SAST with Semgrep

Overview

Perform comprehensive static application security testing using Semgrep, a fast, open-source static analysis tool. This skill provides automated vulnerability detection, security code review workflows, and remediation guidance mapped to OWASP Top 10 and CWE standards.

Quick Start

Scan a codebase for security vulnerabilities:

semgrep --config=auto --severity=ERROR --severity=WARNING /path/to/code

Run with OWASP Top 10 ruleset:

semgrep --config="p/owasp-top-ten" /path/to/code

Core Workflows

Workflow 1: Initial Security Scan

1. Identify the primary languages in the codebase
2. Run scripts/semgrep_scan.py with appropriate rulesets
3. Parse findings and categorize by severity (CRITICAL, HIGH, MEDIUM, LOW)
4. Map findings to OWASP Top 10 and CWE categories
5. Generate prioritized remediation report

Workflow 2: Security Code Review

1. For pull requests or commits, run targeted scans on changed files
2. Use semgrep --diff to scan only modified code
3. Flag high-severity findings as blocking issues
4. Provide inline remediation guidance from references/remediation_guide.md
5. Link findings to secure coding patterns

Workflow 3: Custom Rule Development

1. Identify organization-specific security patterns to detect
2. Create custom Semgrep rules in YAML format using assets/rule_template.yaml
3. Test rules against known vulnerable code samples
4. Integrate custom rules into CI/CD pipeline
5. Document rules in references/custom_rules.md

Workflow 4: CI/CD Integration

1. Add Semgrep to CI/CD pipeline using assets/ci_config_examples/
2. Configure baseline scanning for pull requests
3. Set severity thresholds (fail on CRITICAL/HIGH)
4. Generate SARIF output for security dashboards
5. Track metrics: vulnerabilities found, fix rate, false positives

Security Considerations

• Sensitive Data Handling: Semgrep scans code locally; ensure scan results don't leak secrets or proprietary code patterns. Use --max-lines-per-finding to limit output.

• Access Control: Semgrep scans require read access to source code. Restrict scan result access to authorized security and development teams.

• Audit Logging: Log all scan executions with timestamps, user, commit hash, and findings count for compliance auditing.

• Compliance: SAST scanning supports SOC2, PCI-DSS, and GDPR compliance requirements. Maintain scan history and remediation tracking.

• Safe Defaults: Use --config=auto for balanced detection. For security-critical applications, use --config="p/security-audit" for comprehensive coverage.

Language Support

Semgrep supports 30+ languages including:

• Web: JavaScript, TypeScript, Python, Ruby, PHP, Java, C#, Go
• Mobile: Swift, Kotlin, Java (Android)
• Infrastructure: Terraform, Dockerfile, YAML, JSON
• Other: C, C++, Rust, Scala, Solidity

Bundled Resources

Scripts

• scripts/semgrep_scan.py - Full-featured scanning with OWASP/CWE mapping and reporting
• scripts/baseline_scan.sh - Quick baseline scan for CI/CD
• scripts/diff_scan.sh - Scan only changed files (for PRs)

References

• references/owasp_cwe_mapping.md - OWASP Top 10 to CWE mapping with Semgrep rules
• references/remediation_guide.md - Vulnerability remediation patterns by category
• references/rule_library.md - Curated list of useful Semgrep rulesets

Assets

• assets/rule_template.yaml - Template for creating custom Semgrep rules
• assets/ci_config_examples/ - CI/CD integration examples (GitHub Actions, GitLab CI)
• assets/semgrep_config.yaml - Recommended Semgrep configuration

Common Patterns

Pattern 1: Daily Security Baseline Scan

# Run comprehensive scan and generate report
scripts/semgrep_scan.py --config security-audit \
  --output results.json \
  --format json \
  --severity HIGH CRITICAL

Pattern 2: Pull Request Security Gate

# Scan only changed files, fail on HIGH/CRITICAL
scripts/diff_scan.sh --fail-on high \
  --base-branch main \
  --output sarif

Pattern 3: Vulnerability Research

# Search for specific vulnerability patterns
semgrep --config "r/javascript.lang.security.audit.xss" \
  --json /path/to/code | jq '.results'

Pattern 4: Custom Rule Validation

# Test custom rule against vulnerable samples
semgrep --config assets/custom_rules.yaml \
  --test tests/vulnerable_samples/

Integration Points

CI/CD Integration

• GitHub Actions: Use semgrep/semgrep-action@v1 with SARIF upload
• GitLab CI: Run as security scanning job with artifact reports
• Jenkins: Execute as build step with quality gate integration
• pre-commit hooks: Run lightweight scans on staged files

See assets/ci_config_examples/ for ready-to-use configurations.

Security Tool Integration

• SIEM/SOAR: Export findings in JSON/SARIF for ingestion
• Vulnerability Management: Integrate with Jira, DefectDojo, or ThreadFix
• IDE Integration: Use Semgrep IDE plugins for real-time detection
• Secret Scanning: Combine with tools like trufflehog, gitleaks

SDLC Integration

• Requirements Phase: Define security requirements and custom rules
• Development: IDE plugins provide real-time feedback
• Code Review: Automated security review in PR workflow
• Testing: Integrate with security testing framework
• Deployment: Final security gate before production

Severity Classification

Semgrep findings are classified by severity:

• CRITICAL: Exploitable vulnerabilities (SQLi, RCE, Auth bypass)
• HIGH: Significant security risks (XSS, CSRF, sensitive data exposure)
• MEDIUM: Security weaknesses (weak crypto, missing validation)
• LOW: Code quality issues with security implications
• INFO: Security best practice recommendations

Performance Optimization

For large codebases:

# Use --jobs for parallel scanning
semgrep --config auto --jobs 4

# Exclude vendor/test code
semgrep --config auto --exclude "vendor/" --exclude "test/"

# Use lightweight rulesets for faster feedback
semgrep --config "p/owasp-top-ten" --exclude-rule "generic.*"

Troubleshooting

Issue: Too Many False Positives

Solution:

• Use --exclude-rule to disable noisy rules
• Create .semgrepignore file to exclude false positive patterns
• Tune rules using --severity filtering
• Add # nosemgrep comments for confirmed false positives (with justification)

Issue: Scan Taking Too Long

Solution:

• Use --exclude for vendor/generated code
• Increase --jobs for parallel processing
• Use targeted rulesets instead of --config=auto
• Run incremental scans with --diff

Issue: Missing Vulnerabilities

Solution:

• Use comprehensive rulesets: p/security-audit or p/owasp-top-ten
• Consult references/rule_library.md for specialized rules
• Create custom rules for organization-specific patterns
• Combine with dynamic analysis (DAST) and dependency scanning

Advanced Usage

Creating Custom Rules

See references/rule_library.md for guidance on writing effective Semgrep rules. Use assets/rule_template.yaml as a starting point.

Example rule structure:

rules:
  - id: custom-sql-injection
    patterns:
      - pattern: execute($QUERY)
      - pattern-inside: |
          $QUERY = $USER_INPUT + ...
    message: Potential SQL injection from user input concatenation
    severity: ERROR
    languages: [python]
    metadata:
      cwe: "CWE-89"
      owasp: "A03:2021-Injection"

OWASP Top 10 Coverage

This skill provides detection for all OWASP Top 10 2021 categories. See references/owasp_cwe_mapping.md for complete coverage matrix.

Best Practices

1. Baseline First: Establish security baseline before enforcing gates
2. Progressive Rollout: Start with HIGH/CRITICAL, expand to MEDIUM over time
3. Developer Training: Educate team on common vulnerabilities and fixes
4. Rule Maintenance: Regularly update rulesets and tune for your stack
5. Metrics Tracking: Monitor vulnerability trends, MTTR, and false positive rate
6. Defense in Depth: Combine with DAST, SCA, and manual code review

References

• Semgrep Documentation
• Semgrep Rule Registry
• OWASP Top 10 2021
• CWE Top 25
• SANS Top 25