📢 The Secret’s out! We’re thrilled to share that Semgrep Secrets is available for Public Beta today! Secrets leverages Semantic Analysis in addition to regex and entropy-based validation to detect secrets with high precision.
We are thrilled to announce that @wehackpurple is joining forces with Semgrep!
Tanya Janca, @shehackspurple, has trained thousands of AppSec professionals and built an amazing community—with Semgrep she’ll continue that great work.
Read more here:
Wrote React code today and our team has @semgrep running on every pull request with some custom rules our frontend lead wrote. Incredible context about how to refactor the code to meet my team's coding best practices
Stoked for this partnership! @jyotibansalsf was one of the first coffee chats @0xine and I had prior to founding Semgrep and it’s an honor to work together to bring security to the best developer platform
🎯 Seamless integration alert! Now, @HarnessIO users can effortlessly incorporate Semgrep's SAST solutions into their workflows, enhancing code security and accelerating development cycles. Read the details here:
🤖 Semgrep: now augmented with AI
We’re excited to announce the private beta of Semgrep Assistant. Learn how we're using GPT to reduce noise and auto-fix bugs, making it even easier to ship secure code quickly 🧵
🚀 APIs help things go faster
🤯 BUT APIs also cause an ever-spiraling web of dependencies
At Akita, we're cleaning up the API dependency graph--using some out-there applications of PL that turn out to actually work.
Would love to hear your thoughts!
According to developers @luca020400 and BadDaemon, here is why the bug occurs:
The image is encoded in the "Google/Skia/E3CADAB7BD3DE5E3436874D2A9DEE126" color space (that's the full name of the color space - Skia is the name of a 2D graphics library made by Google)...
Releasing njsscan, a cli SAST tool that finds insecure code in Node.js apps.
Powered by Semantic Grep from @r2cdev
libsast, a generic SAST library for writing your own static analyzer.
#nodejs #devsecops #javascript #appsec
In May 28th's OWASP OC @owaspoc meeting we are virtually bringing you 2 presentations: "Guardrails for common security mistakes in Python web apps" by @drewdennison and "Yes, you too can break crypto: Exploiting common crypto mistakes" by @kojenov
@anantshri
@DaghanAltas
@bnchandrapal
@semgrep
Semgrep maintainer here. Semgrep is completely open-source (LGPL - think Linux). We also have ~1100 rules in a git repo that is Commons Clause license which means you can use the rules commercially but can’t resell them without attribution and permission 😊
⭐ Semgrep just passed 2,000 GitHub stars, yay!
📣 Today we’re thrilled to introduce Semgrep Community and announce our Series A funding from @redpointvc and @sequoia.
🙏 Thanks to all who’ve supported us along the way. We’re grateful and humbled.
More:
🤔 What if grep had types?
Our intern, Emma, explored this and added type-awareness to Semgrep. Now you can find bugs and antipatterns or enforce best practices even more precisely:
OWASP Santa Barbara has teamed up with @we45's founder @abhaybhargav to bring you a hands-on workshop on security testing automation using @zaproxy and other dynamic scanning tools. Topics include context-awareness, authN, SPAs, APIs, CI/CD integration.
@snyff
Not just speed of running, speed to iterate on false positives. Incidentally last night @yoann_padioleau investigated a perf bug in semgrep where the runtime was 3 mins - now 3.2s.
@anantshri
@DaghanAltas
@bnchandrapal
@semgrep
To answer your question explicitly, yes an organization can run it on an internal instance and yes you can run it locally as both independent person and a commercial company 👍
I joined @r2cdev a couple weeks ago! We're developing semgrep, which is a syntax-aware grep for finding/fixing problems in source code in a variety of programming languages.
On Sunday's show, @clintgibler showed us how @r2cdev's Semgrep "autofixes" code that doesn't use approved secret services... Minds were blown! 🤯😆
Check out the full "extended" show here:
@_jtmelton
@clintgibler
@dlukeomalley
@0xine
Thank you for your kind words -- they mean a lot! An OSS project is nothing without its community members and I know we will learn a lot from your feedback 🙏
@securitygen
@alexjplaskett
Appreciate the feedback and yep can add a flag but we’re moving to a safe metavariable comparison without having to resort to the eval escape hatch.
Drumroll, please! 🥁 Our May quarterly launch is here, and we can’t contain our excitement!
Brace yourselves for a stellar lineup of new features, including Semgrep managed scanning (formerly Zero Config Scanning), RBAC, faster monorepo support, and new Semgrep Secrets
🏎️ It’s time to put your coding skills to the test in Semgrep Speedway! Just as the Semgrep Platform champions ‘shift left’ security, this game will challenge you to navigate security hurdles with agility and precision. Are you up for the challenge?
@247arjun
@semgrep
@AzureDevOps
@semgrep
OSS is distributed on both PyPI and Docker so it should be quite easy to run with Azure. Would love a contribution to probably follow the Jenkins or CircleCI example
@dgryski
@njcw
@nicholascwng
Thanks. @njcw do you have any example code? (feel free to DM me if easier to show over Zoom). I opened this ticket if you want to follow along
@PredragGruevski
@r2cdev
Thanks for suggesting these lint rules. Even after coding in python for 10 years I was surprised by the behavior. 🙌 to more community codifying framework sharp edges into tooling
@anantshri
@semgrep
This is an interesting use case and agreed there are often subtle (or not!) security problems in SO answers. If you're interested in writing one, I would be happy to chat and help with any API needs
Yesterday we hosted @JuliaLawall from @Inria for a virtual r2c meetup where she presented, “Coccinelle, Prequel, and Spinfer: Code Evolutions in the Linux Kernel.” Julia kindly agreed to let us record the presentation and we’re sharing it with you here:
@abhaybhargav
I attended your Dr. DevSecOps talk at Appsec Cali and was impressed with your AWS lambda architecture to build a fast code scanning pipeline. Glad you found semgrep and I liked your demo flow.
@dgryski
@r2cdev
Nice! I took a stab at a less verbose version using a bit of python scripting (coming soon regex on vars) and I filed for autofix support.