How to Use Semgrep in CodeGrade to Improve Student Code Quality
Articles
February 10, 2025

How to use Semgrep for Automatic Grading

In 30 seconds...

Want to catch missing function definitions, enforce coding best practices, or ensure students follow assignment guidelines? Semgrep in CodeGrade makes it easy. This powerful, lightweight static analysis tool helps instructors automatically check for code structures without complex setup. Learn how to integrate Semgrep into your grading workflow to provide instant feedback and improve student learning.

What is Semgrep?

Semgrep (Semantic Grep) is an open-source, lightweight static analysis tool that scans source code to identify specific patterns. It helps instructors and developers check for certain structures in code, such as:

  • Statements
  • Loops
  • Declarations
  • Function definitions

Semgrep works similarly to grep, but instead of searching for plain text it matches patterns against the parsed structure of the code, so differences in whitespace, comments, or variable names do not break a match. It supports a variety of programming languages, including Python, JavaScript, Go, Java, C, and more.

How Can You Use Semgrep in CodeGrade?

In CodeGrade, Semgrep is integrated as a parent block called Code Structure, with two child blocks for pattern matching:

  • Positive Match: Passes if the pattern is found.
  • Negative Match: Fails if the pattern is found (useful for ensuring students don't use constructs that are overly advanced for the assignment, or that are typical of AI-generated code).

These blocks can be added to your setup with just a few simple steps. Here’s how:

Step 1: Set Up the Code Structure Block

  1. Drag the Code Structure block into your setup in CodeGrade.
  2. Inside the Code Structure block, nest a Match block.
    There are two types of Match blocks:
    • Positive Match: This will pass if the pattern is detected in the student’s code.
    • Negative Match: This will fail if the pattern is detected. This can be helpful to ensure students aren't using inappropriate code structures, such as constructs that are overly advanced for the assignment or that are typical of AI-generated code.


Step 2: Define the Pattern

Each Match block has a template you can fill in. Here's how to define a pattern:

  1. Select the Language (e.g., Python, JavaScript, etc.).
  2. Fill in the Pattern: In Semgrep, you write patterns using a specific syntax. For example, if you want to ensure a student implements an add() function in Python that takes two parameters and returns a value, the pattern would look like this:

```yaml
rules:
  - id: untitled_rule
    pattern: |
      def add($VAR1, $VAR2):
          ...
          return $SUM
    message: Semgrep found a match
    languages: [python]
    severity: WARNING
```

  3. Explanation of the syntax:
    • The | symbol starts a multi-line YAML block, so the pattern can span several lines.
    • $VAR1, $VAR2, and $SUM are Semgrep metavariables. They match any identifier (and, for $SUM, any expression), so students can name the parameters and the returned value however they like.
    • The ellipsis (...) matches zero or more statements, so anything the student writes between the def line and the return is accepted. The return line is indented under def so that it is matched as part of the function body rather than as a top-level statement.
  4. You can test your patterns using the Semgrep playground: Semgrep Playground.
    For more details on writing Semgrep rules, visit Semgrep Docs.

Step 3: Provide Hints (Optional)

You can add hints to help students if they fail to meet the required pattern:

  1. Click the dialog box on the right side of the block settings.
  2. Select "Uncollapsed when full marks are not achieved".
    This ensures that the hint will be displayed if the student doesn’t pass the test, guiding them towards the right solution.

Example Assignment: Calculator

Let’s look at a practical example. In this assignment, students are expected to code a basic calculator in Python. We want students to define four functions: add(), subtract(), multiply(), and divide(). The program should also handle division by zero.

  • Goal: Ensure that the add() function accepts two parameters.
  • Pattern: As shown earlier, we’ll look for a function definition like def add($VAR1, $VAR2).

We added another pattern to check whether students implement divide() so it handles 0:

You don’t need to install Semgrep yourself in CodeGrade—CodeGrade will automatically handle installation if needed.
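The following rule file is an added example that ties Step 2 and the calculator assignment together; it is not the pattern from the page's own divide() check, and the rule ids, the parameter names $A and $B, and the accepted forms of zero-handling are my assumptions. The first rule is the kind you would put in a Positive Match block: pattern-inside binds the second parameter of divide() to $B, so the guard has to test that same parameter, and pattern-either accepts a comparison against 0 or a try/except for ZeroDivisionError. The second rule is the kind you would put in a Negative Match block to fail any submission that calls eval() or exec().

```yaml
rules:
  # Positive Match: divide() must guard its divisor.
  # $A and $B are metavariables, so the student's actual parameter
  # names do not matter; $B is reused below so the guard must test
  # the divisor and not some unrelated value.
  - id: divide-handles-zero
    languages: [python]
    severity: WARNING
    message: divide() should handle a divisor of 0
    patterns:
      - pattern-inside: |
          def divide($A, $B):
              ...
      - pattern-either:
          - pattern: |
              if $B == 0:
                  ...
          - pattern: |
              if $B != 0:
                  ...
          - pattern: |
              try:
                  ...
              except ZeroDivisionError:
                  ...

  # Negative Match: fail the submission if eval() or exec() appears.
  # The ellipsis inside the call matches any argument list.
  - id: no-eval-or-exec
    languages: [python]
    severity: ERROR
    message: eval() and exec() are not allowed in this assignment
    pattern-either:
      - pattern: eval(...)
      - pattern: exec(...)
```

The first rule only reports whether a matching guard exists somewhere inside divide(); it does not prove the guard runs before the division, and a student can satisfy it with an unreachable if. Pair it with an I/O test that actually divides by zero. If you want to accept other spellings of the check, such as if not $B:, add them as further entries under pattern-either.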

The Student View & How They Benefit

If a student doesn’t implement the required function (e.g., add()), they will see an error message like this:

This forces students to pay attention to the specific concepts and code structures discussed in class, improving their coding skills and ensuring that they don’t just game the system.

When to Use Semgrep

Semgrep is ideal for assignments where you want to teach students about fundamental code structures. Some common use cases include:

  • Teaching function definitions and parameters.
  • Enforcing code style guidelines.
  • Preventing the use of advanced or incorrect techniques for beginner-level assignments.

For best results, combine Semgrep with other tests (like unit tests or I/O tests). A Code Structure test only checks whether a pattern is present or absent, so a student can satisfy the add() pattern above with a function that returns a constant without fulfilling the functional requirements.
