Static analysis
semgrep-rules
Public Semgrep queries developed during audits, research, and internal engineering work.
Best for
Fast pattern-based checks you can drop into CI with minimal scaffolding.
Surface
Static analysis
Catalog group
Verify supply chains and enforce engineering policy
Repository
trailofbits/semgrep-rules
From the README
This repository contains Semgrep rules developed by Trail of Bits and made available to the public. They are part of our ongoing development efforts and are used in our security audits, vulnerability research, and internal projects. They will evolve over time as we identify new techniques. Visit the Testing Handbook for Semgrep guidance. The easiest way to run the rules is to run them from the Semgrep registry.
Related tools · Verify supply chains and enforce engineering policy
- rekor-monitor Transparency-log monitoring for Sigstore's Rekor so maintainers can watch for suspicious signing events.
- It-Depends Dependency-graph and SBOM builder for packages and arbitrary source repositories.
- cargo-unmaintained Identifies unmaintained packages in Rust projects before they quietly become inherited risk.
- Dylint Runs custom Rust lints from dynamic libraries rather than a single fixed lint set.
- codeql-queries Public CodeQL query packs used to express deeper code and data-flow policies.