We're excited to announce the public beta for Semgrep Code Search! The new feature is available to all users with a paid license for Semgrep Code, our developer-first SAST product. Try Code Search today to search for vulnerabilities and evaluate/iterate on rules at lightning speed.
Why testing and deploying SAST rules can be slow
Compared to other solutions, Semgrep rule syntax is easy to understand and write. That being said, it can still be time-consuming to write rules that you feel confident deploying to your organization - especially if your goal is to surface findings directly in the developer workflow.
Devs have a very low-tolerance for false positives, so one noisy rule can derail weeks of goodwill with an engineering team.
Without Code Search, to get feedback on a rule’s accuracy and effectiveness you need to either:
Download a bunch of repositories to test your rule locally
Deploy the rule in monitor mode (where developers won’t see findings) and wait for scans to run so you can parse the results
If you don't want to test rules locally (which is still very time consuming) you'll likely have to wait for the next nightly scan to run before you can analyze a rule's findings. Since rule-writing is a very iterative process, this is a huge bottleneck!
Additionally, rule-writing is not a task where you can easily context-switch - having to wait for a scan before iterating on a rule almost guarantees that the writer is going to be sidetracked by one of the 100 other things on the average AppSec person's plate.
Code Search: write rules faster and deploy with more confidence
With Code Search you can quickly run a rule across all of your organization’s repos in seconds, letting you quickly analyze the results to evaluate or iterate on a rule. You can also run Code Search on public Github repos (we plan to support other SCMs in the future).
Rules that have been tested across your codebase using Code Search can be quickly promoted out of monitor and into comment or blocking mode (where developers see findings in PR comments or ticketing tools). This is critical for short-staffed security teams looking to scale their impact across a fleet of developers.
TL;DR: Code Search shortens the rule writing (or rule evaluation) feedback loop from days to seconds, allowing you to rapidly analyze and iterate on a rule so you can feel confident that the false positive rate will be low enough to provide value to your devs.
Finding vulnerabilities with Code Search
One of our customers recently received a critical submission to their bug bounty program. They were able to generalize the submission and write a custom Semgrep rule for variant analysis - with Code Search, they were able to identify additional unreported instances of the vulnerability, ultimately saving over $15,000 in future bug bounty costs.
They were also able to start remediating the additional vulnerabilities sooner, which helped protect their users. Semgrep Code Search can scan hundreds of repos in a matter of seconds – so you can hunt for vulns at ludicrous speeds and then deploy rules that prevent the vuln from occurring again.
Code Search showing all findings for a Semgrep rule across multiple repos
How does it work? What makes it so fast?
Code Search is powered by AWS Lambda. When a new search is started, we spin up a Lambda for each repository. With this horizontal scaling, scanning five similarly-sized repos takes about the same amount of time as scanning one repo since everything is happening in parallel.
We return results incrementally so that you can see results for smaller repos while you wait for the results from larger repos. We’ve also done a lot of optimizations with the repo cloning and scanning process so that we’re not wasting time on unnecessary files.
Once the scanning process is done, the Lambda is deleted along with the cloned code.
Let us know what you think!
We’ve built Code Search with a few use-cases in mind, but the tool is so flexible that we know customers will come up with creative ways to get value out of it.
We’d love to hear about how you’re using Code Search, what you love about it, and what you find frustrating. We’ve included an easily accessible feedback button in the Code Search UI to make sharing your thoughts as seamless as possible:
Try Semgrep Code Search today to quickly write new rules and hunt for vulnerabilities at scale!
About
Semgrep lets security teams partner with developers and shift left organically, without introducing friction. Semgrep gives security teams confidence that they are only surfacing true, actionable issues to developers, and makes it easy for developers to fix these issues in their existing environments.
