This repository contains Semgrep rules developed by Trail of Bits and made available to the public. They are part of our ongoing development efforts and are used in our security audits, vulnerability research, and internal projects. They will evolve over time as we identify new techniques.
The easiest way to run the rules is to run them from the Semgrep registry. To do so, navigate to the root folder of your project and run the following:
$ semgrep --config "p/trailofbits"
Alternatively, you can clone this repository, navigate to the root folder of your project, and run individual rules using the command below:
$ semgrep --config /path/to/semgrep-rules/semgreprule.yml
To run all rules from the cloned repository:
$ semgrep --config /path/to/semgrep-rules/ .
Semgrep will run against all supported code files except for those in your .gitignore file. If you want to run the rules against all files and directories, including those in your .gitignore, add the --no-git-ignore flag.
$ semgrep --config /path/to/semgrep-rules/ . --no-git-ignore
You can also tell Semgrep to ignore files and directories that match any pattern. For instance, if you want to tell Semgrep to ignore all Go test files you can run the following:
$ semgrep --config /path/to/semgrep-rules/ . --exclude='*_test.go'
Use -o to output results to a file:
$ semgrep --config /path/to/semgrep-rules/hanging-goroutine.yml -o leaks.txt
| Rule ID | Language | What it finds |
|---|---|---|
| anonymous-race-condition | Go | Race conditions within anonymous goroutines |
| hanging-goroutine | Go | Goroutine leaks |
| iterate-over-empty-collection | Go | Iterations over an empty collection |
| nil-check-after-call | Go | Possible nil dereferences |
| questionable-assignment | Go | Possible unintentional assignment when an error occurs |
| nondeterministic-select | Go | Nondeterministic select logic |
| servercodec-readrequestbody-unhandled-nil | Go | Possible incorrect ServerCodec interface implementation |
| sleep-used-for-synchronizations | Go | Uses of time.Sleep for goroutine synchronization |
| string-to-int-signedness-cast | Go | Integer underflows |
| sync-mutex-value-copied | Go | Copying of sync.Mutex via value receivers |
| waitgroup-add-called-inside-goroutine | Go | Calls to sync.WaitGroup.Add inside anonymous goroutines |
| waitgroup-wait-inside-loop | Go | Calls to sync.WaitGroup.Wait inside a loop |
| racy-append-to-slice | Go | Concurrent calls to append from multiple goroutines |
| racy-write-to-map | Go | Concurrent writes to the same map from multiple goroutines |
| unchecked-type-assertion | Go | Unchecked type assertions |
| missing-unlock-before-return | Go | Missing mutex unlock before returning from a function; this can cause panics resulting from double lock operations |
| missing-runlock-on-rwmutex | Go | Missing RUnlock on an RWMutex lock before returning from a function |
| tarfile-extractall-traversal | Python | Potential path traversal in a call to extractall on a tarfile |
| panic-in-function-returning-result | Rust | Calls to unwrap or expect in a function returning a Result |
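As an added illustration of what several of the Go rules in the table look for (this is constructed example code, not part of the semgrep-rules repository or its test fixtures, and the function and type names are hypothetical), the block below places the flagged shape next to the shape that passes: an unchecked type assertion beside its comma-ok form (unchecked-type-assertion), a mutex held through an early return only because of defer (missing-unlock-before-return), a pointer receiver so the mutex is never copied (sync-mutex-value-copied) and map writes stay serialized (racy-write-to-map), and a WaitGroup whose Add runs in the parent before each goroutine starts, with a single Wait after the loop (waitgroup-add-called-inside-goroutine, waitgroup-wait-inside-loop).

```go
package main

import (
	"fmt"
	"sync"
)

// uncheckedLength is the shape unchecked-type-assertion flags: if v does not
// hold a string, the single-value assertion panics at runtime.
func uncheckedLength(v interface{}) int {
	s := v.(string)
	return len(s)
}

// checkedLength uses the comma-ok form, so a wrong dynamic type is reported
// to the caller instead of crashing the process.
func checkedLength(v interface{}) (int, bool) {
	s, ok := v.(string)
	if !ok {
		return 0, false
	}
	return len(s), true
}

// panics reports whether f panics; it is only here to demonstrate the
// failure mode of the unchecked form without killing the program.
func panics(f func()) (didPanic bool) {
	defer func() {
		if r := recover(); r != nil {
			didPanic = true
		}
	}()
	f()
	return false
}

// Registry is a mutex-protected map (hypothetical type). The pointer
// receivers matter: a value receiver would copy the Mutex, the copies would
// not exclude each other, and the map writes below would race.
type Registry struct {
	mu    sync.Mutex
	items map[string]int
}

func NewRegistry() *Registry {
	return &Registry{items: make(map[string]int)}
}

// Set releases the lock via defer, so the early return path cannot leave
// the mutex held (the bug missing-unlock-before-return looks for).
func (r *Registry) Set(k string, v int) {
	r.mu.Lock()
	defer r.mu.Unlock()
	if v < 0 {
		return // safe: the deferred Unlock still runs
	}
	r.items[k] = v
}

// Len reads the map size under the same lock.
func (r *Registry) Len() int {
	r.mu.Lock()
	defer r.mu.Unlock()
	return len(r.items)
}

// FillConcurrently writes n keys from n goroutines. wg.Add is called by the
// parent before each goroutine is started, not inside it, so Wait can never
// observe a zero counter while work is still pending; Wait is called once
// after the loop rather than inside it.
func FillConcurrently(r *Registry, n int) {
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			r.Set(fmt.Sprintf("key-%d", i), i)
		}(i)
	}
	wg.Wait()
}

func main() {
	fmt.Println(panics(func() { uncheckedLength(42) })) // true
	n, ok := checkedLength(42)
	fmt.Println(n, ok) // 0 false
	r := NewRegistry()
	FillConcurrently(r, 100)
	fmt.Println(r.Len()) // 100
}
```

Running the Go rules from this repository over the unchecked assertion above produces a finding, while the comma-ok and defer-based forms do not; running the block itself with `go run -race` is the quickest way to confirm that the mutex-guarded writes are free of data races.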