Opengrep: Static Code Analysis for Security Vulnerabilities

Summary
Opengrep is an open-source static code analysis engine, forked from Semgrep, designed to identify security issues in code rapidly. It offers powerful semantic grep capabilities across over 30 programming languages, making secure software development more accessible and vendor-neutral. Driven by a collective of AppSec organizations, Opengrep is committed to advancing SAST and keeping it open for the long term.
Introduction
Opengrep is an ultra-fast static code analysis engine designed to help developers and organizations find and fix security issues in their code efficiently. As a fork of Semgrep, licensed under LGPL 2.1, Opengrep aims to make secure software development a shared standard by providing open and advanced static analysis capabilities.
Initiated by a collective of AppSec organizations, Opengrep is committed to making SAST (Static Application Security Testing) widely accessible, advancing its engine with impactful new features, and ensuring it remains open and vendor-neutral for the long term. It supports over 30 programming languages, offering powerful semantic grep for intuitive pattern matching and customizable rules.
Installation
Opengrep provides a straightforward installation process. The recommended method is using the official install script:
curl -fsSL https://raw.githubusercontent.com/opengrep/opengrep/main/install.sh | bash
If you have cloned the repository, you can run the install.sh script from the root directory:
./install.sh
Alternatively, binaries are available for manual installation on the Opengrep release page.
Examples
Getting started with Opengrep involves defining rules and scanning your code. Here's a quick example demonstrating how to detect a call to unwrap() in Rust, which is a potential panic risk.
First, create a rule file named rules/demo-rust-unwrap.yaml:
rules:
  - id: unwrapped-result
    pattern: $VAR.unwrap()
    message: "Unwrap detected - potential panic risk"
    languages: [rust]
    severity: WARNING
Next, create a Rust code file named code/rust/main.rs that contains the risky unwrap:
fn divide(a: i32, b: i32) -> Result<i32, String> {
    if b == 0 {
        return Err("Division by zero".to_string());
    }
    Ok(a / b)
}

fn main() {
    let result = divide(10, 0).unwrap(); // Risky unwrap!
    println!("Result: {}", result);
}
Ensure your directory structure looks like this:
.
├── code
│   └── rust
│       └── main.rs
└── rules
    └── demo-rust-unwrap.yaml
Now, run Opengrep to scan your code:
$ opengrep scan -f rules code/rust
┌──────────────┐
│ Opengrep CLI │
└──────────────┘
Scanning 1 file (only git-tracked) with 1 Code rule:

  CODE RULES
  Scanning 1 file.

  PROGRESS
  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00

┌────────────────┐
│ 1 Code Finding │
└────────────────┘

    code/rust/main.rs
       ❯❱ rules.unwrapped-result
          Unwrap detected - potential panic risk

            9┆ let result = divide(10, 0).unwrap(); // Risky unwrap!

┌──────────────┐
│ Scan Summary │
└──────────────┘
Ran 1 rule on 1 file: 1 finding.
Opengrep successfully identified the potential issue. You can also obtain SARIF output for integration with other tools:
$ opengrep scan --sarif-output=sarif.json -f rules code
...
$ cat sarif.json | jq
{
  "version": "2.1.0",
  "runs": [
    {
      "invocations": [
        {
          "executionSuccessful": true,
          "toolExecutionNotifications": []
        }
      ],
      "results": [
        {
          "fingerprints": {
            "matchBasedId/v1": "a0ff5ed82149206a74ee7146b075c8cb9e79c4baf86ff4f8f1c21abea6ced504e3d33bb15a7e7dfa979230256603a379edee524cf6a5fd000bc0ab29043721d8_0"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "code/rust/main.rs",
                  "uriBaseId": "%SRCROOT%"
                },
                "region": {
                  "endColumn": 40,
                  "endLine": 9,
                  "snippet": {
                    "text": "    let result = divide(10, 0).unwrap(); // Risky unwrap!"
                  },
                  "startColumn": 18,
                  "startLine": 9
                }
              }
            }
          ],
          "message": {
            "text": "Unwrap detected - potential panic risk"
          },
          "properties": {},
          "ruleId": "rules.unwrapped-result"
        }
      ],
      "tool": {
        "driver": {
          "name": "Opengrep OSS",
          "rules": [
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Unwrap detected - potential panic risk"
              },
              "help": {
                "markdown": "Unwrap detected - potential panic risk",
                "text": "Unwrap detected - potential panic risk"
              },
              "id": "rules.unwrapped-result",
              "name": "rules.unwrapped-result",
              "properties": {
                "precision": "very-high",
                "tags": []
              },
              "shortDescription": {
                "text": "Opengrep Finding: rules.unwrapped-result"
              }
            }
          ],
          "semanticVersion": "1.100.0"
        }
      }
    }
  ],
  "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json"
}
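The SARIF report is the artifact a pipeline actually consumes, so it is worth seeing how little code it takes to turn it into a CI decision. The script below is an added example, not part of Opengrep or of this page: it flattens a SARIF 2.1.0 report into one finding per result location, resolves each finding's level from the result itself or the rule's defaultConfiguration (falling back to the SARIF default of "warning"), prints grep-style lines, and fails the job when a finding reaches a chosen level. The embedded report is a constructed sample modelled on the sarif.json above; the second rule id, rules.hypothetical-hardcoded-secret, is invented for the demonstration, as is the third result, which deliberately has no location to show that the parser tolerates it.

```python
import json
from collections import Counter

# Constructed sample report (not real scanner output): the SARIF 2.1.0 shape
# Opengrep writes, trimmed to the fields this parser uses. The second rule id is
# hypothetical and carries level "error" so the CI gate has something to fail on.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "results": [
            {
                "ruleId": "rules.unwrapped-result",
                "message": {"text": "Unwrap detected - potential panic risk"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "code/rust/main.rs"},
                    "region": {"startLine": 9, "startColumn": 18},
                }}],
            },
            {
                "ruleId": "rules.hypothetical-hardcoded-secret",  # hypothetical rule id
                "message": {"text": "Hard-coded credential"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "code/rust/config.rs"},
                    "region": {"startLine": 3, "startColumn": 1},
                }}],
            },
            {
                # SARIF allows a result with no locations; the parser must not crash.
                "ruleId": "rules.hypothetical-hardcoded-secret",
                "message": {"text": "Hard-coded credential"},
            },
        ],
        "tool": {"driver": {"name": "Opengrep OSS", "rules": [
            {"id": "rules.unwrapped-result",
             "defaultConfiguration": {"level": "warning"}},
            {"id": "rules.hypothetical-hardcoded-secret",
             "defaultConfiguration": {"level": "error"}},
        ]}},
    }],
})


def load_findings(sarif_text):
    """Flatten a SARIF document into one dict per (result, location) pair.

    The level comes from the result's own "level" when present, otherwise from
    the rule's defaultConfiguration; SARIF's default when neither says anything
    is "warning".
    """
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        rule_levels = {
            r["id"]: r.get("defaultConfiguration", {}).get("level", "warning")
            for r in rules
        }
        for res in run.get("results", []):
            rule_id = res.get("ruleId", "<unknown-rule>")
            level = res.get("level") or rule_levels.get(rule_id, "warning")
            # A result with no locations still yields one finding entry.
            for loc in res.get("locations") or [{}]:
                phys = loc.get("physicalLocation", {})
                findings.append({
                    "rule_id": rule_id,
                    "level": level,
                    "uri": phys.get("artifactLocation", {}).get("uri", "<no-file>"),
                    "line": phys.get("region", {}).get("startLine"),
                    "message": res.get("message", {}).get("text", ""),
                })
    return findings


def count_by_level(findings):
    """Number of findings per SARIF level, e.g. {'warning': 1, 'error': 2}."""
    return Counter(f["level"] for f in findings)


def format_finding(f):
    """One grep-style line per finding, handy for CI logs and review bots."""
    line = f["line"] if f["line"] is not None else "?"
    return f'{f["uri"]}:{line}: [{f["level"]}] {f["rule_id"]}: {f["message"]}'


def should_fail(findings, fail_on=("error",)):
    """CI gate: True when any finding has a level listed in fail_on."""
    return any(f["level"] in fail_on for f in findings)


if __name__ == "__main__":
    import sys
    # Read a real sarif.json from argv[1] if given, else use the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    findings = load_findings(text)
    for f in findings:
        print(format_finding(f))
    print("totals:", dict(count_by_level(findings)))
    sys.exit(1 if should_fail(findings) else 0)
```

Run it as `python sarif_gate.py sarif.json` after the scan above; with the page's single warning-level finding the exit status is 0, and it becomes 1 only when a rule configured at severity ERROR (or whatever you pass as fail_on) fires. Keying the gate on the rule's configured level rather than on the raw finding count is what lets a team keep advisory rules such as the unwrap check visible without blocking merges.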
Why Use Opengrep?
Opengrep stands out as a powerful tool for several reasons:
- Open and Vendor-Neutral: It is an open-source project driven by a community of AppSec organizations, ensuring its long-term accessibility and neutrality.
- Fast and Powerful Analysis: Leveraging semantic grep, it provides ultra-fast scanning of large codebases with intuitive pattern matching.
- Comprehensive Language Support: With support for over 30 languages, Opengrep can be integrated into diverse development environments.
- Focus on Security: It is specifically designed to find and help fix security vulnerabilities, enabling developers to ship more secure code.
- Customizable Rules: Users can define their own rules to tailor the analysis to specific project needs and security policies.
Links
- GitHub Repository: https://github.com/opengrep/opengrep
- Opengrep Manifesto: https://opengrep.dev/
- Contributing Guide: https://github.com/opengrep/opengrep/blob/main/CONTRIBUTING.md
- License (LGPL-2.1): https://github.com/opengrep/opengrep/blob/main/LICENSE