Semgrep
Using the ellipsis operator ‘...’ at the top of the pattern drastically slows down the rule performance.
This rule has a multi-line message field, which may display poorly in a terminal. Consider ensuring it is on one line. For example, use ‘message: >-’, not ‘message: |’.
The ‘owasp’ tag in Semgrep rule metadata should start with the format “A00:YYYY”, where A00 is the OWASP Top Ten number and YYYY is the OWASP Top Ten year.
The references in rule metadata should always be a list, even if there’s only one.
This Semgrep rule is missing a valid ‘category’ field in the ‘metadata’. ‘category’ must be one of ‘security’, ‘correctness’, ‘best-practice’, ‘performance’, ‘maintainability’, or ‘portability’.
Semgrep rule confidence: $VALUE detected, but the value must be LOW, MEDIUM, or HIGH. For more information visit: https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/
Two identical pattern clauses were detected. This will cause Semgrep to run the same pattern twice. Remove one of the duplicate pattern clauses.
The ‘id’ field $X was used multiple times. The ‘id’ field needs to be unique.
Semgrep rule likelihood: $VALUE detected, but the value must be LOW, MEDIUM, or HIGH. For more information visit: https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/
It looks like you have a YAML indentation issue: instead of writing $KEY, put a space between the hyphen and what comes after! Otherwise, it reads as a single string.
This Semgrep rule is missing a ‘technology’ field in the ‘metadata’. Consider adding a list of technologies based on the rule’s associated library or framework, or another piece of relevant information.
This Semgrep rule is missing a valid ‘subcategory’ field in the ‘metadata’, which should be one of vuln, audit, or guardrail. For more information visit https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/
The ‘cwe’ tag in rule metadata should always be in the format “CWE-000: Title”.
Semgrep rule subcategory: $VALUE detected, but the value must be vuln, audit, or guardrail. For more information visit: https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/
Semgrep rule impact: $VALUE detected, but the value must be LOW, MEDIUM, or HIGH. For more information visit: https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/
This Semgrep rule is missing a valid ‘likelihood’ field in the ‘metadata’, which should be one of LOW, MEDIUM, or HIGH. For more information visit https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/
‘interfile: true’ should be under the ‘options’ field, not the ‘metadata’ field.
Using patterns like ‘function (...) {...}’ is too general and will probably slow down the rule performance.
Please include a ‘languages’ field for your rule $RULEID!
Unnecessary parent operator. Remove one to fix.
It looks like you have an additional space in your rule message; this can look awkward in the finding output. Please remove the additional whitespace!
This Semgrep rule is missing a valid ‘impact’ field in the ‘metadata’, which should be one of LOW, MEDIUM, or HIGH. For more information visit https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/
This rule does not have a message. Semgrep requires that rules have a message. Include a message to explain what the rule does. Consider writing a message that explains why this is an issue and how to fix it.
This Semgrep rule is missing a valid ‘confidence’ field in the ‘metadata’, which should be one of LOW, MEDIUM, or HIGH. For more information visit https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/
It looks like $KEY is not in the default list of expected options; if this is a new key, update this rule.
This rule has an empty message field. Consider adding a message field that communicates why this rule is an issue and how to fix it. This will increase the chance that the finding gets addressed.
Using a single metavariable as a pattern drastically slows down the rule performance because it will match every expression in a file. Instead, try to match something specific such as a function name, or anchor on a statement that may occur above or below the pattern. The more specific you can be, the faster the pattern will run.
Looks like this pattern destructures a const/var/let declaration but only matches one of the three forms. To provide accurate coverage you need to match all three: ‘const {...} =’, ‘var {...} =’ and ‘let {...} =’. Consider adding the missing patterns in a ‘pattern-inside’ for better coverage.
You can not use ‘pattern: $A’ and ‘pattern-not: $A’ together; this will always be empty.
Using patterns like ‘$X.$Y’ may be too general and may slow down the rule performance.
We no longer support ‘deepsemgrep: true’; please use ‘interfile: true’ instead.
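As an added worked example (not code from this page, from CodeAnt, or from the Semgrep project), the following Python script implements a subset of the metadata, message, options and pattern checks listed above as a small stand-alone linter and runs it over two constructed rules: one that trips most of the checks and one that passes all of them. It assumes the rules have already been loaded from YAML into plain dicts (what ‘yaml.safe_load’ would return); YAML parsing is left out so the script has no dependencies. The finding names, the ‘KNOWN_OPTIONS’ set, the sample rules and the ‘BAD_YAML’ snippet are all assumptions constructed for this demo, and the single raw-text check (‘yaml_hyphen_issues’) covers the ‘-$KEY’ indentation problem that a parsed dict can no longer show.

```python
"""Stand-alone linter for a subset of the Semgrep rule-hygiene checks listed above.
Rules are plain dicts shaped like a YAML loader's output; all samples below are constructed for this demo."""
import re

LEVELS = {"LOW", "MEDIUM", "HIGH"}
CATEGORIES = {"security", "correctness", "best-practice", "performance", "maintainability", "portability"}
SUBCATEGORIES = {"vuln", "audit", "guardrail"}
KNOWN_OPTIONS = {"interfile", "symbolic_propagation", "constant_propagation"}  # assumed subset of real options
OWASP_RE = re.compile(r"^A\d{2}:\d{4}")  # e.g. "A03:2021 - Injection"
CWE_RE = re.compile(r"^CWE-\d+: .+")      # e.g. "CWE-079: Title"
METAVAR = r"\$[A-Z_][A-Z0-9_]*"
LEAF_KEYS = ("pattern", "pattern-not", "pattern-inside", "pattern-not-inside")
PATTERN_SMELLS = (  # pattern shapes the checks above call out as slow or too general
    ("single-metavariable-pattern", METAVAR),
    ("too-general-field-access", METAVAR + r"\." + METAVAR),
    ("leading-ellipsis", r"\.\.\..*"),
)

_as_list = lambda v: v if isinstance(v, list) else [v]  # metadata tags may be a scalar or a list

def _leaves(node, out):  # (operator, pattern text) for every leaf of a rule's pattern tree
    if isinstance(node, dict):
        for key, value in node.items():
            if key in LEAF_KEYS and isinstance(value, str):
                out.append((key, value.strip()))
            elif key in ("patterns", "pattern-either") and isinstance(value, list):
                for child in value:
                    _leaves(child, out)
    return out

def lint_rule(rule):  # finding names for one rule; an empty list means it is clean
    md, opts = rule.get("metadata") or {}, rule.get("options") or {}
    found = [name for name, bad in (
        ("missing-languages", "languages" not in rule),
        ("invalid-category", md.get("category") not in CATEGORIES),
        ("invalid-subcategory", not set(_as_list(md.get("subcategory"))) <= SUBCATEGORIES),
        ("missing-technology", not md.get("technology")),
        ("references-not-a-list", not isinstance(md.get("references"), list)),
        ("interfile-in-metadata", "interfile" in md),  # belongs under options, not metadata
        ("deepsemgrep-deprecated", "deepsemgrep" in opts),
    ) if bad]
    found += [f"invalid-{f}" for f in ("likelihood", "impact", "confidence") if md.get(f) not in LEVELS]
    found += [f"bad-{tag}-format" for tag, rx in (("owasp", OWASP_RE), ("cwe", CWE_RE))
              if tag in md and not all(rx.match(str(v)) for v in _as_list(md[tag]))]
    found += [f"unknown-option:{k}" for k in opts if k not in KNOWN_OPTIONS | {"deepsemgrep"}]
    msg = rule.get("message")
    if msg is None:
        found.append("missing-message")
    elif not msg.strip():
        found.append("empty-message")
    else:  # 'message: |' keeps newlines that 'message: >-' would fold away
        found += [n for n, bad in (("multiline-message", "\n" in msg),
                                   ("message-extra-whitespace", "  " in msg)) if bad]
    leaves = _leaves(rule, [])
    positives = [t for op, t in leaves if op == "pattern"]
    if len(positives) != len(set(positives)):
        found.append("duplicate-pattern")
    if set(positives) & {t for op, t in leaves if op == "pattern-not"}:
        found.append("pattern-and-pattern-not-identical")  # pattern X minus pattern-not X is empty
    for _, text in leaves:
        found += [n for n, rx in PATTERN_SMELLS if re.fullmatch(rx, text, re.S)][:1]  # first matching smell
    return found

def lint_rules(rules):  # whole rules file -> '<id>: <finding>' lines, including duplicate ids
    report, seen = [], set()
    for rule in rules:
        rid = rule.get("id", "<no-id>")
        if rid in seen:
            report.append(f"{rid}: duplicate-id")
        seen.add(rid)
        report.extend(f"{rid}: {f}" for f in lint_rule(rule))
    return report

def yaml_hyphen_issues(text):  # 1-based lines where a list hyphen is glued to its item, e.g. '-pattern: x'
    return [n for n, line in enumerate(text.splitlines(), 1) if re.match(r"^\s*-[A-Za-z$]", line)]

# Constructed samples: one rule that trips most checks and one that passes all of them.
BAD_RULE = {
    "id": "example-innerhtml", "severity": "WARNING",
    "message": "Possible XSS\nvia innerHTML  assignment",
    "metadata": {"category": "sec", "subcategory": "vulnerability", "likelihood": "Medium",
                 "owasp": "2021-A03", "cwe": "79", "references": "https://example.invalid/xss",
                 "interfile": True},
    "options": {"deepsemgrep": True, "fast": True},
    "patterns": [{"pattern": "$EL.innerHTML = $DATA"}, {"pattern": "$EL.innerHTML = $DATA"},
                 {"pattern-not": "$EL.innerHTML = $DATA"}, {"pattern-inside": "$X.$Y"},
                 {"pattern-inside": "...\n$EL.innerHTML = $DATA"}, {"pattern-not-inside": "$Y"}],
}
GOOD_RULE = {
    "id": "example-innerhtml", "severity": "WARNING", "languages": ["javascript", "typescript"],
    "message": "Assigning untrusted data to innerHTML can lead to XSS. Use textContent or sanitize first.",
    "metadata": {"category": "security", "subcategory": "vuln", "likelihood": "MEDIUM", "impact": "MEDIUM",
                 "confidence": "LOW", "technology": ["browser"], "owasp": ["A03:2021 - Injection"],
                 "cwe": ["CWE-079: Improper Neutralization of Input During Web Page Generation ('XSS')"],
                 "references": ["https://owasp.org/www-community/attacks/xss/"]},
    "options": {"interfile": True},
    "patterns": [{"pattern": "$EL.innerHTML = $DATA"}, {"pattern-not": "$EL.innerHTML = \"...\""}],
}
BAD_YAML = "rules:\n  - id: example\n    patterns:\n      -pattern: foo()\n      - pattern-not: bar()\n"

if __name__ == "__main__":
    print("\n".join(lint_rules([BAD_RULE, GOOD_RULE])))  # same id twice -> duplicate-id on the second
    print("glued hyphens on lines:", yaml_hyphen_issues(BAD_YAML))
```

The pattern-level checks only look at the leaf strings, so ‘pattern: $A’ next to ‘pattern-not: $A’ is reported whenever the two texts are identical anywhere in the rule; the real Semgrep checks scope this to the same ‘patterns’ block, which is the first refinement to make if you extend the script.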