Opengrep quickstart

Since I could not find a quickstart to run opengrep with the full set of rules from their fork I thought I'd document what I found out.

Setup

Download the opengrep binary from github and make it executable with chmod +x.
Clone the rules repo:
git clone git@github.com:opengrep/opengrep-rules.git

and clean it up to make it usable to opengrep:
cd opengrep-rules
rm -rf ".git",".github",".pre-commit-config.yaml", "elixir", "apex"
find . -type f -not -iname "*.yaml" -delete
rm -rf .github
rm -rf .pre-commit-config.yaml

Ensure opengrep can load the rules with:
opengrep_manylinux_x86 validate .

The same can be done for custom rules maintained in a separate repository. AFAIU Multiple repositories can be specified by repeating -f option as needed, see below.

We are now ready to scan a repo, from the repo root directory run:
opengrep_manylinux_x86 scan \
  -f <path_to>/opengrep-rules \
  --error \
  --exclude-rule=VAL

some tips:
  1. to save time you can load only the rules that apply to a specific project, for example only load java rules and ignore everything else by repeating -f with specific subdirectories
  2. output can redirected to a file in a specific format for later inspection, loading into defectdojo or archival with --text-* options
  3. --exclude-rules can be used to disable rules and can be repeated as many times as necessary
  4. --error forces opengrep to exit with 1 if there are any findings, useful for CI
  5. --include and --exclude can be used to exclude files and directories that are not relevant
Run opengrep --help to see all options.

Running opengrep against recent changes only

We can gather a list of changed files (in this case files changed less than 72h ago) and supply that list to opengrep with some bash magic:
find . \
  -type f \
  -atime -72 \
  -print0 \
  | xargs \
    --no-run-if-empty \
    -0 <opegrep command>

Note that if the list becomes longer than 1024 files approx., xargs will start another opengrep process after the first one.

Additional rules


Popular posts

Mirth: recover space when mirthdb grows out of control

I was recently asked to recover a mirth instance whose embedded database had grown to fill all available space so this is just a note-to-self kind of post. Btw: the recovery, depending on db size and disk speed, is going to take long. The problem A 1.8 Mirth Connect instance was started, then forgotten (well neglected, actually). The user also forgot to setup pruning so the messages filled the embedded Derby database until it grew to fill all the available space on the disk. The SO is linux. The solution First of all: free some disk space so that the database can be started in embedded mode from the cli. You can also copy the whole mirth install to another server if you cannot free space. Depending on db size you will need a corresponding amount of space: in my case a 5GB db required around 2GB to start, process logs and then store the temp files during shrinking. Then open a shell as the user that mirth runs as (you're not running it as root, are you?) and cd in...
Read more

From 0 to ZFS replication in 5m with syncoid

The ZFS filesystem has many features that once you try them you can never go back. One of the lesser known is probably the support for replicating a zfs filesystem by sending the changes over the network with zfs send/receive. Technically the filesystem changes don't even need to be sent over a network: you could as well dump them on a removable disk, then receive  from the same removable disk.
Read more

1/4/2000 to 1/4/2025: the beginning

Today April, 1st 2025 marks the 25 years anniversary (quarter of a century sounds more impressive, doesn't it?) working professionally in ICT. My first working day as an ICT professional was on April 1st 2000. I had just graduated from uni (literally the week before) and one of the profs offered me a position at this company. The daily commute over bus and train was about one hour and a half, but I got to work on something really fancy: writing a c-shell script to daily sync data over ftp from an Oracle 7 database running on AIX (looked a lot like this one ) to a Bull mainframe. Development occurrent from a Windows NT4 workstation over telnet (I think). c-shell was a b1tḉh to work with and vim wasn't available (only vi IIRC) so my productivity wasn't great but I got it done and it ran until one of the two system (AIX) was eventually decommissioned. The AIX system might still be in the basement at my $OLDJOB. After that I moved on to more interesting e...
Read more