
Semgrep's metavariable-analysis operator covers checks on a bound metavariable that are awkward to express with pattern syntax or metavariable-regex but reduce to a simple yes/no classifier over the bound value. It currently supports two analyzers: redos and entropy. Both inspect the text the metavariable is bound to, so they are only useful when that binding is a string literal in the target code; a value assembled at runtime gives the analyzer nothing to inspect.

ReDoS

```yaml
metavariable-analysis:
  analyzer: redos
  metavariable: $VARIABLE
```
A poorly constructed regular expression can take time exponential in the input length when fed a crafted string, which is a regular expression denial of service (ReDoS). The cause is catastrophic backtracking: nested or overlapping quantifiers such as `(a+)+` or `(\w+\s?)*` give the engine many ways to partition the same input, and on a string that ultimately fails to match it tries them all. The redos analyzer checks the literal regex bound to the metavariable against known anti-patterns and reports it as potentially vulnerable to catastrophic backtracking. It is a static heuristic: it does not run the regex, so treat a finding as a prompt to review the pattern (or bound the input length) rather than as proof of exploitability.
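The following is an added example, not a rule from the Semgrep documentation or registry: a complete rule that flags Python regex calls whose literal pattern the redos analyzer classifies as vulnerable. The rule id, message and the annotated target file are constructed for illustration. Which patterns the analyzer actually reports depends on the anti-pattern list shipped with your Semgrep version, so the `# ruleid:` / `# ok:` annotations state the intended verdicts; confirm them with `semgrep --test` before relying on the rule.

```yaml
# Added example (not Semgrep's own rule). Flags regex literals that the
# redos analyzer classifies as prone to catastrophic backtracking.
rules:
  - id: python-regex-redos
    languages: [python]
    severity: WARNING
    message: >
      Regular expression `$REGEX` contains a construct that can backtrack
      exponentially on crafted input (ReDoS). Remove nested or overlapping
      quantifiers, or bound the length of the input before matching.
    patterns:
      # $REGEX binds the pattern argument; `...` allows flags or other
      # trailing arguments. Only a literal regex can be analysed.
      - pattern-either:
          - pattern: re.compile($REGEX, ...)
          - pattern: re.match($REGEX, ...)
          - pattern: re.search($REGEX, ...)
          - pattern: re.fullmatch($REGEX, ...)
      - metavariable-analysis:
          analyzer: redos
          metavariable: $REGEX

# Constructed target file (target.py) for `semgrep --config rule.yaml target.py`
# or, with the annotations, `semgrep --test`:
#
#   import re
#
#   # nested quantifier over overlapping alternatives (classic evil regex)
#   # ruleid: python-regex-redos
#   BAD = re.compile(r"^(\w+\s?)*$")
#
#   # linear and length-bounded
#   # ok: python-regex-redos
#   GOOD = re.compile(r"^[\w\s]{1,256}$")
#
#   # not a literal: nothing for the analyzer to inspect
#   user_pattern = input()
#   # ok: python-regex-redos
#   DYN = re.compile(user_pattern)
```

The last case is the important caveat: a regex built from a variable never reaches the analyzer, so a rule like this only catches patterns written inline, and dynamically constructed patterns need a separate taint or dataflow rule.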

Entropy

```yaml
metavariable-analysis:
  analyzer: entropy
  metavariable: $VARIABLE
```
Entropy is a common approach to detecting secret strings: keys and tokens are generated randomly, so their character distribution is far from that of ordinary text. Many existing secret-detection tools combine an entropy calculation with regular expressions (RegEx) that match known key formats. The entropy analyzer returns true when the string bound to the metavariable has high entropy, or randomness, relative to the English language. High entropy is not the same as secret: hashes, UUIDs, base64-encoded fixtures and minified data also score high, so pair the analyzer with a constraint on the surrounding code, such as a metavariable-regex on the variable name, to keep findings actionable.
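The following is an added example, not a rule from the Semgrep documentation or registry: a rule that reports a long, random-looking string literal assigned to a credential-like variable name, combining metavariable-regex on the name with the entropy analyzer on the value, which is the entropy-plus-RegEx combination described above. The rule id, the name regex and the target snippet are constructed; the `"$VALUE"` pattern binds the contents of the string literal. As with the redos example, the annotations state the intended verdicts, and `semgrep --test` will tell you whether the analyzer agrees for your version.

```yaml
# Added example (not Semgrep's own rule). Reports hard-coded, high-entropy
# values assigned to names that suggest a credential.
rules:
  - id: python-hardcoded-high-entropy-secret
    languages: [python]
    severity: ERROR
    message: >
      `$KEY` is assigned a high-entropy string literal that looks like a
      hard-coded secret. Load it from the environment or a secret manager,
      and rotate the value if it was ever committed.
    patterns:
      # "$VALUE" binds the contents of the string literal on the right-hand side.
      - pattern: $KEY = "$VALUE"
      # Restrict to credential-like names so hashes, UUIDs and fixtures
      # stored under other names do not trigger the entropy check.
      - metavariable-regex:
          metavariable: $KEY
          regex: (?i).*(secret|token|api_?key|password|passwd).*
      - metavariable-analysis:
          analyzer: entropy
          metavariable: $VALUE

# Constructed target file (target.py):
#
#   import os
#
#   # random-looking 32-character value under a credential-like name
#   # ruleid: python-hardcoded-high-entropy-secret
#   API_KEY = "x7Q2mZ9vL4kB8nR1tW6yH3jF0sD5gA2e"
#
#   # credential-like name, but a low-entropy dictionary word
#   # ok: python-hardcoded-high-entropy-secret
#   PASSWORD = "changeme"
#
#   # high entropy, but the name does not look like a credential
#   # ok: python-hardcoded-high-entropy-secret
#   CONTENT_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
#
#   # not a literal: the value comes from the environment
#   # ok: python-hardcoded-high-entropy-secret
#   TOKEN = os.environ["TOKEN"]
```

The `changeme` case shows the other side of the trade-off: a weak but human-chosen password has low entropy and will not be reported by this rule, so an entropy-based rule complements, rather than replaces, a wordlist or format-specific check.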