Hey, I'm a Security Engineer at Red Canary, and a guest author here. I'm interested in all things automated program analysis. Fuzzing, static analysis, dynamic analysis, you name it. In short, making the computer sweat, so you don't have to.
Rust is on a meteoric rise within the tech community. It was voted "Most Loved" programming language for the 7th year in a row in the 2022 Stack Overflow Developer Survey. In fact, just this morning I was reading another article evangelizing Rust: How Rust went from a side project to the world’s most-loved programming language. Rust is also beginning to see adoption in the enterprise space. Red Canary, my employer, has forgone C and all its security baggage, and instead chosen Rust for implementing our Linux EDR sensor.
Now, Rust is not a panacea. It can still have security bugs. To that end, we use Semgrep to help ensure our Rust code is secure on every commit. As a big believer in open source, we also saw an opportunity to contribute back to the community and work with r2c to improve Semgrep's Rust support to beta. For that, I thank Red Canary for giving me the time to contribute the first Rust rules to the Semgrep community. That was the easy part. I'd also like to give a shout out to the one, the only, Yoann Padioleau for improving Semgrep's parsing and feature support for Rust.
So, go ahead, find all those unsafe blocks and air out those skeletons in the closet:
Semgrep’s Rust beta support was released in v1.10.0. To scan your Rust code:
On the command line, upgrade to Semgrep v1.10.0 or higher (often using
brew upgrade semgrep or
pip install --upgrade semgrep) and scan your Rust code with
semgrep --config=auto or
Semgrep is a fast, open-source, code scanning tool for finding bugs, detecting dependency vulnerabilities, and enforcing code standards.