We’re using semgrep to do static application security testing (SAST).

SAST Docker image#

There’s a SAST Docker image which we’re using for the tests.

The Docker image can be used to run semgrep with the official registry rules, but also our custom SAST rules.

SAST rules#

The image also includes custom SAST rules, which we’re maintaining.


Read the Writing rules chapter of the official documentation, to maintain our custom rules.

SAST CI file#

While semgrep is a Python utility, it can be used to test many different languages.

Thus we’ve created a dedicated shared sast CI file, which can be included in all the projects requiring SAST.