
Semgrep: a static analysis journey

Blog post from Semgrep

Post Details
Author
Yoann Padioleau, Emma Jin
Word Count
2,614
Language
English
Summary

Semgrep, a semantic code analysis tool, evolved from Spatch, a code transformation tool for C that was used to address API evolutions in the Linux kernel. Created by Julia Lawall and Gilles Muller's research group, Spatch was designed to automate "collateral evolutions" in Linux device drivers using a syntax familiar to developers. Facebook later adapted it into Sgrep, which helped PHP developers enforce new APIs and catch bugs; its speed and simplicity were the main reasons for its success. In 2019, r2c refined Sgrep into Semgrep, expanding it to support multiple programming languages and adding features such as taint analysis and a web-based playground, which fostered a community around the tool. Semgrep aims to make security easy by enabling developers to write custom rules and enforce best practices consistently across codebases, reflecting its adaptability to the changing paradigms of software security.