> ## Documentation Index
> Fetch the complete documentation index at: https://docs.zenable.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Semgrep

> Static analysis rules for pattern matching across many languages

## Overview

Semgrep (and OpenGrep, an open-source fork of the Semgrep engine) uses YAML rules to find code patterns by matching against each file's Abstract Syntax Tree rather than its raw text, so a rule is insensitive to whitespace, comments, and formatting. Rules detect vulnerabilities, anti-patterns, and policy violations in application code, IaC, and config files.

## Capabilities

* Pattern matching with metavariables (`$VAR`, which binds any expression) and the ellipsis operator (`...`, which matches any sequence of arguments or statements)
* Taint mode for tracking data flow from sources to sinks within a function (cross-function and cross-file tracking available with [Semgrep Pro](https://semgrep.dev/docs/semgrep-code/semgrep-pro-engine-intro))
* Supports 35+ languages
* Lightweight, fast execution with no build step required

## Limitations

* Analyzes **one file at a time** by default, so a taint source in one file that reaches a sink in another file is not reported -- cross-file analysis available with [Semgrep Pro](https://semgrep.dev/docs/semgrep-code/semgrep-pro-engine-intro)
* Not applicable to runtime or infrastructure state checks -- check out [InSpec](/integrations/guardrails/inspec) or [Goss](/integrations/guardrails/goss) for runtime validation, or [Checkov](/integrations/guardrails/checkov) for IaC static analysis

<Note>
  If you've got a paid Semgrep subscription and are looking for multi-file support, please let us know at [zenable.io/feedback](https://www.zenable.io/feedback?utm_source=docs\&utm_medium=guardrails-semgrep).
</Note>

## Generated Format

* **Language:** YAML
* **Structure:** Semgrep rule files with `id`, `message`, `severity`, `languages`, and pattern specification fields
* **Execution:** `semgrep --config rule.yaml <path>` (with no path, Semgrep scans the current directory)

## Example Guardrail

```yaml theme={null}
rules:
  - id: sql-injection-prevention
    mode: taint                          # track data flow instead of matching a single expression
    languages: [python]
    severity: HIGH
    message: User input flows to SQL query without sanitization
    pattern-sources:
      - pattern: request.args.get(...)   # untrusted: a Flask query-string parameter
    pattern-sinks:
      - patterns:
          - pattern: cursor.execute($QUERY, ...)
          - focus-metavariable: $QUERY   # only the SQL text is the sink; bound parameters are not
    pattern-sanitizers:
      - pattern: sanitize(...)           # placeholder: any value passing through this call is treated as clean
```

Learn more at [Semgrep rule syntax](https://semgrep.dev/docs/writing-rules/rule-syntax), [pattern syntax](https://semgrep.dev/docs/writing-rules/pattern-syntax), and [supported languages](https://semgrep.dev/docs/supported-languages).
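To make the rule concrete, here is the Python the rule is looking for, beside the hardened form it would not flag. This is an added example, not code from the original page or from Zenable; Flask's `request` object is replaced by a small stand-in (`fake_request`) and the database is an in-memory SQLite table with constructed sample rows, so it runs offline.

```python
"""Constructed demo of the taint rule's source -> sink flow (added example).

`request.args.get(...)` is the rule's source; `cursor.execute($QUERY, ...)`
with the tainted value inside $QUERY is its sink.
"""
import sqlite3
from types import SimpleNamespace


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users, only one named 'alice'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    return conn


def fake_request(**params) -> SimpleNamespace:
    """Stand-in for flask.request (assumption): request.args.get(name) reads a query param."""
    return SimpleNamespace(args=params)  # a dict already provides .get()


def lookup_vulnerable(request, cursor) -> list:
    # Tainted value is interpolated into the SQL text, i.e. into $QUERY.
    # This is exactly the shape the rule reports.
    name = request.args.get("name")
    cursor.execute(f"SELECT name FROM users WHERE name = '{name}'")
    return [row[0] for row in cursor.fetchall()]


def lookup_parameterized(request, cursor) -> list:
    # Hardened form: the tainted value is a bound parameter (the `...` part of
    # the sink pattern), not part of $QUERY, so focus-metavariable: $QUERY
    # does not match it and the driver never treats it as SQL.
    name = request.args.get("name")
    cursor.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in cursor.fetchall()]


PAYLOAD = "' OR '1'='1"  # constructed attacker input: a classic tautology


def run_demo() -> dict:
    """Run both lookups with a benign name and with the payload."""
    cur = make_db().cursor()
    return {
        "benign_vulnerable": lookup_vulnerable(fake_request(name="alice"), cur),
        "payload_vulnerable": lookup_vulnerable(fake_request(name=PAYLOAD), cur),
        "benign_parameterized": lookup_parameterized(fake_request(name="alice"), cur),
        "payload_parameterized": lookup_parameterized(fake_request(name=PAYLOAD), cur),
    }


if __name__ == "__main__":
    for key, rows in run_demo().items():
        print(f"{key:24} -> {rows}")
```

With the payload, the vulnerable lookup returns every row (the tautology turns the `WHERE` clause into `'' OR '1'='1'`), while the parameterized lookup returns nothing because the payload is matched as a literal name. Note also what `pattern-sanitizers` does and does not do: anything passing through `sanitize(...)` is treated as clean by the engine, so that entry is a claim about your code rather than a check of it; a home-grown escaping function is not a substitute for bound parameters.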

## Custom guardrails

You can author your own semgrep / opengrep rules and have Zenable apply them alongside marketplace guardrails. Configure each custom guardrail directory under the engine it belongs to:

```yaml theme={null}
guardrails:
  engines:
    semgrep:
      extras:
        custom_guardrail_dirs:
          - path: ~/.zenable/custom_guardrails/semgrep
            recurse: true
    opengrep:
      extras:
        custom_guardrail_dirs:
          - path: ~/.zenable/custom_guardrails/opengrep
            recurse: true
```

### `metadata.category`

Every custom rule must declare a `metadata.category` from the upstream semgrep set:

`best-practice`, `correctness`, `maintainability`, `performance`, `portability`, or `security`.

Zenable translates these to its own [`FindingCategory`](https://docs.zenable.io) taxonomy at the boundary. Rules with `metadata.category: security` must also declare `confidence`, `likelihood`, `impact`, `subcategory`, `cwe`, `owasp`, `references`, `technology`, and `vulnerability_class` per the upstream [contributor requirements](https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository#fields-required-by-the-security-category).

Run `zenable guardrail validate` to confirm a custom rule is valid for Zenable guardrail use before relying on it, for instance:

```bash theme={null}
zenable guardrail validate opengrep ~/.zenable/custom_guardrails/semgrep/custom-no-eval.yaml
```
