OCaml on RORO's bloghttps://blog.rodolpheg.xyz/tags/ocaml/Recent content in OCaml on RORO's blogHugofr-frcontact@rodolpheg.xyz (0xRo)contact@rodolpheg.xyz (0xRo)Wed, 08 Apr 2026 00:00:00 +0000Semgrep Architecture: Comprehensive Referencehttps://blog.rodolpheg.xyz/posts/semgrep-architecture/Wed, 08 Apr 2026 00:00:00 +0000contact@rodolpheg.xyz (0xRo)https://blog.rodolpheg.xyz/posts/semgrep-architecture/<blockquote> <p><strong>Semgrep</strong> (Semantic Grep) is a multi-language static analysis tool that matches code by its <em>structure</em> &ndash; not just its text &ndash; using a unified Abstract Syntax Tree and a rich pattern language. This document covers the full internal architecture from CLI entry-point to taint sink detection.</p> </blockquote> <h2 id="table-of-contents">Table of Contents</h2> <ol start="0"> <li><a href="#0-introduction">Introduction</a> <ul> <li><a href="#01-what-is-sast">What is SAST?</a></li> <li><a href="#02-history-of-semgrep">History of Semgrep</a></li> </ul> </li> <li><a href="#1-high-level-architecture">High-Level Architecture</a></li> <li><a href="#2-component-breakdown">Component Breakdown</a></li> <li><a href="#3-the-full-analysis-pipeline">The Full Analysis Pipeline</a></li> <li><a href="#4-target-discovery--filtering">Target Discovery &amp; Filtering</a></li> <li><a href="#5-rule-parsing--optimization">Rule Parsing &amp; Optimization</a></li> <li><a href="#6-parsing--the-universal-ast">Parsing &amp; the Universal AST</a></li> <li><a href="#7-the-matching-engine">The Matching Engine</a></li> <li><a href="#8-the-intermediate-language-il--cfg">The Intermediate Language (IL) &amp; CFG</a></li> <li><a href="#9-taint-analysis-dataflow">Taint Analysis (Dataflow)</a></li> <li><a href="#10-output--reporting-pipeline">Output &amp; Reporting Pipeline</a></li> <li><a href="#11-osemgrep--rpc-architecture">OSemgrep / RPC Architecture</a></li> <li><a href="#12-key-data-structures">Key Data Structures</a></li> </ol> <hr> <h2 id="-1-why">-1. Why?</h2> <p>I have been working as a DevSecOps engineer for nearly four years now. When I started, I had little exposure to tooling like SAST, SCA, or DAST. My mindset was firmly rooted in offensive security. Penetration testing was the goal, the dream.</p>