My first attempt at a Burp Suite extension. It is built to passively send temporary copies of proxied HTML/JS to Semgrep. And yes, like most passive checks, it comes with the usual pluses and minuses... it's static analysis...

Burp (as of 2025.2.4) seems to do a great job batching these passive tasks up, since they do take some time to complete and are resource intensive. There is likely enormous room for a performance boost, but ¯\(ツ)/¯
Built with the below Maven/OpenJDK versions:

```text
└─$ mvn --version
Apache Maven 3.9.9 (8e8579a9e76f7d015ee5ec7bfcdc97d260186937)
Maven home: /home/kali/Downloads/apache-maven-3.9.9
Java version: 17.0.15-ea, vendor: Debian, runtime: /usr/lib/jvm/java-17-openjdk-amd64
Default locale: en_US, platform encoding: UTF-8
OS name: "linux", version: "6.12.20-amd64", arch: "amd64", family: "unix"
```
You need semgrep in your PATH.

You will want to have a local copy of the semgrep rules too (git clone https://github.com/returntocorp/semgrep-rules.git).
```bash
git clone https://github.com/N0ur5/Burp2Sem.git
```

Point this tool at a directory full of semgrep rules by modifying the rulesDir variable in SemgrepScanCheck.java.

```bash
cd Burp2Sem
mvn clean package
```
In Burp Suite -> Extensions -> Add -> select SemgrepPassiveScanner-*.*.jar (in target/).

This is a passive check. Assuming you have semgrep installed locally, this thing should just cook "behind the scenes" and flag anything that semgrep would flag. You will need to take each finding and manually track down the actual exploitability of any flagged issues.
There is also plenty to watch in the Output tab of Extensions -> Installed -> Semgrep Passive Scanner, so that you can see what is going on.
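To show the flow the extension performs (temp copy of the proxied body, one `semgrep --json` process per file, mapping Semgrep's severity/confidence onto Burp-style levels), here is an added stand-alone Python illustration. It is not the extension's Java code; the rule id, message and JSON sample are constructed, and `rules_dir` stands in for the rulesDir variable.

```python
import json
import shutil
import subprocess
import tempfile
from pathlib import Path

# Semgrep severity / metadata.confidence -> Burp-style issue levels (assumed mapping).
SEVERITY_MAP = {"ERROR": "High", "WARNING": "Medium", "INFO": "Low"}
CONFIDENCE_MAP = {"HIGH": "Certain", "MEDIUM": "Firm", "LOW": "Tentative"}

def parse_semgrep_json(output: str) -> list[dict]:
    """Flatten `semgrep --json` output into findings with Burp-style levels."""
    findings = []
    for r in json.loads(output).get("results", []):
        extra = r.get("extra", {})
        meta = extra.get("metadata", {})
        findings.append({
            "rule": r["check_id"],
            "line": r["start"]["line"],
            "end_line": r["end"]["line"],
            "message": extra.get("message", ""),
            "severity": SEVERITY_MAP.get(extra.get("severity", ""), "Information"),
            "confidence": CONFIDENCE_MAP.get(str(meta.get("confidence", "")).upper(), "Tentative"),
        })
    return findings

def scan_body(body: bytes, is_js: bool, rules_dir: str) -> list[dict]:
    """Write the response body to a temp file with the right suffix and run Semgrep on it.
    One process per file (the current model); returns [] when semgrep is not on PATH."""
    if shutil.which("semgrep") is None:
        return []
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / ("proxied.js" if is_js else "proxied.html")
        target.write_bytes(body)
        proc = subprocess.run(
            ["semgrep", "--config", rules_dir, "--json", "--quiet", str(target)],
            capture_output=True, text=True, check=False,
        )
        return parse_semgrep_json(proc.stdout) if proc.stdout else []

# Constructed sample of the JSON shape Semgrep emits (not real tool output).
SAMPLE_OUTPUT = json.dumps({
    "results": [{
        "check_id": "example.js.innerhtml-sink",
        "path": "/tmp/x/proxied.js",
        "start": {"line": 12, "col": 5, "offset": 300},
        "end": {"line": 12, "col": 40, "offset": 335},
        "extra": {"message": "Untrusted data written via innerHTML", "severity": "WARNING",
                  "metadata": {"confidence": "MEDIUM", "category": "security"},
                  "lines": "el.innerHTML = location.hash;"},
    }],
    "errors": [],
})
```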
- Fix highlighting syntax (seems like this may not be possible with passive checks; might need to migrate to an active version too for this)
- Fix severity/confidence
- Move to a daemon model for a performance boost. Currently the Semgrep binary is launched for each JS/HTML file that is analyzed.