This repository contains Semgrep rules developed by Trail of Bits and made available to the public. They are part of our ongoing development efforts and are used in our security audits, vulnerability research, and internal projects. They will evolve over time as we identify new techniques.
The easiest way to run the rules is to run them from the Semgrep registry. To do so, navigate to the root folder of your project and run the following:
$ semgrep --config "p/trailofbits"
Alternatively, you can clone this repository, navigate to the root folder of your project, and run individual rules using the command below:
$ semgrep --config /path/to/semgrep-rules/semgreprule.yml
To run all rules from the cloned repository:
$ semgrep --config /path/to/semgrep-rules/ .
Semgrep will run against all supported code files except for those in your `.gitignore` file. If you want to run the rules against all files and directories, including those in your `.gitignore`, add the `--no-git-ignore` flag.
$ semgrep --config /path/to/semgrep-rules/ . --no-git-ignore
You can also tell Semgrep to ignore files and directories that match any pattern. For instance, if you want to tell Semgrep to ignore all Go test files you can run the following:
$ semgrep --config /path/to/semgrep-rules/ . --exclude='*_test.go'
Use `-o` to output results to a file:
$ semgrep --config /path/to/semgrep-rules/hanging-goroutine.yml -o leaks.txt
Rule ID | Language | What it Finds |
---|---|---|
anonymous-race-condition | Go | Race conditions within anonymous goroutines |
hanging-goroutine | Go | Goroutine leaks |
iterate-over-empty-collection | Go | Iterations over empty collection |
nil-check-after-call | Go | Possible nil dereferences |
invalid-usage-of-modified-variable | Go | Possible unintentional assignment when an error occurs |
servercodec-readrequestbody-unhandled-nil | Go | Possible incorrect ServerCodec interface implementation |
string-to-int-signedness-cast | Go | Integer underflows |
sync-mutex-value-copied | Go | Copying of sync.Mutex via value receivers |
waitgroup-add-called-inside-goroutine | Go | Calls to sync.WaitGroup.Add inside of anonymous goroutines |
waitgroup-wait-inside-loop | Go | Calls to sync.WaitGroup.Wait inside a loop |
racy-append-to-slice | Go | Concurrent calls to append from multiple goroutines |
racy-write-to-map | Go | Concurrent writes to the same map in multiple goroutines |
missing-unlock-before-return | Go | Missing mutex unlock before returning from a function. This could cause panics resulting from double lock operations |
missing-runlock-on-rwmutex | Go | Missing RUnlock on an RWMutex lock before returning from a function. |
tarfile-extractall-traversal | Python | Potential path traversal in call to extractall for a tarfile |
automatic-memory-pinning | Python | Memory is not automatically pinned |
lxml-in-pandas | Python | Potential XXE attacks from loading lxml in pandas |
numpy-in-pytorch-modules | Python | Uses NumPy functions inside PyTorch modules |
numpy-in-torch-datasets | Python | Calls to the NumPy RNG inside of a Torch dataset |
pickles-in-numpy | Python | Potential arbitrary code execution from NumPy functions reliant on pickling |
pickles-in-pandas | Python | Potential arbitrary code execution from Pandas functions reliant on pickling |
pickles-in-pytorch | Python | Potential arbitrary code execution from PyTorch functions reliant on pickling |
pickles-in-torch-distributed | Python | Potential arbitrary code execution from PyTorch Distributed functions reliant on pickling |
torch-package | Python | Potential arbitrary code execution from torch.package |
torch-tensor | Python | Possible parsing issues and inefficiency from improper tensor creation |
waiting-with-torch-distributed | Python | Possible undefined behavior when not waiting for requests |
panic-in-function-returning-result | Rust | Calling unwrap or expect in a function returning a Result |
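As an added example that is not part of this repository, the script below shows the bug class behind the `tarfile-extractall-traversal` rule: `extractall` trusting member names taken from the archive, next to a hardened extraction that validates every member (including symlink and hard-link targets) before anything is written. The archives are constructed in memory for the demonstration; `build_archive`, `offending_members`, `safe_extract` and `demo` are names chosen here, not helpers from the rules or from the Python standard library.

```python
"""Added example (not from the semgrep-rules repository): the bug class behind
the tarfile-extractall-traversal rule, with a member check that rejects it.
The archives are constructed in memory; nothing is downloaded or trusted."""
import io
import os
import tarfile
import tempfile


def build_archive(entries) -> bytes:
    """Construct an in-memory tar from (name, payload) pairs (sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in entries:
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed sample: one benign member and one whose name climbs out of dest.
TRAVERSAL_ARCHIVE = build_archive([("docs/readme.txt", b"hello\n"),
                                   ("../outside.txt", b"escaped\n")])
BENIGN_ARCHIVE = build_archive([("docs/readme.txt", b"hello\n")])


def is_within_directory(directory: str, target: str) -> bool:
    """True if the resolved target stays inside the resolved directory."""
    abs_directory = os.path.realpath(directory)
    abs_target = os.path.realpath(target)
    return os.path.commonpath([abs_directory, abs_target]) == abs_directory


def unsafe_extract(archive: bytes, dest: str) -> None:
    """The pattern the rule flags: member names from the archive are trusted.
    Defined for comparison only; demo() never calls it."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        tar.extractall(dest)


def offending_members(archive: bytes, dest: str) -> list:
    """Names of members that would land outside dest (nothing is extracted)."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            target = os.path.join(dest, member.name)
            if not is_within_directory(dest, target):
                bad.append(member.name)
                continue
            if member.issym():  # symlink target is relative to the member's dir
                link = os.path.join(os.path.dirname(target), member.linkname)
            elif member.islnk():  # hard link target is relative to archive root
                link = os.path.join(dest, member.linkname)
            else:
                continue
            if not is_within_directory(dest, link):
                bad.append(member.name)
    return bad


def safe_extract(archive: bytes, dest: str) -> list:
    """Hardened form: validate every member first, then extract."""
    bad = offending_members(archive, dest)
    if bad:
        raise ValueError(f"archive members escape {dest!r}: {bad}")
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        members = tar.getmembers()
        tar.extractall(dest, members=members)
        return [m.name for m in members]


def demo() -> dict:
    """Run the check against both constructed archives in a scratch directory."""
    dest = tempfile.mkdtemp(prefix="tar-demo-")
    result = {"flagged": offending_members(TRAVERSAL_ARCHIVE, dest)}
    try:
        safe_extract(TRAVERSAL_ARCHIVE, dest)
        result["traversal"] = "extracted"
    except ValueError:
        result["traversal"] = "rejected"  # nothing was written to dest
    result["benign"] = safe_extract(BENIGN_ARCHIVE, dest)
    result["on_disk"] = os.path.exists(os.path.join(dest, "docs", "readme.txt"))
    return result


if __name__ == "__main__":
    print(demo())
```

The check runs over the whole member list before `extractall` is called, so a single bad entry rejects the archive rather than leaving a partially written tree. On Python 3.12 and later (and the point releases that backported it), `extractall` also accepts `filter="data"`, which refuses members that escape the destination; the explicit check above is what to reach for on older interpreters or when the policy needs to be auditable in one place.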