#security

r2c-security-audit

r2c

Scan code for potential security issues that require additional review. Recommended for teams looking to set up guardrails or to flag troublesome spots for further review.

python

r2c

Default ruleset for Python, curated by r2c.

nodejsscan

Ajin Abraham

Rules from the preeminent Node.js security scanner, NodeJSScan.

javascript

r2c

Default ruleset for JavaScript, curated by r2c.

clientside-js

Vasilii Ermilov

Most common clientside JavaScript XSS vulnerabilities

golang

r2c

Default ruleset for Go, curated by r2c.

bandit

Use Semgrep as a universal linter to identify vulnerabilities in your code base with the bandit (https://github.com/PyCQA/bandit) rule pack.

django

Grayson Hardaway

Default ruleset for Django, by r2c

typescript

r2c

Default ruleset for TypeScript, curated by r2c.

findsecbugs

Use Semgrep as a universal linter to identify vulnerabilities and code smells in your code base with the FindSecBugs (https://find-sec-bugs.github.io/) rule pack.

flask

Grayson Hardaway

Default ruleset for Flask, by r2c.

react

r2c

React security rules.

minusworld.express-xss

r2c

Cross-site scripting (XSS) secure defaults for Express.js

colleend.insecure-transport-nodejs

r2c

Rule pack for detecting insecure transport in node js

security-audit

r2c

Scan code for potential security issues that require additional review. Recommended for teams looking to set up guardrails or to flag troublesome spots for further review.

minusworld.go-std-xss

r2c

Secure defaults for XSS in Go.

eslint-plugin-security

Selected rules from eslint-plugin-security, a security plugin for ESLint, rewritten in Semgrep.

minusworld.ruby-on-rails-xss

r2c

Secure defaults for XSS prevention for Ruby on Rails

java

r2c

Default ruleset for Java, curated by r2c.

minusworld.omni-xss

r2c

Secure defaults for XSS prevention

mschwager.java-security-rules

r2c

r2c Java security rules, combined

insecure-transport

Colleen Dai

Ensure your code communicates over encrypted channels instead of plaintext.

dockerfile

r2c

Selected rules from Hadolint, a Dockerfile linter, rewritten in Semgrep.

minusworld.java-httpservlet-jsp-xss

r2c

Secure XSS defaults for HttpServlets+JSP.

colleend.insecure-transport-javaspring

r2c

Rule pack for detecting insecure transport in java spring.

phpcs-security-audit

r2c

Selected rules from phpcs-security-audit, a security checker for PHP, rewritten in Semgrep.

ruby

r2c

Default ruleset for Ruby, curated by r2c.

secrets

r2c

Rules for detecting secrets checked into version control

r2c-owasp-presentation

Grayson Hardaway

Ruleset accompanying r2c OWASP presentation.

colleend.insecure-transport-javastdlib

r2c

Rule pack for detecting insecure transport in java stdlib.

nginx

Grayson Hardaway

Security checks for nginx configuration files.

r2c

Secure defaults for XSS prevention in Django

r2c

Scan for runtime errors, logic bus, and high-confidence security vulnerabilities. Recommended for use in CI to block serious issues from reaching production.

Drew Dennison

Rules for OWASP security checks for python

r2c

Rule pack for detecting insecure transport in node js

r2c

Default ruleset for C, curated by r2c.

auto

r2c

Use recommended rulesets specific to your project. Auto config is not a ruleset but a mode that scans for languages and frameworks and then uses the Semgrep Registry to select recommended rules. Semgrep will send a list of languages, frameworks, and your project URL to the Registry when using auto mode (but code is never uploaded).

docker

r2c

Selected rules from Hadolint, a Dockerfile linter, rewritten in Semgrep.

docker-compose

r2c

Security checks for docker-compose configuration files.

github-actions

Grayson Hardaway

Security rules for GitHub Actions workflow files

kubernetes

r2c

Security checks for kubernetes configuration files.

terraform

r2c

Default ruleset for Terraform, curated by r2c.

trailofbits

Written by the Trail of Bits security experts. See https://github.com/trailofbits/semgrep-rules for more.

r2c

Brakeman ruleset curated by r2c.

r2c

Omni pack for insecure transport rules

r2c

Rule pack for detecting insecure transport in java spring.

r2c

Default ruleset for C#, curated by r2c.

r2c

The CWE Top 25 is an industry-recognized report of top application security risks. Use this ruleset to scan for CWE Top 25 vulnerabilities.

r2c

electron desktop app

Use Semgrep as a universal linter to identify vulnerabilities and code smells in your code base with the eslint rule pack.

r2c

Default ruleset for Express.js, written by r2c.

Use Semgrep as a universal linter to identify vulnerabilities in your code base with the bandit (https://github.com/PyCQA/bandit) rule pack.

Use Semgrep as a universal linter to identify vulnerabilities and code smells in your code base with the eslint rule pack.

Vasilii Ermilov

Secure defaults for Command injection prevention

Vasilii Ermilov

Insecure usage of most popular headless browser APIs

r2c

Ruleset by r2c

Colleen Dai

Ensure your code communicates over encrypted channels instead of plaintext.

Vasilii Ermilov

Secure defaults for Command injection prevention

Vasilii Ermilov

Secure defaults for Command injection prevention

A ruleset of javascript and typescript rules made for OWASP Juice Shop.

r2c

Default ruleset for Kotlin, curated by r2c.

r2c

Security checks for lockfiles.

r2c

Scan for runtime errors, logic bus, and high-confidence security vulnerabilities. Recommended for use in CI to block serious issues from reaching production. Supports Python, Java, JavaScript, and Go.

r2c

Scan for runtime errors, logic bus, and high-confidence security vulnerabilities. Recommended for use in CI to block serious issues from reaching production.

r2c

Scan for runtime errors, logic bus, and high-confidence security vulnerabilities. Recommended for use in CI to block serious issues from reaching production.

r2c

Scan for runtime errors, logic bus, and high-confidence security vulnerabilities. Recommended for use in CI to block serious issues from reaching production.

Colleen Dai

SQL injection guardrails. Checks for non-constant SQL queries and other SQLi.

Mobile Security Framework

Written by the MobSF team. See https://github.com/MobSF/mobsfscan for more.

r2c

Nextjs security rules.

Colleen Dai

OWASP Java Benchmark ruleset, a subset of java rules for faster results.

Grayson Hardaway

Ruleset for OWASP SF

r2c

The OWASP Top 10 is an industry-recognized report of top web application security risks. Use this ruleset to scan for OWASP Top 10 vulnerabilities.

r2c

Default ruleset for PHP, curated by r2c.

r2c

PHP Laravel framework ruleset by r2c

r2c

Play framework ruleset by r2c

Vasilii Ermilov

Secure defaults for Command injection prevention

Grayson Hardaway

Python Meetup Check Ruleset

r2c

React rules which contain best practices and general code-smells, should not be run in CI/CD.

r2c

React rules available to team tier customers, this rule-pack would be the most recommended due to higher accuracy of sources.

Vasilii Ermilov

Secure defaults for Command injection prevention

r2c

Secure defaults for XSS prevention for Ruby on Rails

r2c

General purpose ruleset for Rust. Includes audit-oriented rules, which might lead to false positives.

r2c

Default ruleset for Scala, curated by r2c.

Use Semgrep as a universal linter to identify vulnerabilities and code smells in your code base with the Security Code Scan (https://security-code-scan.github.io/) rule pack.

r2c

Use Semgrep to scan for supply chain-related issues.

r2c

Rule pack for detecting insecure transport in java spring.

r2c

Wordpress audit ruleset, ported from WPScan