manh-td/security-score
Security Score (Semgrep-based)

A small Semgrep-based project to compare findings before and after a code fix, then compute a simple security score.

This repository includes:

  • vulnerable and fixed Python examples in examples/
  • Semgrep execution scripts in scripts/
  • Python modules for running scans and calculating the score in src/modules/
  • CWE-to-Semgrep config mappings for Python and Java in rules/*.json
  • Docker setup for containerized execution

Repository Layout

.
├── docker-compose.yml
├── Dockerfile
├── README.md
├── requirements.txt
├── examples/
│   ├── example.fix.py
│   └── example.py
├── rules/
│   ├── java.json
│   └── python.json
├── scripts/
│   ├── test.sast.sh
│   └── test.semgrep.sh
└── src/
    ├── config.py
    ├── utils.py
    └── modules/
        ├── sast.py
        └── security_score.py

Prerequisites

  • Python 3.10+ (or Docker)
  • Semgrep (installed via requirements.txt)

Run with Docker

Build and start the container:

docker compose up -d --build

Open a shell inside the container:

docker exec -it security-score-container bash

Inside the container, run either script:

bash scripts/test.security-score.sh

Stop the stack when finished:

docker compose down

CWE Mapping Files

rules/python.json and rules/java.json map CWE IDs to Semgrep registry configs.

Example:

"CWE-78": ["p/command-injection", "p/python"]

This mapping can be used by automation to select Semgrep rule packs from a CWE list.
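As an added illustration (not code from this repository) of how such automation could consume the mapping: load the JSON, collect the rule packs for a list of CWE IDs without duplicates, report any CWE the file does not cover, and turn the result into a Semgrep command line with one --config flag per pack. The sample mapping below is constructed in the same shape as rules/python.json; only the CWE-78 entry is taken from the page, the other entries are assumed.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of rules/python.json (not the repository's file).
SAMPLE_MAPPING_JSON = """
{
  "CWE-78": ["p/command-injection", "p/python"],
  "CWE-89": ["p/sql-injection", "p/python"],
  "CWE-79": ["p/xss"]
}
"""


def load_mapping(text: str) -> Dict[str, List[str]]:
    """Parse a CWE -> Semgrep config mapping and reject malformed entries."""
    data = json.loads(text)
    for cwe, configs in data.items():
        if not cwe.startswith("CWE-") or not isinstance(configs, list):
            raise ValueError(f"malformed mapping entry: {cwe!r}")
    return data


def select_configs(cwes: List[str], mapping: Dict[str, List[str]]) -> List[str]:
    """Return the Semgrep configs for the requested CWEs, deduplicated, in first-seen order."""
    selected: List[str] = []
    for cwe in cwes:
        for cfg in mapping.get(cwe.upper(), []):
            if cfg not in selected:
                selected.append(cfg)
    return selected


def unmapped(cwes: List[str], mapping: Dict[str, List[str]]) -> List[str]:
    """CWE IDs that have no entry in the mapping; automation should report these rather than silently skip them."""
    return [c for c in cwes if c.upper() not in mapping]


def semgrep_args(cwes: List[str], mapping: Dict[str, List[str]],
                 target: str = "examples/example.py") -> List[str]:
    """Build the Semgrep argv: each rule pack becomes its own --config flag, output as JSON."""
    configs = select_configs(cwes, mapping)
    if not configs:
        raise ValueError("no Semgrep configs found for the given CWE list")
    args = ["semgrep", "--json"]
    for cfg in configs:
        args += ["--config", cfg]
    return args + [target]
```

The returned list can be passed straight to subprocess.run, and the JSON on stdout is what a before/after comparison would parse.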

Notes

  • scripts/test.semgrep.sh currently scans only examples/example.py.
  • The script writes output to results.json in the project root.
  • Semgrep findings can vary by Semgrep version and registry updates.
