A few months ago, we launched Semgrep Pro Engine, which added cross-file analysis for Java and JavaScript to Semgrep Code. Since then, we’ve received overwhelmingly positive feedback from Pro Engine users, who want to find and fix more complex vulnerabilities across more languages. We are excited to announce that Semgrep Pro Engine now supports Go (Golang) for cross-file analysis.
Go is an increasingly popular programming language due to its speed and ease of use. However, like all languages, it is not immune to bugs and vulnerabilities. With this new addition, Semgrep continues to expand its language coverage and provide accurate, fast, and customizable code analysis tools for security engineers and developers.
We’re also adding 50+ new Go rules covering several popular Go frameworks, including Gin, gRPC, Gorilla, and plain ol’ net/http. We’ve also added new rules for hardcoded secrets to ensure none of those meddling kids’ secrets make their way into production. Here is an example of a new rule for command injection you can check out!
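As an added illustration (not the Semgrep rule itself, and not code from this post), here is a constructed Go net/http snippet with the kind of command-injection flow such a rule targets: the request data enters in one function and reaches exec.Command in another, as it would across files, next to a hardened form. The nslookup wrapper and function names are assumptions for the example.

```go
package main

import (
	"errors"
	"net/http"
	"os/exec"
	"regexp"
)

// Constructed allowlist: DNS-style labels only. Shell metacharacters, spaces and a
// leading '-' (argument injection) all fail to match.
var hostnameRe = regexp.MustCompile(`^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$`)

// unsafeLookupCmd stands in for a helper defined in a different file from the handler.
// The caller's string is spliced into a shell command line, so sh interprets any
// metacharacter in it; within this file alone there is no visible source.
func unsafeLookupCmd(host string) *exec.Cmd {
	return exec.Command("sh", "-c", "nslookup "+host) // vulnerable sink
}

// safeLookupCmd is the hardened form: input validated against the allowlist and
// passed as its own argv element, with no shell in between to reinterpret it.
func safeLookupCmd(host string) (*exec.Cmd, error) {
	if !hostnameRe.MatchString(host) {
		return nil, errors.New("invalid hostname")
	}
	return exec.Command("nslookup", host), nil
}

// lookupHandler is the taint source: the query parameter is attacker-controlled.
// Calling unsafeLookupCmd here instead is the source-in-one-file, sink-in-another
// flow that a cross-file command-injection rule should report.
func lookupHandler(w http.ResponseWriter, r *http.Request) {
	cmd, err := safeLookupCmd(r.URL.Query().Get("host"))
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	out, err := cmd.CombinedOutput()
	if err != nil {
		http.Error(w, "lookup failed", http.StatusInternalServerError)
		return
	}
	w.Write(out)
}

func main() {
	http.HandleFunc("/lookup", lookupHandler)
	http.ListenAndServe(":8080", nil)
}
```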
To get started with Semgrep Pro Engine’s new Go support:
In Semgrep Code, add a GitHub or GitLab project and have Semgrep scan your codebase whenever a pull request (PR) or a merge request (MR) is created! Make sure the default ruleset is on your Rule Board and you have the Pro Engine enabled in Settings (as shown below).
On the command line, upgrade to Semgrep v1.22.0 or higher and scan with: semgrep --pro p/default
We are committed to improving Semgrep's coverage and making it the Go-to code analysis tool across all programming languages.
What language would you like to see Semgrep Pro Engine support next? Join our Community Slack and let us know!
About
Semgrep lets security teams partner with developers and shift left organically, without introducing friction. Semgrep gives security teams confidence that they are only surfacing true, actionable issues to developers, and makes it easy for developers to fix these issues in their existing environments.