
JavaScript static analysis comparison: ESLint vs Semgrep

Blog post from Semgrep

Post Details

Author: Colleen Dai
Word Count: 2,421
Language: English
Summary

GitLab's move from Bandit and ESLint to Semgrep as the engine behind its SAST (Static Application Security Testing) analyzers prompts a side-by-side comparison of ESLint and Semgrep on security coverage, custom rule creation, performance, and CI/CD usage. Semgrep draws on a large community-maintained rule registry, covers multiple languages, and lets rules be written and modified quickly, but it tends to produce more false positives than ESLint, whose JavaScript security checks are more precise. On performance, ESLint is faster and more efficient on larger repositories, while Semgrep's multithreading can improve its performance on small to medium-sized projects. Both tools integrate well into development workflows and CI/CD systems, and both offer flexible ways to ignore specific lines, paths, and rules. Semgrep's multilingual support and experimental features such as autofix make it a versatile choice for multi-language projects, while ESLint's detailed rule testing and lower false-positive rate make it a robust alternative for JavaScript security analysis.