset for Python, curated by Semgrep.
Ajin AbrahamRules from the preeminent Node.js security scanner, NodeJSScan.
Default ruleset for JavaScript, curated by Semgrep.
Vasilii ErmilovMost common clientside JavaScript XSS vulnerabilities
Default ruleset for Go, curated by Semgrep.
Use Semgrep as a universal linter to identify vulnerabilities in your code base with the bandit (https://github.com/PyCQA/bandit) rule pack.
Grayson HardawayDefault ruleset for Django, by Semgrep
Default ruleset for TypeScript, curated by Semgrep.
Use Semgrep as a universal linter to identify vulnerabilities and code smells in your code base with the FindSecBugs (https://find-sec-bugs.github.io/) rule pack.
React security rules.
r2cCross-site scripting (XSS) secure defaults for Express.js
r2cRule pack for detecting insecure transport in node js
Scan code for potential security issues that require additional review. Recommended for teams looking to set up guardrails or to flag troublesome spots for further review.
r2cSecure defaults for XSS in Go.
Selected rules from eslint-plugin-security, a security plugin for ESLint, rewritten in Semgrep.
r2cSecure defaults for XSS prevention for Ruby on Rails
Default ruleset for Java, curated by Semgrep.
r2cSecure defaults for XSS prevention
r2cr2c Java security rules, combined
Colleen DaiEnsure your code communicates over encrypted channels instead of plaintext.
Selected rules from Hadolint, a Dockerfile linter, rewritten in Semgrep.
r2cSecure XSS defaults for HttpServlets+JSP.
r2cRule pack for detecting insecure transport in java spring.
Selected rules from phpcs-security-audit, a security checker for PHP, rewritten in Semgrep.
Default ruleset for Ruby, curated by Semgrep.
Rules for detecting secrets checked into version control
Grayson HardawayRuleset accompanying Semgrep OWASP presentation.
r2cRule pack for detecting insecure transport in java stdlib.
Grayson HardawaySecurity checks for nginx configuration files.
r2cSecure defaults for XSS prevention in Django
r2cScan for runtime errors, logic bus, and high-confidence security vulnerabilities. Recommended for use in CI to block serious issues from reaching production.
Drew DennisonRules for OWASP security checks for python
r2cRule pack for detecting insecure transport in node js
Default ruleset for C and C++, curated by Semgrep.
Use recommended rulesets specific to your project. Auto config is not a ruleset but a mode that scans for languages and frameworks and then uses the Semgrep Registry to select recommended rules. Semgrep will send a list of languages, frameworks, and your project URL to the Registry when using auto mode (but code is never uploaded).
Selected rules from Hadolint, a Dockerfile linter, rewritten in Semgrep.
Security checks for docker-compose configuration files.
Grayson HardawaySecurity rules for GitHub Actions workflow files
Security checks for kubernetes configuration files.
Default ruleset for Terraform, curated by Semgrep.
Written by the Trail of Bits security experts. See https://github.com/trailofbits/semgrep-rules for more.
Default ruleset for Apex, curated by Semgrep. Includes rules contributed by nCino. Semgrep Pro >= 1.44.0 is required to run rules in this ruleset.
Brakeman ruleset curated by Semgrep.
Scan code for uses of functions listed on Microsoft's list of banned functions. These functions are error-prone and typically have a safer replacement function.
r2cOmni pack for insecure transport rules
r2cRule pack for detecting insecure transport in java spring.
Alpha ruleset for C/C++. Scan code for potential security issues that require additional review. Recommended for security engineers or consultants who don't mind false positives and are looking to flag troublesome spots for further review.
Alpha ruleset for C/C++. Scan code for uses of functions listed on Microsoft's list of banned functions. These functions are error-prone and typically have a safer replacement function.
Alpha ruleset for C/C++. This ruleset is intended to produce low false positives, and safe for use in CI/CD pipelines.
Scan C++ code for potential security issues that require additional review. Recommended for security engineers or consultants who don't mind false positives and are looking to flag troublesome spots for further review.
Default ruleset for C#, curated by Semgrep.
C# interfile rules
The CWE Top 25 is an industry-recognized report of top application security risks. Use this ruleset to scan for CWE Top 25 vulnerabilities.
electron desktop app
Default ruleset for Elixir, curated by Semgrep.
Use Semgrep as a universal linter to identify vulnerabilities and code smells in your code base with the eslint rule pack.
Default ruleset for Express.js, written by Semgrep.
Use Semgrep as a universal linter to identify vulnerabilities in your code base with the bandit (https://github.com/PyCQA/bandit) rule pack.
Use Semgrep as a universal linter to identify vulnerabilities and code smells in your code base with the eslint rule pack.
Vasilii ErmilovSecure defaults for Command injection prevention
Vasilii ErmilovInsecure usage of most popular headless browser APIs
r2cRuleset by r2c
Colleen DaiEnsure your code communicates over encrypted channels instead of plaintext.
Vasilii ErmilovSecure defaults for Command injection prevention
Vasilii ErmilovSecure defaults for Command injection prevention
A ruleset of javascript and typescript rules made for OWASP Juice Shop.
Default ruleset for Kotlin, curated by Semgrep.
Security checks for lockfiles.
r2cScan for runtime errors, logic bus, and high-confidence security vulnerabilities. Recommended for use in CI to block serious issues from reaching production. Supports Python, Java, JavaScript, and Go.
r2cScan for runtime errors, logic bus, and high-confidence security vulnerabilities. Recommended for use in CI to block serious issues from reaching production.
r2cScan for runtime errors, logic bus, and high-confidence security vulnerabilities. Recommended for use in CI to block serious issues from reaching production.
r2cScan for runtime errors, logic bus, and high-confidence security vulnerabilities. Recommended for use in CI to block serious issues from reaching production.
Colleen DaiSQL injection guardrails. Checks for non-constant SQL queries and other SQLi.
Mobile Security FrameworkWritten by the MobSF team. See https://github.com/MobSF/mobsfscan for more.
Nextjs security rules.
Colleen DaiOWASP Java Benchmark ruleset, a subset of java rules for faster results.
Grayson HardawayRuleset for OWASP SF
The OWASP Top 10 is an industry-recognized report of top web application security risks. Use this ruleset to scan for OWASP Top 10 vulnerabilities.
Default ruleset for PHP, curated by Semgrep.
PHP Laravel framework ruleset by Semgrep
Play framework ruleset by Semgrep
Alpha ruleset for Python. This ruleset is intended to produce low false positives, and safe for use in CI/CD pipelines.
Vasilii ErmilovSecure defaults for Command injection prevention
Grayson HardawayPython Meetup Check Ruleset
React rules which contain best practices and general code-smells, should not be run in CI/CD.
React rules available to team tier customers, this rule-pack would be the most recommended due to higher accuracy of sources.
Vasilii ErmilovSecure defaults for Command injection prevention
Secure defaults for XSS prevention for Ruby on Rails
General purpose ruleset for Rust. Includes audit-oriented rules, which might lead to false positives.
Default ruleset for Scala, curated by Semgrep.
Use Semgrep as a universal linter to identify vulnerabilities and code smells in your code base with the Security Code Scan (https://security-code-scan.github.io/) rule pack.
Ruleset for smart contract security, contributed by Decurity (https://www.decurity.io/).
Use Semgrep to scan for supply chain-related issues.
Default ruleset for Swift, curated by Semgrep.
Rule pack for detecting insecure transport in java spring.
Test pinned rules.
Test pinned rules.
Test pinned rules.
Test pinned rules.
Wordpress audit ruleset, ported from WPScan