Semgrep Blog Feed https://semgrep.dev We're a startup passionate about improving software security and reliability. en-us 2024-12-11T21:29:59+00:00 <![CDATA[A day in the life: Supply Chain Security Researcher]]> https://semgrep.dev/blog/a-day-in-the-life-supply-chain-security-researcher This will give a glimpse into what it is like to be a Security Researcher on the Semgrep Supply Chain Security Research team! We walk through the steps that we take to understand a vulnerability and write a Semgrep rule to provide the best possible coverage for our customers. We evaluate vulnerabilities affecting open source software packages and maintain and build tooling to enable our research. Special shout-out to Diptendu, Max, and Kyle for contributing and sharing their expertise and experience. <![CDATA[A deep dive into Semgrep Supply Chain]]> https://semgrep.dev/blog/a-deep-dive-into-semgrep-supply-chain A technical deep dive into the nuts and bolts of Semgrep Supply Chain <![CDATA[Announcing AI-assisted remediation guidance on every PR]]> https://semgrep.dev/blog/ai-assisted-remediation Semgrep Assistant now offers high quality, step-by-step remediation guidance to developers on almost every true positive finding, resulting in a 15% reduction in median time-to-resolution. <![CDATA[Announcing C# alpha support]]> https://semgrep.dev/blog/announcing-csharp-alpha-support Semgrep v0.52.0 includes alpha C# support <![CDATA[Announcing general availability of C#]]> https://semgrep.dev/blog/announcing-csharp-ga C# parse rate is now over 99% <![CDATA[Announcing Kotlin Reachability: Expanding the reach of Semgrep’s reachability]]> https://semgrep.dev/blog/announcing-kotlin-reachability We’re excited to announce an exciting new feature in Semgrep’s software composition analysis (SCA) tool—Kotlin reachability. 
<![CDATA[Announcing Semgrep's general availability support of PHP]]> https://semgrep.dev/blog/announcing-php-ga-support Semgrep adds PHP support including 40+ new rules <![CDATA[Announcing Ruby GA support]]> https://semgrep.dev/blog/announcing-ruby-ga-support Semgrep v0.35.0 includes GA Ruby support <![CDATA[Announcing Semgrep Code: SAST designed and built for engineers]]> https://semgrep.dev/blog/announcing-semgrep-code Semgrep Code enables security teams to leverage the Semgrep Pro Engine and Pro rules to surface highly actionable vulnerabilities directly to developers. <![CDATA[Announcing Semgrep Code Search (public beta)]]> https://semgrep.dev/blog/announcing-semgrep-code-search-public-beta Semgrep Code Search lets users run a single rule across hundreds of code repositories in seconds, highlighting all instances of matching code. Code Search's instant feedback gives users superpowers when it comes to rule evaluation, rule writing, and vulnerability hunting. <![CDATA[Announcing Semgrep’s beta support for Rust]]> https://semgrep.dev/blog/announcing-semgrep-s-beta-support-for-rust Programming language, or cult following? <![CDATA[Announcing Semgrep’s experimental support for Julia]]> https://semgrep.dev/blog/announcing-semgrep-s-experimental-support-for-julia Semgrep adds experimental support for the Julia programming language <![CDATA[Announcing Semgrep's experimental support of Swift]]> https://semgrep.dev/blog/announcing-swift-exp-support Try your hand at writing Semgrep rules for Swift <![CDATA[Appsec Development: Keeping it all together at scale]]> https://semgrep.dev/blog/appsec-development-keeping-it-all-together-at-scale Hard-won lessons from scaling security programs <![CDATA[AppSec guides, not gates: Introducing secure guardrails with Semgrep]]> https://semgrep.dev/blog/appsec-guides-not-gates-introducing-secure-guardrails-with-semgrep "Shift left" was popular, but has largely failed to deliver on its promises. 
For too many teams, it was a way to take the same old security tools and point the firehose of issues at developers. What have successful teams done to reduce their massive vulnerabilities backlog? They’ve rolled out secure guardrails. <![CDATA[10x your AppSec program with Semgrep Assistant]]> https://semgrep.dev/blog/assistant-ga-launch Assistant helps both AppSec engineers and developers make the correct decisions faster, with far less cognitive load required. This means users only spend their time and "analysis bandwidth" on issues that actually warrant the attention. <![CDATA[AI & Cybersecurity: Learnings from three months of Semgrep Assistant]]> https://semgrep.dev/blog/assistant-public-beta Semgrep Assistant helps application security teams by using AI to identify potential false positives and suggest code updates to fix bugs. We reviewed the data from our private beta, such as 95% positive feedback on Assistant's suggestions, and decided to graduate it to public beta today. In this blog post, we discuss this data and also share our learnings from the past three months about building with GPT-4. 
<![CDATA[Powerfully autofixing code with Semgrep's new AST-based approach]]> https://semgrep.dev/blog/autofixing-code-with-semgrep Improve correctness using Semgrep's AST-based autofix <![CDATA[Bay Area OWASP Meetup presentation]]> https://semgrep.dev/blog/bay-area-owasp-meetup-presentation Video from the Bay Area OWASP Meetup on May 21 <![CDATA[Be careful what you request for]]> https://semgrep.dev/blog/be-careful-what-you-request-for-django-method Injection using the HTTP verb in Django <![CDATA[Bento 0.8: Updated workflows and new specialty checks]]> https://semgrep.dev/blog/bento-08-released-with-updated-workflows-and-new-specialty-checks Changes to Bento’s default behavior integrate it more smoothly into your workflow <![CDATA[Bento 0.9: Checks for a high-severity Python vulnerability and Jinja templates]]> https://semgrep.dev/blog/bento-09-released-with-checks-for-python-vulnerability-and-jinja Catch a high-severity Python vuln and new checks for Jinja templates <![CDATA[Bento check: Catch catastrophic backtracking ReDoS bugs]]> https://semgrep.dev/blog/bento-check-catch-catastrophic-backtracking-redos-bugs Find severe regular expression denial-of-service bugs in Python using Bento <![CDATA[Bento check: keeping your cookies safe in Flask]]> https://semgrep.dev/blog/bento-check-keeping-cookies-safe-in-flask Ensure cookie settings are set securely in Flask <![CDATA[Bringing more Semgrep capabilities to BitBucket and Azure DevOps]]> https://semgrep.dev/blog/bringing-more-semgrep-capabilities-to-bitbucket-and-azure-devops We’re excited to announce the expansion of Semgrep's capabilities to include Atlassian BitBucket Cloud, BitBucket Data Center, and Microsoft Azure DevOps in our suite of supported source code management tools (SCMs). 
<![CDATA[Bringing Semgrep Managed Scanning to GitLab: automated code scanning at scale]]> https://semgrep.dev/blog/bringing-semgrep-managed-scanning-to-gitlab-automated-code-scanning-at-scale Following the success of Semgrep Managed Scanning on GitHub, which runs Semgrep without any manual, per-repo CI/CD configuration, we are excited to announce the same seamless experience is now available to GitLab users. <![CDATA[BSides Las Vegas: the power of guardrails]]> https://semgrep.dev/blog/bsides-las-vegas-power-of-guardrails Research on guardrails and how to slash the risk of XSS in half <![CDATA[Building an enterprise-ready, scalable security program using Semgrep]]> https://semgrep.dev/blog/building-enterprise-ready-scalable-program See how organizations use Semgrep at scale in production <![CDATA[Building security champions]]> https://semgrep.dev/blog/building-security-champions There is a severe shortage of trained and experienced people who are capable of securing the systems that we must protect. Application security engineers, DevSecOps professionals, security architects, you name it, there's a shortage. <![CDATA[Announcing Semgrep Supply Chain’s beta support for C#]]> https://semgrep.dev/blog/c-sharp-beta-support-ssc Semgrep Supply Chain (Semgrep’s SCA product) can now find reachable vulnerabilities in C# dependencies. Along with C#, we also added lockfile-only support for PHP. Semgrep Supply Chain now supports C#, Go, Java, JavaScript, PHP, Python, Rust, and Ruby. <![CDATA[Choosing a static analysis tool]]> https://semgrep.dev/blog/choosing-a-static-analysis-tool There is no one tool that is perfect for every organization, and if you have the wrong one it can create friction, delays, frustration, and lack of adoption. I use the questions below to help create a set of requirements for clients, and then they go shopping! 
<![CDATA[Choosing API Security Tools]]> https://semgrep.dev/blog/choosing-api-security-tools Quite often clients ask me “Which API Security Tool should I buy?”, and as you might have guessed I answer “It depends”, then proceed to ask them a dozen questions. Recently I asked a colleague at Semgrep if they felt this process might be of value to my readers, and he said “Absolutely!” and here we are with a new blog post.  <![CDATA[CocoaPods vulnerabilities highlight risks in dependency managers]]> https://semgrep.dev/blog/cocoapods-vulnerabilities-highlight-risks-in-dependency-managers Three critical vulnerabilities have been disclosed for the CocoaPods dependency manager. These vulnerabilities exposed more than 3 million iOS and macOS apps to supply chain attacks between 2014 and 2023, allowing attackers to hijack pods (software packages), execute code, and gain session tokens. <![CDATA[Conclusion: Security Champions]]> https://semgrep.dev/blog/conclusion-security-champions In the previous article we talked about Metrics, and in this article, I will conclude this series on Building Security Champions. A few more tips: Start by defining the focus of your program and what is expected from champions. Be realistic; you can only expect 1-4 hours maximum effort from them per week. <![CDATA[Continuous learning]]> https://semgrep.dev/blog/continuous-learning <![CDATA[Much ado about cURL]]> https://semgrep.dev/blog/curl-vulnerability cURL is releasing version 8.4.0 on Wednesday, October 11th, 2023 to patch a high-severity issue that is “the worst cURL vulnerability in a while” for both the CLI application and the <![CDATA[Announcing custom rules for Semgrep Secrets]]> https://semgrep.dev/blog/custom-rules-for-semgrep-secrets Customers can now write their own rules for Semgrep Secrets! 
These rules can <![CDATA[You do not need to do DAST in a pipeline to do DevSecOps]]> https://semgrep.dev/blog/dast-devsecops In this blog post, Tanya goes through different types of DAST and penetration testing tools. The post also explains why DAST is not needed in your pipeline and encourages a tailored approach that fits an organization's unique needs rather than blindly following industry trends. <![CDATA[Demystifying Taint Mode]]> https://semgrep.dev/blog/demystifying-taint-mode A user-friendly guide to writing rules with Semgrep's taint mode <![CDATA[Expanding Semgrep Supply Chain into Dependency Intelligence and License Compliance]]> https://semgrep.dev/blog/dependency-search-and-license-compliance With Semgrep Supply Chain, you can now mitigate supply chain vulnerabilities before a CVE even drops with Dependency Search and enforce your organization's license policies on pull requests with License Compliance. <![CDATA[Developer-focused results and improved coverage with Semgrep Pro rules]]> https://semgrep.dev/blog/developer-focused-results-and-improved-coverage-with-semgrep-pro-rules Semgrep Pro rules are high confidence SAST rules that leverage the latest Semgrep features, and are designed to produce actionable results that can be surfaced directly to developers for vulnerability remediation. <![CDATA[DevSecOps worst practices – the series]]> https://semgrep.dev/blog/devsecops-worst-practices-the-series Quite often when we read best practices we are told ‘what’ to do, but not the ‘why’. When we are told to ensure there are no false positives in the pipeline, the reason seems obvious, but not every part of DevOps is that intuitive, and not all ‘best practices’ make sense on first blush. Let’s explore tried, tested, and failed methods, so we can avoid these DevSecOps WORST practices. 
<![CDATA[The indomitable maintainer spirit versus the indifferent cruelty of JavaScript]]> https://semgrep.dev/blog/discontinuation-of-node-vm2 The recent discontinuation of the JavaScript code virtualization tool “vm2” sounds the alarm for under-maintained open source packages. This post discusses the factors that led to its discontinuation and what can be done to save “isolated-vm”, the best alternative to vm2 currently, from suffering the same fate. <![CDATA[Does your LLM thing work? (& how we use promptfoo)]]> https://semgrep.dev/blog/does-your-llm-thing-work-how-we-use-promptfoo client.chat.completions.create <![CDATA[🤫 Don't leak your secrets]]> https://semgrep.dev/blog/dont-leak-your-secrets A new Semgrep ruleset to detect leaked secrets <![CDATA[Easily create custom SAST guardrails with human language and Semgrep Assistant (AI)]]> https://semgrep.dev/blog/easily-create-custom-sast-guardrails-with-human-language-and-semgrep-assistant-ai Tell Semgrep Assistant about any organizational coding standards or best practices you want developers to implement - generated guidance will take this into account! <![CDATA[Efficient Dependency Management: Leveraging Manifest Files, Lockfiles, and SemVer Specifications]]> https://semgrep.dev/blog/efficient-dependency-management In this blog post, Kyle Kelly, Semgrep Security Researcher, delves into how practitioners can efficiently manage dependency versions by utilizing manifest files, lockfiles, and SemVer specifications. <![CDATA[Engage your champions]]> https://semgrep.dev/blog/engage-your-champions In this article, we discuss how to get security champions revved up about security once you have found them. <![CDATA[Exploit exploitability: prioritize supply chain findings with EPSS]]> https://semgrep.dev/blog/epss-and-supply-chain EPSS is a powerful prioritization mechanism: when combined with Semgrep’s dataflow reachability analysis, EPSS enables you to deprioritize 99% of findings and focus on the 1% that matter most. 
<![CDATA[Experimental feature: generic pattern matching]]> https://semgrep.dev/blog/experimental-feature-generic-pattern-matching Match code patterns in configuration files, structured data, and more <![CDATA[Exploiting dynamic rendering engines to take control of web apps]]> https://semgrep.dev/blog/exploiting-dynamic-rendering-engines-to-take-control-of-web-apps Leveraging weaknesses in Rendertron and other headless renderers <![CDATA[Finding Python ReDoS bugs at scale using Dlint and r2c]]> https://semgrep.dev/blog/finding-python-redos-bugs-at-scale-using-dlint-and-r2c Automating regular expression denial-of-service detection <![CDATA[Fix today’s vulnerabilities and prevent tomorrow’s with secure guardrails]]> https://semgrep.dev/blog/fix-today-s-vulnerabilities-and-prevent-tomorrow-s-with-secure-guardrails This post illustrates some of the technical aspects of secure guardrails and the characteristics we think are essential to successfully integrating them into an AppSec program. Spoiler alert: the developer experience (DevX) is paramount. 
<![CDATA[Fixing leaky logs: how to find a bug and ensure it never returns]]> https://semgrep.dev/blog/fixing-leaky-logs-how-to-find-a-bug-and-ensure-it-never-returns Enabling developers to rapidly solve security issues <![CDATA[Flask check: send_file() with a file handle]]> https://semgrep.dev/blog/flask-check-send-file Bento check to detect if send_file() will throw an exception <![CDATA[r2c named Disruptive Innovator by Forbes]]> https://semgrep.dev/blog/forbes-cybersecurity-awards-2020 Forbes’ inaugural Cybersecurity Awards <![CDATA[Four levels of maturity that bridge the AppSec / engineering divide]]> https://semgrep.dev/blog/four-levels-of-maturity-that-bridge-the-app-sec-engineering-divide Practical ways to bridge the gap between AppSec and development <![CDATA[The future of AppSec and why I joined r2c]]> https://semgrep.dev/blog/future-of-appsec-why-r2c Why I’m betting on r2c and where I think application security is headed <![CDATA[Announcing Semgrep’s support for Go in Pro Engine]]> https://semgrep.dev/blog/golang-in-pro-engine We’re adding support for Go in our Pro Engine with 50+ new Go rules covering several popular Go frameworks! <![CDATA[We put GPT-4 in Semgrep to point out false positives & fix code]]> https://semgrep.dev/blog/gpt4-and-semgrep-detailed Semgrep is a code search tool many use for security scanning (SAST). We added GPT-4 to our cloud service to ask which Semgrep findings matter before we notify developers, and on our internal projects, it seemed to reason well about this task. We also tried to have it automatically fix these findings, and its output is often correct. 
<![CDATA[HackerOne partners with Semgrep to combine expert code review with powerful automation]]> https://semgrep.dev/blog/hackerone-partners-with-semgrep Accessing automated code security testing with added support from expert code reviewers <![CDATA[Hardcoded secrets, unverified tokens, and other common JWT mistakes]]> https://semgrep.dev/blog/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes Examining 2,000+ npm modules for common mistakes when using JWT <![CDATA[Semgrep at Hella Secure HellaConf 2020]]> https://semgrep.dev/blog/hellasecure-hellaconf-2020-semgrep-presentation Video from Hella Secure’s virtual AppSec conference, HellaConf <![CDATA[Help us rename Semgrep OSS!]]> https://semgrep.dev/blog/help-us-rename-semgrep-oss We're exploring new names for Semgrep OSS and we want the community's input - please fill out the linked survey by November 15th, and read on for context/motivation. As a token of appreciation, those that fill out the survey will be entered to win a pair of AirPods Max! <![CDATA[Driving enterprise adoption of AI code security with Semgrep Assistant]]> https://semgrep.dev/blog/how-semgrep-assistant-is-driving-enterprise-adoption-of-ai-code-security Semgrep Assistant saves developers and security engineers tens of thousands of hours annually. Learn why Assistant is so valuable, and how its design ensures compliance with the data privacy standards of large, security-forward organizations. 
<![CDATA[How to prevent HTML email injection in Python web apps]]> https://semgrep.dev/blog/how-to-prevent-html-email-injection-in-python-web-apps Avoid accidental HTML injection when sending emails from an application <![CDATA[How we made Semgrep rules run on Semgrep rules]]> https://semgrep.dev/blog/how-we-made-semgrep-rules-run-on-semgrep-rules Semgrep now has alpha support for YAML <![CDATA[How we resolved the ‘HTTP request failed: timeout’ issue in OCaml]]> https://semgrep.dev/blog/http-request-failed-timeout-issue-in-ocaml Happy Eyeballs is an algorithm published by the <![CDATA[Enhancing developer happiness: The impact of identifying code-specific issues]]> https://semgrep.dev/blog/impact-of-identifying-code-specific-issues This blog post highlights the limitations of traditional security testing (SAST) tools and introduces why customizing rules enhances the relevancy, usability, and integration of security tools into the developer's workflow. The post explores various ways to customize rules, including through APIs, custom languages, and formatting languages, to improve the accuracy and trustworthiness of security feedback for developers. <![CDATA[Improving ReDoS detection and finding more bugs using Dlint and r2c]]> https://semgrep.dev/blog/improving-redos-detection-with-dlint-and-r2c Improving regular expression denial-of-service detection <![CDATA[Security scanning with Semgrep in CI]]> https://semgrep.dev/blog/integrating-semgrep-with-ci Integrating security scans into GitHub, GitLab, CircleCI, and other CI providers <![CDATA[My Very, Very, VERY HONEST Internship Experience @ Semgrep]]> https://semgrep.dev/blog/internship-charissa I interned at Semgrep, an application security company. This blog post is about how my Semgrep internship debunked startup stereotypes, offering balance and rich learning experiences. It reshaped my perspective, leaving me eager for a future in the dynamic field of cybersecurity. 
<![CDATA[Introducing DeepSemgrep]]> https://semgrep.dev/blog/introducing-deepsemgrep DeepSemgrep is a proprietary extension to Semgrep that allows inter-file analysis to help reduce false positives and negatives <![CDATA[Introducing Semgrep Academy: the door to cyber security for everyone]]> https://semgrep.dev/blog/introducing-semgrep-academy It’s been my dream to share all of my content and knowledge for free, ever since I started learning about AppSec. I was so excited by what I learned, and wanted to tell everyone who would listen. When I started We Hack Purple, I had to charge for content, because it was a business and I had bills to pay. But now, <![CDATA[Introducing Semgrep and r2c]]> https://semgrep.dev/blog/introducing-semgrep-and-r2c Announcing r2c's funding and Semgrep.dev <![CDATA[Introducing Semgrep for GitLab]]> https://semgrep.dev/blog/introducing-semgrep-for-gitlab Semgrep now has 1st-class integration into GitLab <![CDATA[Go beyond regex: introducing Semgrep Secrets]]> https://semgrep.dev/blog/introducing-semgrep-secrets Tl;dr: We’re excited to launch Semgrep Secrets in Public Beta, the only secrets detection product that uses Semantic Analysis, improved entropy analysis, and validation for detecting secrets with high precision in developer workflows. <![CDATA[It's time to ignore 98% of dependency alerts. Introducing Semgrep Supply Chain.]]> https://semgrep.dev/blog/introducing-semgrep-supply-chain Based on the Semgrep engine, Semgrep Supply Chain finds reachable vulnerable dependencies in your code <![CDATA[Introducing Semgrep’s Community-Oriented Twitter Account]]> https://semgrep.dev/blog/introducing-semgreps-community-oriented-twitter-account The Semgrep Community team has some exciting news to share! We’re shaking things up in the best way possible, because we want to give you the power to choose the content on your Twitter feed. That’s right, we’re introducing two Twitter accounts - Semgrep and Semgrep Community. 
<![CDATA[JavaScript static analysis comparison: ESLint vs Semgrep]]> https://semgrep.dev/blog/javascript-static-analysis-comparison-eslint-semgrep A deep dive tool comparison <![CDATA[Jenkins Meetup]]> https://semgrep.dev/blog/jenkins-meetup-an-open-source-security-scanner-for-most-languages Integrating open source static analysis into Jenkins jobs <![CDATA[Keep your rules simple with symbolic propagation]]> https://semgrep.dev/blog/keep-your-rules-simple-with-symbolic-propagation Symbolic propagation is an experimental feature that enables Semgrep to perform matching modulo variable assignments, so you can keep rules simple but powerful. <![CDATA[The journey of a language from experimental to GA in Semgrep]]> https://semgrep.dev/blog/kotlin-ga We improved Semgrep’s support to Generally Available (GA) for Kotlin by improving the parse rate and adding support for <![CDATA[Semgrep Quarterly Launch: scaling your AppSec impact just got easier]]> https://semgrep.dev/blog/may-quarterly-launch This quarter we've shipped a variety of features that make the Semgrep AppSec Platform easier to manage and scale across an organization - even for an AppSec team of one. Features include managed scanning (scan in our cloud), project-level access controls (RBAC), and a UI refresh for Semgrep Supply Chain. <![CDATA[Semgrep Code brings modern static analysis to C/C++]]> https://semgrep.dev/blog/modernizing-static-analysis-for-c Both languages are notoriously difficult for SAST tools to analyze accurately and quickly, but our Pro Engine is uniquely capable of handling the challenge. 
<![CDATA[New, high-signal rules for the JavaScript ecosystem]]> https://semgrep.dev/blog/new-high-signal-rules-for-the-javascript-ecosystem Updates for Node, Express, and other JavaScript rules <![CDATA[New insight into backlogs, developer engagement, and security posture]]> https://semgrep.dev/blog/new-insight-into-backlogs-developer-engagement-and-security-posture Semgrep’s revamped reporting capabilities bring increased levels of clarity to your production backlog, developer engagement levels, and overall security posture. <![CDATA[Write custom rules with the new Playground]]> https://semgrep.dev/blog/new-playground Use the new Playground to make rule-writing simple, fast, and flexible <![CDATA[Not just another Jira integration]]> https://semgrep.dev/blog/not-just-another-jira-integration For security teams that rely on Jira, work just got a whole lot easier (for both security folks and the developers they partner with). Our revamped integration embeds tailored, AI-powered remediation guidance directly in tickets, alongside all of the information and context developers need to take action right away. <![CDATA[Semgrep Fall '23 Launch: improved coverage + enterprise fit]]> https://semgrep.dev/blog/november-quarterly-update After launching our third product - Semgrep Secrets - just last month, we have expanded coverage for our SAST and SCA products (C# support is here!), and have shipped new features like SBOM exports, support for IntelliJ IDE products, and Semgrep Assistant for GitLab! 
<![CDATA[Our quest to make world-class security and bugfinding available to all developers, for free]]> https://semgrep.dev/blog/our-quest-to-make-world-class-security-and-bugfinding-available-to-all-developers Introducing Bento, a free and opinionated toolkit for easily adopting linters and program analysis in a codebase <![CDATA[(Over)Communication with your security champions]]> https://semgrep.dev/blog/overcommunication-with-your-security-champions As mentioned in the previous article (Recognizing and rewarding your security champions), the most common reason for failure of a security champions program is the security team losing steam, and/or the champions losing interest. In this article, we will discuss a few ways to avoid this. The best way? Communication. <![CDATA[Overrated and underperforming: transitive reachability analysis]]> https://semgrep.dev/blog/overrated-and-underperforming-transitive-reachability-analysis Due to complex dependency layers and static analysis limitations, transitive reachability analysis struggles to deliver actionable insights. <![CDATA[Using Bento individually and on team projects]]> https://semgrep.dev/blog/personal-and-team-use-in-bento-08 Our learnings from user feedback and how to use Bento individually and on teams <![CDATA[ Preventing secrets in code]]> https://semgrep.dev/blog/preventing-secrets-in-code In this blog post, I cover what we mean by secrets in application security, how to find secrets in your code, and how to prevent secrets from being leaked in your code. 
<![CDATA[Preventing SQL injection: a Django author's perspective]]> https://semgrep.dev/blog/preventing-sql-injection-a-django-authors-perspective The creator of Django on preventing SQL injection <![CDATA[Guardrails for PromQL using Semgrep]]> https://semgrep.dev/blog/promql-and-semgrep In this blog post, our rockstar community member and contributor, Michael Hoffman, shares information on how to make alerting and recording rules more reliable and consistent for PromQL using <![CDATA[Protect your code from the Polyfill supply chain attack]]> https://semgrep.dev/blog/protect-your-code-from-the-polyfill-supply-chain-attack Over 100k websites use a CDN service, polyfill.io, that was delivering malicious JavaScript code. Check to see if your source code is affected by using Semgrep code search to detect its presence. <![CDATA[Protect Your GitHub Actions with Semgrep]]> https://semgrep.dev/blog/protect-your-github-actions-with-semgrep Semgrep rules for GitHub Actions <![CDATA[Python static analysis comparison: Bandit vs Semgrep]]> https://semgrep.dev/blog/python-static-analysis-comparison-bandit-semgrep A deep dive tool comparison <![CDATA[My experience interning at r2c]]> https://semgrep.dev/blog/r2c-internship-vivek Vivek's experience interning at r2c <![CDATA[r2c meetup on writing Semgrep rules]]> https://semgrep.dev/blog/r2c-meetup-writing-semgrep-rules-august-2020 Video from meetup hosted on August 26th <![CDATA[r2c's Series B funding]]> https://semgrep.dev/blog/r2c-series-b-funding Announcing new funding and our partnership with GitLab <![CDATA[DEF CON 27 workshop on finding vulnerabilities at scale]]> https://semgrep.dev/blog/r2c-workshop-at-defcon-27-finding-vulnerabilities Material from our DEF CON workshop on finding vulnerabilities at ecosystem-scale <![CDATA[Rapidly deploy code scans across your organization with Semgrep managed scanning]]> https://semgrep.dev/blog/rapidly-deploy-code-scans-with-semgrep-managed-scanning You can now roll out Semgrep at 
ludicrous speed without any manual, per-repo CI/CD configuration. Whether you have one repo or thousands of repos, It Just Works. <![CDATA[Recognizing and rewarding security champions]]> https://semgrep.dev/blog/recognizing-rewarding-security-champions If you've ever read the book The 5 Love Languages, or articles summarizing the 5 love languages, then you are aware that there are predictable patterns of how people respond to various acts of kindness. Someone's “love language” is the specific type of kindness that they are most affected by. <![CDATA[Recruiting security champions]]> https://semgrep.dev/blog/recruiting-security-champions In the previous article, ‘Building Security Champions', we covered what champions are, why you need them, and our plan to make an amazing program. The #1 most important rule of recruiting security champions is that you must attract them. <![CDATA[Redefining security coverage for Python with framework-native analysis]]> https://semgrep.dev/blog/redefining-security-coverage-for-python-with-framework-native-analysis We’ve supercharged Semgrep Code’s Python support with new, framework-specific analysis capabilities. The engine now tracks implicit data flows in popular frameworks like Django, FastAPI, and Flask, providing accurate detection of impactful security issues (OWASP Top Ten) for nearly 100 common Python libraries. <![CDATA[Comparing Reachability Analysis methods: Semgrep's distinct approach]]> https://semgrep.dev/blog/sca-reachability-analysis-methods What do people mean exactly when they use the term reachability? As it turns out, there are many distinct approaches to reachability analysis, but not many resources available that explain how they differ. In this blog post, we'll go over the different methods of reachability analysis, the pros and cons of each, and why we think Semgrep's is the most effective and pragmatic when it comes to prioritizing software supply chain vulnerabilities. 
<![CDATA[Scaling Semgrep rule coverage by spidering language documentation]]> https://semgrep.dev/blog/scaling-lang-coverage-with-spiders How we made it easy to follow .NET coding best practices by scraping the MSDN documentation for recommendations and concerns. <![CDATA[Scanning Shell Scripts With Semgrep]]> https://semgrep.dev/blog/scanning-shell-scripts-with-semgrep Semgrep now has experimental support for Bash. This allows detecting problems in shell scripts when it would be hard or impossible with plain grep. <![CDATA[Securing CodeQL queries with Semgrep]]> https://semgrep.dev/blog/securing-codeql-with-semgrep We're excited to announce that Semgrep now offers GA support for CodeQL's query language. <![CDATA[Security Champions: Metrics & Data]]> https://semgrep.dev/blog/security-champions-metrics-data The previous article in this series is Recognizing and Rewarding Your Security Champions. If you've followed my conference talks, you likely saw my Security Metrics That Matter presentation, and understand that I absolutely love data. Here's a general list of security metrics that matter… <![CDATA[Security headers for ASP.Net and .Net CORE]]> https://semgrep.dev/blog/security-headers-for-asp-net-and-net-core This blog post provides code examples for both ASP.Net and .Net Core, emphasizing the importance of security headers and encouraging readers to refer to OWASP Security Headers Guidance for more information. 
<![CDATA[Semgrep: a static analysis journey]]> https://semgrep.dev/blog/semgrep-a-static-analysis-journey How an academic project for the Linux kernel evolved into a multilingual security tool <![CDATA[Semgrep App's Fall 2021 updates]]> https://semgrep.dev/blog/semgrep-app-fall-2021-updates Announcing the rule board, finding triage, and Jira integration <![CDATA[Semgrep's Fall 2021 Updates]]> https://semgrep.dev/blog/semgrep-fall-2021-updates Announcing taint mode, Terraform support, and auto-configuration <![CDATA[Semgrep now supports Cairo 1.0]]> https://semgrep.dev/blog/semgrep-now-supports-cairo-1-0 Announcing Semgrep's support for Cairo 1.0 - a language used to develop smart contracts. Our rockstar community user Romain Jufer writes about adding a new language to Semgrep's arsenal! <![CDATA[Releasing Semgrep 1.0]]> https://semgrep.dev/blog/semgrep-release-v1-announcement Announcing a milestone release: Semgrep 1.0 <![CDATA[Seattle Java User Group: Detect complex code patterns using Semgrep]]> https://semgrep.dev/blog/semgrep-seattle-java-user-group A walkthrough of practical and real-world Semgrep examples for Java <![CDATA[Security scanning at ludicrous speed]]> https://semgrep.dev/blog/semgrep-speed This blog post delves into one of Semgrep's key attributes: its exceptional speed. Semgrep is known for its developer-friendly and customizable nature in securing code. This velocity is crucial for seamless integration into CI pipelines, enabling rapid rule customization without long wait times between iterations. 
<![CDATA[Semgrep Spring 2022 meetup recap]]> https://semgrep.dev/blog/semgrep-spring-2022-meetup-recap A look into the information shared at Semgrep's Spring 2022 meetup <![CDATA[Semgrep: Stop grepping code]]> https://semgrep.dev/blog/semgrep-stop-grepping-code Semgrep is an open-source tool that is like a code-aware grep <![CDATA[Recording: Semgrep Summer 2021 Meetup]]> https://semgrep.dev/blog/semgrep-summer-2021-meetup Video from our meetup on August 11th <![CDATA[Semgrep Supply Chain announces dataflow reachability support for 10 languages]]> https://semgrep.dev/blog/semgrep-supply-chain-announces-dataflow-reachability-support-for-10-languages Semgrep Supply Chain now supports Scala and Swift, which brings our dataflow reachability coverage up to 10 languages! <![CDATA[Semgrep’s VS Code extension: powerful SAST as fast as linting]]> https://semgrep.dev/blog/semgrep-vscode-extension Semgrep is a code analysis tool many use for static application security scanning (SAST). SAST tools can be difficult to set up and use and are often lumped in with other lengthy processes late in the development cycle. Ideally, they should work alongside linters while code is being written before the context is lost. We now have a VS Code extension that’s as easy to set up and use as other linting extensions and just as fast! 
<![CDATA[Semgrep's February 2022 Updates]]> https://semgrep.dev/blog/semgreps-february-2022-updates Summary of Semgrep releases from October 2021 to February 2022 <![CDATA[Semgrep's May 2022 updates]]> https://semgrep.dev/blog/semgreps-may-2022-updates See all that’s shipped between February and May and how to get the latest enhancements <![CDATA[Sense and (path) sensitivity: My experience adding a new feature as a Semgrep intern]]> https://semgrep.dev/blog/sense-and-path-sensitivity-my-experience-adding-a-new-feature-as-a-semgrep-intern I spent 10 weeks at Semgrep as a Software Engineering (SWE) Intern on the Semgrep Analysis Foundations Team, the team that owns and maintains the core static analysis functionality of the Semgrep tool. In this blog post, I am going to share my experience of adding path sensitivity to Semgrep, as well as what I learned and loved along the way! <![CDATA[Semgrep, a code & supply chain security search engine, raises Series C]]> https://semgrep.dev/blog/series-c Announcing our $53M Series C led by Lightspeed Venture Partners <![CDATA[Should random() be banned?]]> https://semgrep.dev/blog/should-random-be-banned The most important static analysis metric <![CDATA[Shoulda, Woulda...Coulda]]> https://semgrep.dev/blog/shoulda-woulda-coulda Improving findings performance through false negative feedback <![CDATA[Silicon Valley Cyber Security: Detect complex code patterns using semantic grep]]> https://semgrep.dev/blog/silicon-valley-cyber-security-meetup-presentation Video from the Silicon Valley Cyber Security Meetup on April 9 <![CDATA[Slack on scaling static analysis with Semgrep]]> https://semgrep.dev/blog/slack-presents-semgrep-at-def-con-appsec-village Slack’s DEF CON 29 AppSec Village presentation <![CDATA[Software supply chain security is hard]]> https://semgrep.dev/blog/software-supply-chain-security-is-hard See why today's SCA tools are noisy and how you can leverage reachability to reduce the noise <![CDATA[Need for speed: static 
analysis version]]> https://semgrep.dev/blog/static-analysis-speed Why speed is important in static analysis and how Semgrep achieves ludicrous speed <![CDATA[Structure Mode: Never write an invalid Semgrep rule again]]> https://semgrep.dev/blog/structure-mode-never-write-an-invalid-semgrep-rule Semgrep rule-writing is simple in principle, but it can be easy to make mistakes in practice (especially if you are newer to rule-writing). Structure mode is a new interface for <![CDATA[Surprising subtleties of Docker permissions]]> https://semgrep.dev/blog/surprising-subtleties-of-docker-permissions Our unique infrastructure leads to unique challenges related to how Docker interacts with filesystem permissions <![CDATA[Taint mode is now in beta]]> https://semgrep.dev/blog/taint-mode-is-now-in-beta Using the flexibility of Semgrep patterns with taint mode to find injection vulnerabilities <![CDATA[Teaching security champions]]> https://semgrep.dev/blog/teaching-security-champions In the previous article, we talked about how to engage your champions. We want them interested, revved up and ready to go. You are in a room full of brand-new security champions and they are itching to learn all about ‘cyber', what do you do? What do you teach them? How do you impress them? <![CDATA[Testing autofix behavior of SAST rules]]> https://semgrep.dev/blog/testing-autofix-behavior-of-sast-rules Automatically test the autofix behavior of custom Semgrep rules <![CDATA[Fully loaded: testing vulnerable PyYAML versions]]> https://semgrep.dev/blog/testing-vulnerable-pyyaml-versions Understanding which PyYAML API versions are vulnerable with a testing matrix <![CDATA[The best free, open-source supply-chain security tool? 
The lockfile]]> https://semgrep.dev/blog/the-best-free-open-source-supply-chain-tool-the-lockfile Lockfiles: the best investment you can make for supply chain security <![CDATA[The birth of Semgrep Pro Engine]]> https://semgrep.dev/blog/the-birth-of-semgrep-pro-engine Of all our projects, adding interfile analysis in a way that achieves our developer-focused goals without the aid of the open-source community has been the hardest. To succeed, we had to develop against a focused benchmark of real vulnerabilities before iterating with users thoughtfully. <![CDATA[The CVE program’s new rules: will they affect your vulnerability management?]]> https://semgrep.dev/blog/the-cve-program-s-new-rules-will-they-affect-your-vulnerability-management The new CNA Rules v4.0 introduce more flexible, case-by-case CVE assignment guidelines, emphasizing a community-driven approach and potentially increasing the number of recognized vulnerabilities to enhance overall cybersecurity management. <![CDATA[The Difference Between SCA and Supply Chain Security]]> https://semgrep.dev/blog/the-difference-between-sca-and-supply-chain-security Right now, the concept of the software supply chain and securing it is quite trendy. After the  <![CDATA[The tech behind Semgrep Assistant’s triage and remediation guidance]]> https://semgrep.dev/blog/the-tech-behind-semgrep-assistant Semgrep Assistant is like having another median-level security engineer on your team, whose sole responsibility is parsing through findings and giving humans-in-the-loop (even those with no security knowledge) everything they need to quickly and confidently take the right course of action. How does it work? 
<![CDATA[Three key learnings for AppSec teams from the XZ backdoor]]> https://semgrep.dev/blog/three-key-learnings-for-appsec-teams-from-the-xz-backdoor It’s been a week since the <![CDATA[Three things your linter shouldn’t tell you]]> https://semgrep.dev/blog/three-things-your-linter-shouldnt-tell-you How we’ve curated our code checks in Bento <![CDATA[Tips and tricks for writing fixes]]> https://semgrep.dev/blog/tips-and-tricks-for-writing-fixes A few tips you might not know to improve your Semgrep usage <![CDATA[Should security engineers care about transitive supply chain vulnerabilities?]]> https://semgrep.dev/blog/transitive-supply-chain-vulnerabilities In this blog post, Kyle Kelly, Semgrep Security Researcher, discusses transitive dependencies, prioritizing risks based on exploitability, and why today’s issues aren’t going anywhere anytime soon. <![CDATA[Cross-compiling OCaml to JS and Wasm: How we made the Semgrep Playground Fast]]> https://semgrep.dev/blog/turbo-mode We modified the <![CDATA[Type-awareness in semantic grep]]> https://semgrep.dev/blog/type-awareness-in-semantic-grep How we’re making Semgrep patterns more precise with type support <![CDATA[Not all attacks are equal: understanding and preventing DoS in web applications]]> https://semgrep.dev/blog/understanding-and-preventing-dos-in-web-apps Modeling DoS attacks through attacker leverage <![CDATA[Understanding and mitigating the Log4Shell vulnerability]]> https://semgrep.dev/blog/understanding-log4j-and-log4shell A guide to determining exposure and mitigation of the vulnerability in Log4j <![CDATA[Unlocking advanced security for all: Semgrep’s latest update]]> https://semgrep.dev/blog/unlocking-advanced-security-for-all-with-semgrep Introducing free access to Semgrep Supply Chain and Code’s Pro features, for up to 10 monthly contributors. Additionally, Semgrep is faster and runs with every keystroke in the browser and in VS Code. 
<![CDATA[Using AI to write secure code with Semgrep]]> https://semgrep.dev/blog/using-ai-to-write-secure-code-with-semgrep Announcement details for <![CDATA[LSP.js: Using Wasm and JavaScript to support OCaml on Windows]]> https://semgrep.dev/blog/using-wasm-and-javascript-to-support-ocaml-on-windows Semgrep now supports Windows for our <![CDATA[Why We Hack Purple and I are joining Semgrep]]> https://semgrep.dev/blog/we-hack-purple-and-i-are-joining-semgrep Why I'm choosing Semgrep, and what the future will hold for the AppSec Community. <![CDATA[What it takes to make shift left work]]> https://semgrep.dev/blog/what-it-takes-to-make-shift-left-work The surface area of software is expanding at a rate well above our ability to secure it. How can we speed software delivery and prevent security incidents at the same time? <![CDATA[When DevSecOps goes wrong]]> https://semgrep.dev/blog/when-devsecops-goes-wrong-a-short-lesson-from-huaweis-source-code A quick look at a breakdown in the security and developer team interface <![CDATA[Pain-free custom linting: why I moved from ESLint and Bandit to Semgrep]]> https://semgrep.dev/blog/why-i-moved-to-semgrep-for-all-my-code-analysis An inside look at writing program analysis using Semgrep <![CDATA[Why SAST tools need to be customizable to be useful]]> https://semgrep.dev/blog/why-sast-tools-need-to-be-customizable Most modern SAST tools only provide findings, with no control or visibility into why or how they were surfaced. When shifting left, this makes false positives a shared problem between AppSec and developers. Customizability solves this issue, letting security teams shift SAST left gradually, without putting their reputations on the line. 
<![CDATA[SF Python: writing robust Flask apps]]> https://semgrep.dev/blog/writing-robust-flask-apps-sf-python-meetup-april-08 Material from the presentation at the SF Python Virtual Meetup <![CDATA[Writing Semgrep rules]]> https://semgrep.dev/blog/writing-semgrep-rules-a-methodology How to think about and approach writing new Semgrep rules <![CDATA[XML Security in Java]]> https://semgrep.dev/blog/xml-security-in-java Java XML security issues and how to address them <![CDATA[Executable XSS cheat sheets for popular web frameworks]]> https://semgrep.dev/blog/xss-cheat-sheets Run a single Semgrep command to check your app for XSS