Semgrep: Writing quick rules to verify ideas (opens in new tab)

(blog.deesee.xyz)

62 pointsadrianomartins3y ago19 comments

19 comments

I use semgrep for semantic search (and replace, sometimes).

Their docs and website try very hard to suggest you should use it for some kind of CI process, but so far I haven't found any need to do so. I can maybe see it being useful in a pre-commit hook.

It's VERY handy for semantic searches though - in situations where ripgrep would be useless due to multi-line matches.

I set up this alias to make it a bit less verbose for Python patterns:

    pygrep () {
        pat="$1"
        shift
        filez="$*"
        bash -xc "semgrep --lang=python --pattern '$pat' $filez"
    }

Usage is something like:

    pygrep 'myfunc(..., needle_arg=..., ...)'

burntsushi3y ago

Note that ripgrep can do multi-line searches with the -U flag.

Not that this detracts from your main point. Semgrep is much smarter than ripgrep and goes well beyond multi line searches.

I just wanted to clarify the small thing.

craigds3y ago

thanks for ripgrep!

underyx3y ago

Heya, Semgrep maintainer here. Just wanted to ask you about an idea I had before, how would you feel about specifying the language parameter in the binary name, making the invocation look like this?

    semgrep.py search 'myfunc(..., needle_arg=..., ...)'

And then the other subcommands would remain

    semgrep scan --config auto

to scan with all recommended rules and

    semgrep ci

to scan in CI jobs.

leipert3y ago

I feel like the „semgrep.py“ idea is not that good, because someone could legitimately have a semgrep.py or semgrep.js or similar file which wraps semgrep.

Edit: thanks for maintaining semgrep, started using it heavily in day job and the team started writing Frontends for it.

1 more reply

O_H_E3y ago

>> Their docs and website try very hard to suggest you should use it for some kind of CI process...

Just a piece of feedback for the record: I have been stuck in exactly the same place the few times I was interested in trying out a ripgrep alternative that understood semantics, but didn't have such an urgent need to actually understand how to get things going.

1 more reply

lbhdc3y ago

I really wish it could infer the language from the file type. One of the things that prevents me from reaching for semgrep as often as I want to is the complexity, and having it infer language from filetype would be nice.

1 more reply

iib3y ago

Don't you have to shift the arguments, so that `$1` does not also end in `filez`?

craigds3y ago

There is a `shift` in the function

koyanisqatsi3y ago

I was looking for something like this the other day but then ended up just using RubyVM::AbstractSyntaxTree.parse_file and then rolled my own visitor on top of the AST. It's cool what they can do here but I think any language that exposes its AST is amenable to this kind of analysis, you just have to write some code to do it. The main bottleneck in my experience is just being familiar with the AST structure and how it maps to source syntax. It's cool that they have abstracted a lot of the commonality among several languages, definitely gonna look into this next time I need semantic code search.

renewiltord3y ago

Very cool. Thank you for writing this!

j / k navigate · click thread line to collapse

19 comments

craigds3y ago

I use semgrep for semantic search (and replace, sometimes).

Their docs and website try very hard to suggest you should use it for some kind of CI process, but so far I haven't found any need to do so. I can maybe see it being useful in a pre-commit hook.

It's VERY handy for semantic searches though - in situations where ripgrep would be useless due to multi-line matches.

I set up this alias to make it a bit less verbose for Python patterns:

    pygrep () {
        pat="$1"
        shift
        filez="$*"
        bash -xc "semgrep --lang=python --pattern '$pat' $filez"
    }

Usage is something like:

    pygrep 'myfunc(..., needle_arg=..., ...)'

burntsushi3y ago

Note that ripgrep can do multi-line searches with the -U flag.

Not that this detracts from your main point. Semgrep is much smarter than ripgrep and goes well beyond multi line searches.

I just wanted to clarify the small thing.

craigds3y ago

thanks for ripgrep!

underyx3y ago

Heya, Semgrep maintainer here. Just wanted to ask you about an idea I had before, how would you feel about specifying the language parameter in the binary name, making the invocation look like this?

    semgrep.py search 'myfunc(..., needle_arg=..., ...)'

And then the other subcommands would remain

    semgrep scan --config auto

to scan with all recommended rules and

    semgrep ci

to scan in CI jobs.

leipert3y ago

I feel like the „semgrep.py“ idea is not that good, because someone could legitimately have a semgrep.py or semgrep.js or similar file which wraps semgrep.

Edit: thanks for maintaining semgrep, started using it heavily in day job and the team started writing Frontends for it.

1 more reply

O_H_E3y ago

>> Their docs and website try very hard to suggest you should use it for some kind of CI process...

1 more reply

lbhdc3y ago

1 more reply

iib3y ago

Don't you have to shift the arguments, so that `$1` does not also end in `filez`?

craigds3y ago

There is a `shift` in the function

koyanisqatsi3y ago

renewiltord3y ago

Very cool. Thank you for writing this!

j / k navigate · click thread line to collapse