@rezen
Last active October 7, 2020 05:31
semgrep.yaml

rules:
  - id: curl_ssl_unverified
    patterns:
      - pattern-either:
          - pattern: |
              $ARG = $IS_VERIFIED;
              ...
              curl_setopt(..., CURLOPT_SSL_VERIFYPEER, $ARG);
          - pattern: curl_setopt(..., CURLOPT_SSL_VERIFYPEER, $IS_VERIFIED)
      - metavariable-regex:
          metavariable: $IS_VERIFIED
          regex: 0|false|null
    languages: [php]
    mode: search
    message: SSL verification is disabled but should not be (currently CURLOPT_SSL_VERIFYPEER = $IS_VERIFIED)
    severity: WARNING
  - id: strict_equal_md5
    patterns:
      - pattern-either:
          - pattern: $X == md5(...)
          - pattern: md5(...) == $X
    languages: [php]
    mode: search
    message: Make sure md5 checks are strict
    severity: WARNING
  - id: basic_xss
    patterns:
      - pattern-either:
          - pattern: $_GET[$KEY]
          - pattern: $_POST[$KEY]
      - pattern-inside: echo $X;
      - pattern-not-inside: htmlentities(...)
    languages: [php]
    mode: search
    message: Look for basic XSS
    severity: WARNING
curl_ssl_issue.php

<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://www.example.com/");
curl_setopt($ch, CURLOPT_HEADER, 0);
// This is caught
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$verify = false;
// ... but can I catch this?
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, $verify);
curl_exec($ch);
curl_close($ch);
md5("test") == "cats";
// echo $_GET['test'];
// Unsafe
echo "<label><input type='text'>" . $_GET['a'] . $_POST['b'] . "</label>";
// Mixed
echo "<label><input type='text'>" . htmlentities($_GET['c']) . htmlentities($_POST['d']) . "</label>";
// Safe
echo htmlentities($_GET['safe']);
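The remediated counterpart of the test file above, as an added example that is not part of the gist: each construct is rewritten so that the corresponding rule in semgrep.yaml stays silent. The URL is a placeholder, and `fetch_with_verified_tls`, `digest_matches` and `$expectedHex` are names chosen here, not from the gist.

```php
<?php
// Added example (not from the gist): the three flagged constructs in their
// remediated form. The endpoint is a placeholder.
declare(strict_types=1);

// curl_ssl_unverified: keep peer and host verification on. Both are the
// libcurl defaults, but setting them explicitly documents intent and does
// not regress when someone later routes the value through a $verify variable.
function fetch_with_verified_tls(string $url): string|false
{
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// strict_equal_md5: compare digests with hash_equals(), which is both strict
// (no loose "0e..." numeric-string coercion as with ==) and constant-time.
function digest_matches(string $data, string $expectedHex): bool
{
    return hash_equals($expectedHex, md5($data));
}

$body = fetch_with_verified_tls("https://www.example.com/"); // placeholder URL
if ($body === false) {
    exit("request failed");
}

// Constructed value for the comparison; in practice it comes from a trusted source.
$expectedHex = md5("test");
if (!digest_matches($body, $expectedHex)) {
    exit("digest mismatch");
}

// basic_xss: encode at the output sink. ENT_QUOTES covers attribute contexts
// (the original echoed raw input inside a single-quoted attribute); the
// untrusted value stays inside the htmlentities(...) call so the rule's
// pattern-not-inside clause recognises it as handled.
echo "<label><input type='text' value='"
    . htmlentities($_GET['a'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
    . htmlentities($_POST['b'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
    . "'></label>";
```

Running `semgrep -f semgrep.yaml` against this file should report nothing. Note that basic_xss is purely syntactic: it only recognises htmlentities(...) as a safe wrapper, so a project-local escaping helper would need to be added to the pattern-not-inside clause or it will be reported as a false positive.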
rezen commented Sep 22, 2020

Had success with

docker run --rm  \
   -v "${PWD}:/src" \
   returntocorp/semgrep:eef8a395ed5a2053e974e04176f3f04d80a7ef32 \
   -f semgrep.yaml curl_ssl_issue.php
