DEF CON 27 workshop on finding vulnerabilities at scale

Material from our DEF CON workshop on finding vulnerabilities at ecosystem-scale
semgrep placeholder image

A few weeks ago we hosted our first DEF CON workshop. We’re grateful we had the opportunity to share some of our work with a packed room, and we learned a lot from the experience.

<script async src="" charset="utf-8"></script>

We realize many people didn’t have the chance to attend DEF CON, so we’re sharing the workshop content here as well.

While some of the large-scale infrastructure was created for the workshop and has since been turned off, you should be able to follow the slides and run most of the exercises. And if you want to keep going beyond the guided instructions, let us know and we’ll give you access to our beta platform, where you can continue to hack away.

Here’s the agenda presented at the workshop so you can get an idea of the content:

  • What is program analysis?

  • Current tools available to analyze source

  • Writing your first program analysis

  • Writing a program analysis that actually looks for something interesting

  • Complex analysis and refining the analysis true positive / false positive

A few notes about the exercises:

  • Ignore the VM instructions if you’re using a Mac — the VM was specifically for Linux and Windows users during the workshop

  • If you need additional help, email us at

We really enjoyed the workshop, but don’t worry, we had lots of fun outside the workshop, too:


Semgrep Logo

Semgrep is a fast, open-source, code scanning tool for finding bugs, detecting dependency vulnerabilities, and enforcing code standards.

Code scanning at ludicrous speed

Find bugs and enforce code standards