Introducing a tool to search through code for flaws where plain regexes fall flat and using Static Application Security Testing would be overkill.
Semgrep proclaims itself as:
"a tool for easily detecting and preventing bugs and anti-patterns in your codebase. It combines the convenience of grep with the correctness of syntactical and semantic search".
It isn't just a glorified grep, though. It occupies a space somewhere in between grep and a SAST tool - more expressive than grep, but not as hard to tweak and learn as a SAST.