Hi, I'm Romain Jufer, the CSO of AVNU and a guest author on this blog. I'm thrilled to announce that we've added experimental support for Cairo 1.0 in Semgrep.
Cairo 1.0 is a programming language used to write provable computer programs and it is used to develop smart contracts on Starknet, a Layer-2 blockchain. With this added support, Cairo becomes the second blockchain programming language supported by Semgrep, the first one being Solidity. Semgrep also supports more than 30 other languages!
Software security is of utmost importance when developing smart contracts, as almost all of them are mission-critical. In recent years, we've seen a large number of attacks on these contracts, which translated into billions of dollars in funds lost and companies' reputations being severely damaged. Unfortunately, as with every new technology, we are missing the tools necessary to properly analyze the code of these smart contracts and identify the potential flaws before they reach production.
I personally come from the cybersecurity industry, having worked for a few years at Kudelski Security. During these years, Semgrep was always integral to our development workflow, allowing us to have a high level of confidence in the code written. It helped us identify issues and proactively remediate them. On top of that, the flexibility given to us (engineers) to easily parameterize the tool through language-agnostic rules made it even more powerful as we could easily fine-tune our SAST pipelines by creating business and context-aware rules that perfectly reflected our needs.
As a result, it was clear that we had to have Semgrep available in our toolbox when developing in Cairo 1.0, as it would be a game-changer for developing robust and secure smart contracts. Additionally, the fact that rules can be created and modified easily by anyone makes it a perfect tool for a community-centric blockchain such as Starknet.
While this first version already supports several Semgrep constructs, like ellipsis and metavariables, there is still a long path ahead of us to improve the support of the language and to ensure that Semgrep becomes part of every Starknet developer's toolbox. To that end, we are working closely with StarkWare to validate the tree-sitter grammar for Cairo 1.0, and we are also working with the community to create the first ruleset for Cairo 1.0. So, if you're interested in making that journey with us, please reach out, and in the meantime have fun finding flaws in your contracts!
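To show what the two constructs mentioned above look like against Cairo 1.0 code, here is an added example rule. It is not part of the original post, of Semgrep's shipped rules, or of the community ruleset in progress: the rule id and message are mine, the Cairo snippet in the comments is constructed, and the rule assumes the experimental `cairo` language key parses method-call expressions such as `value.unwrap()` the way Semgrep's other languages do. The metavariable `$OPT` binds the receiver of the call, and the ellipsis inside the `if` block lets the guard clause contain any number of statements.

```yaml
# Hypothetical rule file, e.g. cairo-option-unwrap.yaml (not an official Semgrep rule).
rules:
  - id: cairo-option-unwrap            # hypothetical id
    languages: [cairo]                 # experimental language key (assumption)
    severity: WARNING
    message: >-
      `$OPT.unwrap()` panics when `$OPT` is `Option::None`. Handle the `None`
      case explicitly with `match`, or guard the call so the failure mode of
      the contract is intentional and documented.
    patterns:
      # $OPT is a metavariable: it matches any expression used as the receiver.
      - pattern: $OPT.unwrap()
      # The ellipsis stands for any number of statements, so a guarded call
      # anywhere inside the `if` body is excluded from the finding.
      - pattern-not-inside: |
          if $OPT.is_some() {
            ...
          }

# Constructed Cairo 1.0 target (not from the post) illustrating the behaviour:
#
#   fn pick(value: Option<felt252>) -> felt252 {
#       value.unwrap()                       // flagged: panics on None
#   }
#
#   fn pick_checked(value: Option<felt252>) -> felt252 {
#       if value.is_some() {
#           value.unwrap()                   // not flagged: guarded
#       } else {
#           0
#       }
#   }
```

Running it is the same as for any other language: `semgrep --config cairo-option-unwrap.yaml src/`. Because Cairo support is experimental, it is worth checking the rule against a small file like the one in the comments before relying on it in a CI pipeline, so that a parse gap in the tree-sitter grammar does not silently turn into zero findings.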
Finally, I would like to thank the Semgrep team and, more specifically, Yoann Padioleau, without whom this integration would not have been possible. His support has been invaluable during the whole process, making it seamless and easy, and it has been a pleasure to add Cairo 1.0 to this amazing tool.
For questions and more information about Cairo support for Semgrep, please join the Semgrep Community Slack!