Skip to main content
TIPSemgrep’s Kotlin coverage leverages framework-specific analysis capabilities that are not present in Semgrep Community Edition (CE). As a result, many framework specific Pro rules will fail to return findings if run on Semgrep CE. To ensure full security coverage, run: semgrep login && semgrep ci.

Semgrep Code analyses

Coverage

Semgrep aims to provide comprehensive and accurate detection of common OWASP Top 10 issues in source code. Semgrep uses rules, which are instructions based on which it detects patterns in code. These rules are usually organized in rulesets. By default, Semgrep Code provides you with the p/comment and p/default rulesets. These rulesets provide the most accurate and comprehensive coverage across Semgrep’s supported languages. The following is an example of a Kotlin rule: Many, but not all Kotlin rules require a Semgrep account. Sign in to Semgrep AppSec Platform to view this rule:

Kotlin support in Semgrep Supply Chain

Semgrep Supply Chain is a software composition analysis (SCA) tool that detects security vulnerabilities in your codebase introduced by open source dependencies.
NO NEED FOR LOCKFILESKotlin projects can be scanned without the need for lockfiles. See Dynamic Dependency Resolution (beta).

Supported package managers

Semgrep supports the following Kotlin package managers:
  • Gradle
  • Maven

Analyses and features

The following analyses and features are available for Kotlin:

Kotlin support in Semgrep CE

Semgrep CE is a fast, lightweight program analysis tool that can help you detect bugs in your code. It makes use of Semgrep’s LGPL 2.1 open source engine.

Analyses

  • Single-file, cross-function constant propagation
  • Single-function taint analysis
  • Semantic analysis

Coverage

TIP
  • Check the license of a rule to ensure it meets your licensing requirements. See Licensing for more details.
The Semgrep Registry provides the following Kotlin rule sets (many rules require a Semgrep account): Sample usage: