Aptos Labs


Semgrep Support for Move on Aptos


by Zhiping Liao, Andrea Cappa, Vineeth Kashyap, Marco Ilardi

Semgrep now supports Move on Aptos with five showcase rules. Aptos Labs invites security researchers and developers to try the tool, report bugs, and contribute to improving the rules!

Aptos Labs is excited to announce that Semgrep now supports Move on Aptos! Semgrep is already widely used by security researchers and developers, and bringing it into our ecosystem adds an independent layer of automated checking alongside the other security tooling and review we rely on.

What is Semgrep?

Semgrep is a static analysis tool for finding vulnerabilities and enforcing code standards. Developers write custom rules that describe code patterns, and Semgrep matches them against source code in many programming languages; it also integrates into CI/CD pipelines. As a Static Application Security Testing (SAST) tool, Semgrep inspects source code without executing it, so potential flaws are caught early in development. Finding issues while the code is being written is far cheaper than fixing them after an audit or, worse, after deployment.

For more details on Semgrep see the documentation.

Bringing a SAST tool to the Aptos Ecosystem

To continuously secure the Aptos ecosystem, Aptos Labs is committed to providing high-quality security tools for security researchers and developers to write more secure smart contracts. Offering Semgrep to our community reduces the time spent on manual audits for common issues, allowing auditors to focus on complex attacks beyond the capabilities of SAST tools. For developers, Semgrep can help eradicate certain classes of vulnerabilities by identifying potential issues in their code at any stage of development.

Rules

We have published five rules based on the Move security guidelines to get you started with Semgrep in your projects. Find them in the semgrep-move-rules GitHub repository (https://github.com/aptos-labs/semgrep-move-rules). As we identify more dangerous code patterns, we will expand and improve these rules to cover more cases and variants.

Run

To start using Semgrep, install it by following the Quickstart Guide. Make sure you’re using version 1.80 or newer (`semgrep --version` prints the installed version); Move on Aptos support is not available in older releases.

Clone the rules repository:

git clone https://github.com/aptos-labs/semgrep-move-rules.git <rules-path>

From the folder that contains your Move code, run the following command after replacing <rules-path> with the path of the rules you just cloned:

semgrep scan --config=<rules-path> ./

Note that this command runs all the rules contained in semgrep-move-rules. To run a single rule, point --config at that rule’s <rule-name>.yaml file instead of the directory.

Tip 1: Adding --dataflow-traces when running rules with mode: taint prints the full source-to-sink path for each finding, which makes taint results much easier to triage.
Tip 2: Semgrep supports several output formats, to STDOUT or to a file (for example --json or --sarif for machine-readable output). Run semgrep scan --help to find the format that best fits your workflow.

Exclusions

Like most automated tools of this type, Semgrep can report false positives, for example when a vulnerability is so context-dependent that its pattern cannot be expressed precisely. For this reason, each rule carries a confidence level in its metadata, and that level is included in the tool’s output for every finding. You can cut down on noise either by not running the noisiest rules or by filtering the output on the confidence level of the findings.
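Semgrep does not have a command-line switch for filtering on confidence, so in practice you filter the report after the scan. The script below is an added example (not code from the original post or from the aptos-labs/semgrep-move-rules repository). It assumes a report written with `semgrep scan --config=<rules-path> --json --output=findings.json ./`, reads only fields that the JSON output always carries (`results[].check_id`, `path`, `start.line`, `extra.severity`, `extra.metadata`), and treats a rule with no confidence field as LOW rather than letting it slip past a "HIGH only" filter. The rule ids, file paths and findings embedded in it are constructed for illustration.

```python
"""Triage Semgrep findings by the confidence level carried in rule metadata.

Added example; not code from the Aptos post or the semgrep-move-rules repo.
Usage:  python triage.py findings.json   (or no argument to use the sample)
"""
import json
import sys
from collections import Counter

# Rank confidence values so they can be compared; unknown values sort lowest.
CONFIDENCE_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

# Constructed stand-in for findings.json; rule ids and paths are hypothetical.
SAMPLE_REPORT = json.dumps({
    "results": [
        {"check_id": "hypothetical-rule-a", "path": "sources/vault.move",
         "start": {"line": 42}, "end": {"line": 45},
         "extra": {"message": "...", "severity": "WARNING",
                   "metadata": {"confidence": "HIGH"}}},
        {"check_id": "hypothetical-rule-b", "path": "sources/vault.move",
         "start": {"line": 58}, "end": {"line": 58},
         "extra": {"message": "...", "severity": "WARNING",
                   "metadata": {"confidence": "MEDIUM"}}},
        {"check_id": "hypothetical-rule-c", "path": "sources/coin.move",
         "start": {"line": 10}, "end": {"line": 12},
         "extra": {"message": "...", "severity": "INFO",
                   "metadata": {"confidence": "LOW"}}},
        {"check_id": "hypothetical-rule-c", "path": "sources/coin.move",
         "start": {"line": 21}, "end": {"line": 21},
         "extra": {"message": "...", "severity": "INFO",
                   "metadata": {"confidence": "LOW"}}},
        # A rule whose metadata carries no confidence field at all.
        {"check_id": "hypothetical-rule-d", "path": "sources/coin.move",
         "start": {"line": 77}, "end": {"line": 77},
         "extra": {"message": "...", "severity": "WARNING", "metadata": {}}},
    ],
    "errors": [],
})


def parse_findings(raw_json: str) -> list[dict]:
    """Flatten the parts of a Semgrep JSON report needed for triage."""
    report = json.loads(raw_json)
    findings = []
    for result in report.get("results", []):
        extra = result.get("extra", {})
        # A missing confidence is treated as LOW so the finding is never
        # silently promoted past a stricter filter.
        confidence = str(extra.get("metadata", {}).get("confidence", "LOW")).upper()
        findings.append({
            "rule": result["check_id"],
            "path": result["path"],
            "line": result["start"]["line"],
            "severity": extra.get("severity", "INFO"),
            "confidence": confidence,
        })
    return findings


def filter_by_confidence(findings: list[dict], minimum: str = "MEDIUM") -> list[dict]:
    """Keep findings whose rule confidence is at least `minimum`."""
    threshold = CONFIDENCE_RANK[minimum.upper()]
    return [f for f in findings
            if CONFIDENCE_RANK.get(f["confidence"], 0) >= threshold]


def noisiest_rules(findings: list[dict], top: int = 3) -> list[tuple[str, int]]:
    """Rules with the most LOW-confidence hits: candidates for --exclude-rule."""
    counts = Counter(f["rule"] for f in findings if f["confidence"] == "LOW")
    return counts.most_common(top)


if __name__ == "__main__":
    raw = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    all_findings = parse_findings(raw)
    for f in filter_by_confidence(all_findings, "MEDIUM"):
        print(f"{f['path']}:{f['line']}  {f['rule']}  [{f['confidence']}/{f['severity']}]")
    print("noisiest LOW-confidence rules:", noisiest_rules(all_findings))
```

Once `noisiest_rules` has pointed at a rule that is all noise for your code base, drop it from the scan with `--exclude-rule <rule-id>` rather than suppressing each hit in the source; keep the `nosemgrep` comments for the rare individual misfire of an otherwise good rule.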

In some cases, however, a rule with good confidence might misfire and report a false positive (FP).

How do we exclude a FP from the code? Locate the code affected by the FP and add the comment // nosemgrep: rule-id either on the first line of the pattern match or on the line immediately before it. Prefer this rule-specific form over a bare // nosemgrep, which suppresses every rule at that location and can hide a real finding from another rule later on. We also recommend documenting the reason for the exclusion next to the comment so that future reviewers can verify the justification still holds.

Refer to the Semgrep documentation for more details on exclusions.

Call for Contribution 🗣️

We invite everyone to contribute to the rules repository, whether with a new rule or an improvement to an existing one; your contributions are invaluable! Check out the contribution details in the rules repository!

Bugs 🐛

Support for Move on Aptos in Semgrep is experimental, although we have ensured that a good number of features work properly. If you encounter a bug in a rule or feature, you can report it via the two reference repositories:



Written by Aptos Labs

Aptos Labs is a premier Web3 studio of engineers, researchers, strategists, designers, and dreamers building on Aptos, the Layer 1 blockchain.
