Knowing what software you’re running and what it does is essential to the software and security engineering process. A set of purpose-built static analysis rules can improve that visibility.
The CodeRecon Semgrep/Opengrep rule set analyzes your codebase and provides reports highlighting the functionality detected and its location in the code.
The current rule set is focused on JavaScript/TypeScript and detects the use of functionality such as:
- Networks
- Databases
- File Systems
- Command Lines
- Cryptography
- Authentication
- Authorization
- Web Frameworks
- AI
Support for additional languages and functionality types is in development.
- Identifies common areas in high-risk projects that could benefit from secure-by-design / secure-by-default libraries. Rules can be extended to enforce the use of approved APIs and block the use of dangerous ones.
- Augments existing efforts by revealing the attack surface of a system through systematic analysis rather than relying on tribal knowledge and outdated documentation.
- Helps architects spot opportunities for standardization, e.g. several repos using different libraries to achieve the same functionality when one is clearly superior in terms of performance.
```bash
opengrep --config=js-ts/ --json --output=results.json /path/to/project
opengrep --config=js-ts/ --sarif --output=results.sarif /path/to/project
```
Coming soon!
- JavaScript/TypeScript
- Java
- Python
- C#
- Go
- Rust
- C++
- PHP
This repository includes automated testing via GitHub Actions that:
- Validates rule syntax for all languages
- Tests rules against sample code patterns
- Generates comprehensive test reports
- Runs on every push and pull request
Run the same CI locally using act:
```bash
# Install act (see https://github.com/nektos/act)
# Then from this folder:
make act                      # simulate pull_request
make act-push                 # simulate push
make act-dispatch             # simulate workflow_dispatch
make act-job JOB=test-rules   # run a single job
```
Use the provided test script to validate rules locally:
```bash
# Make the script executable
chmod +x test-opengrep-rules.sh
# Test all languages
./test-opengrep-rules.sh
# Test a specific language
./test-opengrep-rules.sh java
./test-opengrep-rules.sh js-ts
./test-opengrep-rules.sh python
# Test against a custom directory
./test-opengrep-rules.sh java /path/to/your/java/project
```
Requirements:
- OpenGrep
- jq
To contribute a rule:
- Add the new rule following the existing directory structure
- Ensure the rule includes proper metadata
- Validate and test the rule against both positive and negative cases
- Submit a pull request
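As an added illustration of what such a contribution looks like (this is not one of the repository's own rules), the rule below inventories the "Command Lines" category by flagging every way Node's `child_process` API is reached from JavaScript/TypeScript. The rule id and the metadata keys are assumptions; align them with the metadata the repo's existing rules use.

```yaml
rules:
  - id: coderecon-js-ts-command-line-child-process   # hypothetical id, not from the repo
    languages: [javascript, typescript]
    severity: INFO   # inventory finding, not a vulnerability verdict
    message: >-
      Command-line functionality: child_process.$FUNC() runs an OS command or
      spawns a process. Review this call site for untrusted input reaching it.
    metadata:
      # Assumed metadata layout; copy the keys used by existing CodeRecon rules.
      category: command-line
      subcategory: process-execution
      technology: [node.js]
      references:
        - https://nodejs.org/api/child_process.html
    patterns:
      - pattern-either:
          # require('child_process').exec(...)
          - pattern: require('child_process').$FUNC(...)
          # const cp = require('child_process'); cp.exec(...)
          - patterns:
              - pattern-inside: |
                  $CP = require('child_process')
                  ...
              - pattern: $CP.$FUNC(...)
          # import * as cp from 'child_process'; cp.exec(...)
          - patterns:
              - pattern-inside: |
                  import * as $CP from 'child_process'
                  ...
              - pattern: $CP.$FUNC(...)
          # import { exec } from 'child_process'; exec(...)
          - patterns:
              - pattern-inside: |
                  import { $FUNC } from 'child_process'
                  ...
              - pattern: $FUNC(...)
      # Only the functions that actually execute something count as
      # command-line functionality; helpers on the module are ignored.
      - metavariable-regex:
          metavariable: $FUNC
          regex: ^(exec|execSync|execFile|execFileSync|spawn|spawnSync|fork)$
```

The `'node:child_process'` specifier is not covered above; add a second `pattern-inside` per import style for it. A sibling test file with Semgrep-style `// ruleid:` and `// ok:` comments supplies the positive and negative cases the contribution steps call for.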