Yaml

Semgrep

slow-pattern-top-ellipsis

Using the ellipsis operator ... at the top of the pattern drastically slows down the rule performance.

multi-line-message

This rule has a multi-line message field, which may display poorly in a terminal. Consider ensuring it is on one line. For example, use message: >-, not message: |.

metadata-owasp

The owasp tag in Semgrep rule metadata should start with the format “A00:YYYY”, where A00 is the OWASP top ten number and YYYY is the OWASP top ten year.

metadata-references

The references in rule metadata should always be a list, even if there’s only one.

metadata-category

This Semgrep rule is missing a valid ‘category’ field in the ‘metadata’. ‘category’ must be one of ‘security’, ‘correctness’, ‘best-practice’, ‘performance’, ‘maintainability’, or ‘portability’.

metadata-confidence-incorrect-value

Semgrep rule confidence: $VALUE detected, but the value must be LOW, MEDIUM, or HIGH. For more information visit: https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/

duplicate-pattern

Two identical pattern clauses were detected. This will cause Semgrep to run the same pattern twice. Remove one of the duplicate pattern clauses.

duplicate-id

The ‘id’ field $X was used multiple times. The ‘id’ field needs to be unique.

metadata-likelihood-incorrect-value

Semgrep rule likelihood: $VALUE detected, but the value must be LOW, MEDIUM, or HIGH. For more information visit: https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/

yaml-key-indentation-check

It looks like you have a YAML indentation issue — instead of writing $KEY, put a space between the hyphen and what comes after! Otherwise, it reads as a single string.

metadata-technology

This Semgrep rule is missing a ‘technology’ field in the ‘metadata’. Consider adding a list of technologies based on the rule’s associated library or framework, or another piece of relevant information.

metadata-subcategory

This Semgrep rule is missing a valid ‘subcategory’ field in the ‘metadata’, which should be either audit, vuln, or guardrail. For more information visit https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/

metadata-cwe

$...CWE The cwe tag in rule metadata should always be in the format “CWE-000: Title”.

metadata-subcategory-incorrect-value

Semgrep rule likelihood: $VALUE detected, but the value must be vuln, audit, or guardrail. For more information visit: https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/

metadata-impact-incorrect-value

Semgrep rule impact: $VALUE detected, but the value must be LOW, MEDIUM, or HIGH. For more information visit: https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/

metadata-likelihood

This Semgrep rule is missing a valid ‘likelihood’ field in the ‘metadata’, which should be either LOW, MEDIUM, or HIGH. For more information visit https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/

interfile-true-under-metadata-and-no-options

interfile: true should be under the options field, not the metadata field.

slow-pattern-general-func

Using patterns like function (...) {...} is too general; it will probably slow down the rule performance.

missing-language-field

Please include a ‘languages’ field for your rule $RULEID!

unnecessary-parent-operator

Unnecessary parent operator. Remove one to fix.

message-whitespace-check

It looks like you have an additional space in your rule message. This can look awkward in the finding output; please remove the additional whitespace!

metadata-impact

This Semgrep rule is missing a valid ‘impact’ field in the ‘metadata’, which should be either LOW, MEDIUM, or HIGH. For more information visit https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/

missing-message-field

This rule does not have a message. Semgrep requires that rules have a message. Include a message to explain what the rule does. Consider writing a message that explains why this is an issue and how to fix it.

metadata-confidence

This Semgrep rule is missing a valid ‘confidence’ field in the ‘metadata’, which should be either LOW, MEDIUM, or HIGH. For more information visit https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/

metadata-incorrect-option

It looks like $KEY is not in the default list of expected options. If this is a new key, update this rule.

empty-message

This rule has an empty message field. Consider adding a message field that communicates why this rule is an issue and how to fix it. This will increase the chance that the finding gets addressed.

slow-pattern-single-metavariable

Using a single metavariable as a pattern drastically slows down the rule performance because it will match every expression in a file. Instead, try to match something specific such as a function name, or anchor on a statement that may occur above or below the pattern. The more specific you can be, the faster the pattern will run.

missing-deconstructed-value

Looks like this value is deconstructing a const/var/let. You need to use all three (const {...} =, var {...} = and let {...} =) to provide accurate coverage. Consider adding the missing patterns in a pattern-inside for better coverage.

unsatisfiable-rule

You can not use ‘pattern’ $A and ‘pattern-not’ $A together; this will always be empty.

interfile-true-under-metadata-and-options-already-present

interfile: true should be under the options field, not the metadata field.

slow-pattern-general-property

Using patterns like $X.$Y may be too general and may slow down the rule performance.

metadata-deepsemgrep

We no longer support deepsemgrep: true; please use interfile: true.