Rule syntax
Getting started with rule writing? Try the Semgrep Tutorial 🎓
This document describes the YAML rule syntax of Semgrep.
Schema
Required
All required fields must be present at the top level of a rule, immediately under the `rules` key.
Field | Type | Description |
---|---|---|
`id` | string | Unique, descriptive identifier, for example: `no-unused-variable` |
`message` | string | Message that includes why Semgrep matched this pattern and how to remediate it. See also Rule messages. |
`severity` | string | One of the following values: `INFO` (Low severity), `WARNING` (Medium severity), or `ERROR` (High severity). The `severity` key specifies how critical the issues that a rule potentially detects are. Note: Semgrep Supply Chain differs, as its rules use CVE assignments for severity. For more information, see the Filters section in the Semgrep Supply Chain documentation. |
`languages` | array | See language extensions and tags |
`pattern`\* | string | Find code matching this expression |
`patterns`\* | array | Logical AND of multiple patterns |
`pattern-either`\* | array | Logical OR of multiple patterns |
`pattern-regex`\* | string | Find code matching this PCRE2-compatible pattern in multiline mode |

\* Only one of the following is required: `pattern`, `patterns`, `pattern-either`, `pattern-regex`.
Language extensions and languages key values
The following table includes languages supported by Semgrep, accepted file extensions for test files that accompany rules, and valid values that Semgrep rules require in the `languages` key.
Language | Extensions | `languages` key values |
---|---|---|
Apex (only in Semgrep Pro Engine) | `.cls` | `apex` |
Bash | `.bash`, `.sh` | `bash`, `sh` |
C | `.c` | `c` |
Cairo | `.cairo` | `cairo` |
Clojure | `.clj`, `.cljs`, `.cljc`, `.edn` | `clojure` |
C++ | `.cc`, `.cpp` | `cpp`, `c++` |
C# | `.cs` | `csharp`, `c#` |
Dart | `.dart` | `dart` |
Dockerfile | `.dockerfile`, `.Dockerfile` | `dockerfile`, `docker` |
Elixir | `.ex`, `.exs` | `ex`, `elixir` |
Generic | | `generic` |
Go | `.go` | `go`, `golang` |
HTML | `.htm`, `.html` | `html` |
Java | `.java` | `java` |
JavaScript | `.js`, `.jsx` | `js`, `javascript` |
JSON | `.json`, `.ipynb` | `json` |
Jsonnet | `.jsonnet`, `.libsonnet` | `jsonnet` |
JSX | `.js`, `.jsx` | `js`, `javascript` |
Julia | `.jl` | `julia` |
Kotlin | `.kt`, `.kts`, `.ktm` | `kt`, `kotlin` |
Lisp | `.lisp`, `.cl`, `.el` | `lisp` |
Lua | `.lua` | `lua` |
OCaml | `.ml`, `.mli` | `ocaml` |
PHP | `.php`, `.tpl` | `php` |
Python | `.py`, `.pyi` | `python`, `python2`, `python3`, `py` |
R | `.r`, `.R` | `r` |
Ruby | `.rb` | `ruby` |
Rust | `.rs` | `rust` |
Scala | `.scala` | `scala` |
Scheme | `.scm`, `.ss` | `scheme` |
Solidity | `.sol` | `solidity`, `sol` |
Swift | `.swift` | `swift` |
Terraform | `.tf`, `.hcl` | `tf`, `hcl`, `terraform` |
TypeScript | `.ts`, `.tsx` | `ts`, `typescript` |
YAML | `.yml`, `.yaml` | `yaml` |
XML | `.xml` | `xml` |
To see the maturity level of each supported language, see the following sections in the Supported languages document:
- Semgrep OSS Engine
- Semgrep Pro Engine
Optional
Field | Type | Description |
---|---|---|
`options` | object | Options object to enable/disable certain matching features |
`fix` | object | Simple search-and-replace autofix functionality |
`metadata` | object | Arbitrary user-provided data; attach data to rules without affecting Semgrep behavior |
`min-version` | string | Minimum Semgrep version compatible with this rule |
`max-version` | string | Maximum Semgrep version compatible with this rule |
`paths` | object | Paths to include or exclude when running this rule |
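A complete rule file that exercises the required keys (`id`, `message`, `severity`, `languages`, and exactly one of the pattern keys) together with the optional `fix`, `metadata`, `paths` and `min-version` keys, as an added example that is not taken from the Semgrep documentation. The rule ids, matched code, metadata values, include/exclude paths and version floor are constructed for illustration.

```yaml
# Example Semgrep rule file, added here for illustration (not from the Semgrep docs).
# Rule ids, patterns, metadata values, paths and the version floor are constructed.
rules:
  # Rule 1: the required keys plus the optional fix and metadata keys.
  - id: weak-hash-algorithm                # unique, descriptive identifier
    message: >-
      MD5 and SHA-1 are not collision resistant. Use hashlib.sha256, or pass
      usedforsecurity=False when the digest is only an integrity checksum.
    severity: ERROR                         # INFO, WARNING or ERROR
    languages: [python, py]                 # any key values from the languages table
    # Exactly one of pattern / patterns / pattern-either / pattern-regex goes here.
    # pattern-either is a logical OR: the rule fires when any child matches.
    pattern-either:
      - pattern: hashlib.md5($DATA)
      - pattern: hashlib.sha1($DATA)
    # Autofix: metavariables bound by the match are substituted into the text.
    fix: hashlib.sha256($DATA)
    metadata:                               # arbitrary data; never affects matching
      category: security
      cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      confidence: HIGH

  # Rule 2: a regex rule in generic mode, narrowed with paths and a version floor.
  - id: plaintext-password-in-config
    message: Credential assigned in a config file; load it from a secrets store instead.
    severity: WARNING
    languages: [generic]                    # regex rules need no language parser
    # PCRE2 syntax in multiline mode, so ^ anchors at every line start.
    # '' is YAML's escape for a single quote inside a single-quoted scalar.
    pattern-regex: '(?i)^\s*password\s*=\s*["''][^"'']+["'']'
    paths:
      include: ["*.ini", "*.cfg"]
      exclude: ["tests/"]
    min-version: "1.0.0"                    # older Semgrep CLIs skip this rule
```

Save the file as `rules.yaml` and run `semgrep --config rules.yaml .` to apply both rules; `--autofix` applies the `fix` text of rule 1 in place.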