Open source Semgrep / OpenGrep rules for detecting cryptographic usage in source code.
These rules statically inventory where cryptography is used across a codebase — algorithms, hashes, MACs, key material, certificates, and protocols — and attach structured metadata to each finding. The metadata is designed to feed downstream tooling such as a Cryptographic Bill of Materials (CBOM).
The rules surface evidence; they do not enforce policy. Whether a given algorithm or configuration is acceptable is left to the systems and people consuming the findings.
| Path | Description |
|---|---|
semgrep-rules/ |
The detection rules, organized as <language>/<library>/... |
tests/ |
Python + OpenGrep test framework and self-describing fixtures |
TESTING.md |
Full guide to writing and running tests |
Dockerfile.test |
Reproducible test environment |
Makefile |
Common test commands |
- Python 3.9+
- OpenGrep (or Semgrep) >= 1.12.1 — required for taint analysis
pip install semgrep # provides the opengrep-compatible engine
opengrep --version # should be >= 1.12.1Point the engine at the rules and your code:
opengrep --config semgrep-rules/ --taint-intrafile path/to/your/codemake test # run all tests
make test-parallel # run across all CPU cores
make test-quick # fast subsetOr in a container, with no local Python/OpenGrep setup:
make docker-testSee TESTING.md for the complete testing guide.
Rules are grouped by language and library under semgrep-rules/. Each rule file
is paired with self-describing test fixtures under
tests/integration/fixtures/ that document and verify the expected detections.
Contributions are welcome — new rules, additional fixtures, and improvements to the test framework. Please read CONTRIBUTING.md and our Code of Conduct before opening a pull request.
To report a security issue, please follow the process in SECURITY.md.
This project is licensed under the GNU General Public License v3.0. See LICENSE for the full text.
Maintained by SCANOSS.