Not sure what to write a rule for? Below are some common questions, ideas, and topics to spur your imagination. Happy hacking! 💡
Common use cases
Below are common use cases with sample rules to get you thinking.
| Use case | Semgrep rule |
| --- | --- |
| Ban dangerous APIs | Prevent use of exec |
| Search routes and authentication | Extract Spring routes |
| Enforce the use of secure defaults | Securely set Flask cookies |
| Enforce project best practices | Use assertEqual for == checks, Always check subprocess calls |
| Codify project-specific knowledge | Verify transactions before making them |
| Audit security hotspots | Finding XSS in Apache Airflow, Hardcoded credentials |
| Audit configuration files | Find S3 ARN uses |
| Migrate from deprecated APIs | DES is deprecated, Deprecated Flask APIs, Deprecated Bokeh APIs |
| Apply automatic fixes | Use listenAndServeTLS |
| Ban importing bad packages | Ban imports matching a regex |
Try answering these questions to uncover important rules for your project.
- From recent post-mortems: which code issues contributed to the incident?
- [XYZ] is a (security, performance, or other) library that everyone should use, but people don't use it consistently.
- When you review code, what changes do you frequently ask for?
- What vulnerability classes from bug bounty submissions reoccur (or appear in different places of the codebase)?
- Are there engineering or performance patterns you want enforced, such as consistent exception handlers?
- What issues were caused by misconfigurations in Infrastructure-as-Code files (e.g. JSON)?
- What are some "invariants" that should hold about your code: things that should always or never be true (e.g. every admin route checks whether the user is an admin)?
- Which methods or APIs are deprecated and which are you trying to move away from?
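As an added example (not a rule from the Semgrep registry or from this page), here is how the "every admin route checks if the user is an admin" invariant above can be codified as a rule: the positive `pattern` finds Flask-style handlers mounted under `/admin`, and the `pattern-not` excludes handlers whose body performs the check. The app object name, the `/admin` prefix and the `current_user.is_admin` check are assumptions about a hypothetical codebase; adjust them to your project.

```yaml
rules:
  - id: admin-route-missing-admin-check
    languages: [python]
    severity: ERROR
    message: >-
      Route handler '$FUNC' is mounted under '/admin' but never checks
      'current_user.is_admin'. Every admin route must verify that the
      caller is an admin before doing any work.
    metadata:
      category: security
    patterns:
      # Match any view function registered with @<app>.route(<path>, ...)
      # (extra keyword arguments such as methods=[...] are allowed).
      - pattern: |
          @$APP.route($PATH, ...)
          def $FUNC(...):
            ...
      # Only paths that start with /admin count as admin routes.
      # The metavariable text includes the quotes of the Python literal.
      - metavariable-regex:
          metavariable: $PATH
          regex: ^"/admin(/.*)?"$
      # ...unless the body already performs the admin check somewhere.
      # Metavariables here are unified with the positive pattern above,
      # so the exclusion applies to the same handler, not just any one.
      - pattern-not: |
          @$APP.route($PATH, ...)
          def $FUNC(...):
            ...
            if not current_user.is_admin:
              ...
            ...
```

Run it with `semgrep --config admin-route.yaml src/`; to keep the rule honest, add a test file with `# ruleid: admin-route-missing-admin-check` above a handler that lacks the check and `# ok: admin-route-missing-admin-check` above one that has it, then run `semgrep --test`.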