
How we made Semgrep rules run on Semgrep rules

Blog post from Semgrep

Post Details

Author: Emma Jin
Word Count: 1,254
Language: English
Summary

Semgrep, a tool for finding security bugs and anti-patterns in code, has extended its scanning to Semgrep rules themselves and to other YAML configurations such as Kubernetes manifests and CircleCI workflows. Semgrep rules are written in YAML, a format that is simple to read but easy to get subtly wrong. To support this, Semgrep built a YAML parser that retains location information, so findings can be reported at the precise line and column. Special syntax such as the "__semgrep_ellipsis__" operator keeps rule patterns valid YAML while still expressing Semgrep's ellipsis matching. The result is that users can write Semgrep rules that check Semgrep rules, and can also apply existing JSON-oriented rules to YAML files, broadening the range of configuration checks. Some limitations remain, notably the lack of support for YAML aliases and anchors, but the feature is expected to improve as user feedback is incorporated.