https://semgrep.dev We're a startup passionate about improving software security and reliability. en-us 2024-11-20T21:16:19+00:00 https://semgrep.dev/blog/a-day-in-the-life-supply-chain-security-researcher This will give a glimpse into what it is like to be a Security Researcher on the Semgrep Supply Chain Security Research team! We walk through the steps that we take to understand a vulnerability and write a Semgrep rule to provide the best possible coverage for our customers. We evaluate vulnerabilities affecting open source software packages and maintain and build tooling to enable our research. Special shout-out to Diptendu, Max, and Kyle for contributing and sharing their expertise and experience. https://semgrep.dev/blog/a-deep-dive-into-semgrep-supply-chain A technical deep dive into the nuts and bolts of Semgrep Supply Chain https://semgrep.dev/blog/ai-assisted-remediation Semgrep Assistant now offers high quality, step-by-step remediation guidance to developers on almost every true positive finding, resulting in a 15% reduction in median time-to-resolution. https://semgrep.dev/blog/announcing-csharp-alpha-support Semgrep v0.52.0 includes alpha C# support https://semgrep.dev/blog/announcing-csharp-ga C# parse rate is now over 99% https://semgrep.dev/blog/announcing-kotlin-reachability We’re excited to announce an exciting new feature in Semgrep’s software composition analysis (SCA) tool—Kotlin reachability. https://semgrep.dev/blog/announcing-php-ga-support Semgrep adds PHP support including 40+ new rules https://semgrep.dev/blog/announcing-ruby-ga-support Semgrep v0.35.0 includes GA Ruby support https://semgrep.dev/blog/announcing-semgrep-code Semgrep Code enables security teams to leverage the Semgrep Pro Engine and Pro rules to surface highly actionable vulnerabilities directly to developers. https://semgrep.dev/blog/announcing-semgrep-code-search-public-beta Semgrep Code Search lets users run a single rule across hundreds of code repositories in seconds, highlighting all instances of matching code. Code Search's instant feedback gives users superpowers when it comes to rule evaluation, rule writing, and vulnerability hunting. https://semgrep.dev/blog/announcing-semgrep-s-beta-support-for-rust Programming language, or cult following? https://semgrep.dev/blog/announcing-semgrep-s-experimental-support-for-julia Semgrep adds experimental support for the Julia programming language https://semgrep.dev/blog/announcing-swift-exp-support Try your hand at writing Semgrep rules for Swift https://semgrep.dev/blog/appsec-development-keeping-it-all-together-at-scale Hard-won lessons from scaling security programs https://semgrep.dev/blog/appsec-guides-not-gates-introducing-secure-guardrails-with-semgrep "Shift left" was popular, but has largely failed to deliver on its promises. For too many teams, it was a way to take the same old security tools and point the firehose of issues at developers. What have successful teams done to reduce their massive vulnerabilities backlog? They’ve rolled out secure guardrails. https://semgrep.dev/blog/assistant-ga-launch Assistant helps both AppSec engineers and developers make the correct decisions faster, with far less cognitive load required. This means users only spend their time and "analysis bandwidth" on issues that actually warrant the attention. https://semgrep.dev/blog/assistant-public-beta Semgrep Assistant helps application security teams by using AI to identify potential false positives and suggest code updates to fix bugs. We reviewed the data from our private beta, such as 95% positive feedback on Assistant's suggestions, and decided to graduate it to public beta today. In this blog post, we discuss this data and also share our learnings from the past three months about building with GPT-4. https://semgrep.dev/blog/autofixing-code-with-semgrep Improve correctness using Semgrep's AST-based autofix https://semgrep.dev/blog/bay-area-owasp-meetup-presentation Video from the Bay Area OWASP Meetup on May 21 https://semgrep.dev/blog/be-careful-what-you-request-for-django-method Injection using the HTTP verb in Django https://semgrep.dev/blog/bento-08-released-with-updated-workflows-and-new-specialty-checks Changes to Bento’s default behavior integrate it more smoothly into your workflow https://semgrep.dev/blog/bento-09-released-with-checks-for-python-vulnerability-and-jinja Catch a high-severity Python vuln and new checks for Jinja templates https://semgrep.dev/blog/bento-check-catch-catastrophic-backtracking-redos-bugs Find severe regular expression denial-of-service bugs in Python using Bento https://semgrep.dev/blog/bento-check-keeping-cookies-safe-in-flask Ensure cookie settings are set securely in Flask https://semgrep.dev/blog/bringing-more-semgrep-capabilities-to-bitbucket-and-azure-devops We’re excited to announce the expansion of Semgrep's capabilities to include Atlassian BitBucket Cloud, BitBucket Data Center, and Microsoft Azure DevOps in our suite of supported source code management tools (SCMs). https://semgrep.dev/blog/bringing-semgrep-managed-scanning-to-gitlab-automated-code-scanning-at-scale Following the success of Semgrep Managed Scanning on GitHub, which runs Semgrep without any manual, per-repo CI/CD configuration, we are excited to announce the same seamless experience is now available to GitLab users. https://semgrep.dev/blog/bsides-las-vegas-power-of-guardrails Research on guardrails and how to slash the risk of XSS in half https://semgrep.dev/blog/building-enterprise-ready-scalable-program See how organizations use Semgrep at scale in production https://semgrep.dev/blog/building-security-champions There is a severe shortage of trained and experienced people who are capable of securing the systems that we must protect. Application security engineers, DevSecOps professionals, security architects, you name it, there's a shortage. https://semgrep.dev/blog/c-sharp-beta-support-ssc Semgrep Supply Chain (Semgrep’s SCA product) can now find reachable vulnerabilities in C# dependencies. Along with C#, we also added lockfile-only support for PHP. Semgrep Supply Chain now supports C#, Go, Java, JavaScript, PHP, Python, Rust, and Ruby. https://semgrep.dev/blog/choosing-a-static-analysis-tool There is no one tool that is perfect for every organization, and if you have the wrong one it can create friction, delays, frustration, and lack of adoption. I use the questions below to help create a set of requirements for clients, and then they go shopping! https://semgrep.dev/blog/choosing-api-security-tools Quite often clients ask me “Which API Security Tool should I buy?”, and as you might have guessed I answer “It depends”, then proceed to ask them a dozen questions. Recently I asked a colleague at Semgrep if they felt this process might be of value to my readers, and he said “Absolutely!” and here we are with a new blog post.  https://semgrep.dev/blog/cocoapods-vulnerabilities-highlight-risks-in-dependency-managers Three critical vulnerabilities have been disclosed for the CocoaPods dependency manager. These vulnerabilities exposed more than 3 million iOS and macOS apps to supply chain attacks between 2014 and 2023, allowing attackers to hijack pods (software packages), execute code, and gain session tokens. https://semgrep.dev/blog/conclusion-security-champions In the previous article we talked about Metrics, and in this article, I will conclude this series on Building Security Champions. A few more tips: Start by defining the focus of your program and what is expected from champions. Be realistic; you can only expect 1-4 hours maximum effort from them per week. https://semgrep.dev/blog/continuous-learning https://semgrep.dev/blog/curl-vulnerability cURL is releasing version 8.4.0 on Wednesday, October 11th, 2023 to patch a high-severity issue that is “the worst cURL vulnerability in a while” for both the CLI application and the https://semgrep.dev/blog/custom-rules-for-semgrep-secrets Customers can now write their own rules for Semgrep Secrets! These rules can https://semgrep.dev/blog/dast-devsecops In this blog post, Tanya goes through different types of DAST and penetration testing tools. The post also explains why DAST is not needed in your pipeline and encourages a tailored approach that fits an organization's unique needs rather than blindly following industry trends. https://semgrep.dev/blog/demystifying-taint-mode A user-friendly guide to writing rules with Semgrep's taint mode https://semgrep.dev/blog/dependency-search-and-license-compliance With Semgrep Supply Chain, you can now mitigate supply chain vulnerabilities before a CVE even drops with Dependency Search and enforce your organization's license policies on pull requests with License Compliance. https://semgrep.dev/blog/developer-focused-results-and-improved-coverage-with-semgrep-pro-rules Semgrep Pro rules are high confidence SAST rules that leverage the latest Semgrep features, and are designed to produce actionable results that can be surfaced directly to developers for vulnerability remediation. https://semgrep.dev/blog/devsecops-worst-practices-the-series Quite often when we read best practices we are told ‘what’ to do, but not the ‘why’. When we are told to ensure there are no false positives in the pipeline, the reason seems obvious, but not every part of DevOps is that intuitive, and not all ‘best practices’ make sense on first blush. Let’s explore tried, tested, and failed methods, so we can avoid these DevSecOps WORST practices. https://semgrep.dev/blog/discontinuation-of-node-vm2 The recent discontinuation of the JavaScript code virtualization tool “vm2” sounds the alarm for under-maintained open source packages. This post discusses the factors that led to its discontinuation and what can be done to save “isolated-vm”, the best alternative to vm2 currently, from suffering the same fate. https://semgrep.dev/blog/does-your-llm-thing-work-how-we-use-promptfoo client.chat.completions.create https://semgrep.dev/blog/dont-leak-your-secrets A new Semgrep ruleset to detect leaked secrets https://semgrep.dev/blog/easily-create-custom-sast-guardrails-with-human-language-and-semgrep-assistant-ai Tell Semgrep Assistant about any organizational coding standards or best practices you want developers to implement - generated guidance will take this into account! https://semgrep.dev/blog/efficient-dependency-management In this blog post, Kyle Kelly, Semgrep Security Researcher, delves into how practitioners can efficiently manage dependency versions by utilizing manifest files, lockfiles, and SemVer specifications. https://semgrep.dev/blog/engage-your-champions In this article, we discuss how to get security champions revved up about security once you have found them. https://semgrep.dev/blog/epss-and-supply-chain EPSS is a powerful prioritization mechanism: when combined with Semgrep’s dataflow reachability analysis, EPSS enables you to deprioritize 99% of findings and focus on the 1% that matter most. https://semgrep.dev/blog/experimental-feature-generic-pattern-matching Match code patterns in configuration files, structured data, and more https://semgrep.dev/blog/exploiting-dynamic-rendering-engines-to-take-control-of-web-apps Leveraging weaknesses in Rendertron and other headless renderers https://semgrep.dev/blog/finding-python-redos-bugs-at-scale-using-dlint-and-r2c Automating regular expression denial-of-service detection https://semgrep.dev/blog/fix-today-s-vulnerabilities-and-prevent-tomorrow-s-with-secure-guardrails This post illustrates some of the technical aspects of secure guardrails and the characteristics we think are essential to successfully integrating them into an AppSec program. Spoiler alert: the developer experience (DevX) is paramount. https://semgrep.dev/blog/fixing-leaky-logs-how-to-find-a-bug-and-ensure-it-never-returns Enabling developers to rapidly solve security issues https://semgrep.dev/blog/flask-check-send-file Bento check to detect if send_file() will throw an exception https://semgrep.dev/blog/forbes-cybersecurity-awards-2020 Forbes’ inaugural Cybersecurity Awards https://semgrep.dev/blog/four-levels-of-maturity-that-bridge-the-app-sec-engineering-divide Practical ways to bridge the gap between AppSec and development https://semgrep.dev/blog/future-of-appsec-why-r2c Why I’m betting on r2c and where I think application security is headed https://semgrep.dev/blog/golang-in-pro-engine We’re adding support for Go in our Pro Engine with 50+ new Go rules covering several popular Go frameworks! https://semgrep.dev/blog/gpt4-and-semgrep-detailed Semgrep is a code search tool many use for security scanning (SAST). We added GPT-4 to our cloud service to ask which Semgrep findings matter before we notify developers, and on our internal projects, it seemed to reason well about this task. We also tried to have it automatically fix these findings, and its output is often correct. https://semgrep.dev/blog/hackerone-partners-with-semgrep Accessing automated code security testing with added support from expert code reviewers https://semgrep.dev/blog/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes Examining 2,000+ npm modules for common mistakes when using JWT https://semgrep.dev/blog/hellasecure-hellaconf-2020-semgrep-presentation Video from Hella Secure’s virtual AppSec conference, HellaConf https://semgrep.dev/blog/help-us-rename-semgrep-oss We're exploring new names for Semgrep OSS and we want the community's input - please fill out the linked survey by November 15th, and read on for context/motivation. As a token of appreciation, those that fill out the survey will be entered to win a pair of AirPods Max! https://semgrep.dev/blog/how-semgrep-assistant-is-driving-enterprise-adoption-of-ai-code-security Semgrep Assistant saves developers and security engineers tens of thousands of hours annually. Learn why Assistant is so valuable, and how its design ensures compliance with the data privacy standards of large, security-forward organizations. https://semgrep.dev/blog/how-to-prevent-html-email-injection-in-python-web-apps Avoid accidental HTML injection when sending emails from an application https://semgrep.dev/blog/how-we-made-semgrep-rules-run-on-semgrep-rules Semgrep now has alpha support for YAML https://semgrep.dev/blog/http-request-failed-timeout-issue-in-ocaml Happy Eyeballs is an algorithm published by the https://semgrep.dev/blog/impact-of-identifying-code-specific-issues This blog post highlights the limitations of traditional security testing (SAST) tools and introduces why customizing rules enhances the relevancy, usability, and integration of security tools into the developer's workflow. The post explores various ways to customize rules, including through APIs, custom languages, and formatting languages, to improve the accuracy and trustworthiness of security feedback for developers. https://semgrep.dev/blog/improving-redos-detection-with-dlint-and-r2c Improving regular expression denial-of-service detection https://semgrep.dev/blog/integrating-semgrep-with-ci Integrating security scans into GitHub, GitLab, CircleCI, and other CI providers https://semgrep.dev/blog/internship-charissa I interned at Semgrep, an application security company. This blog post is about how my Semgrep internship debunked startup stereotypes, offering balance and rich learning experiences. It reshaped my perspective, leaving me eager for a future in the dynamic field of cybersecurity. https://semgrep.dev/blog/introducing-deepsemgrep DeepSemgrep is a proprietary extension to Semgrep that allows inter-file analysis to help reduce false positives and negatives https://semgrep.dev/blog/introducing-semgrep-academy It’s been my dream to share all of my content and knowledge for free, ever since I started learning about AppSec. I was so excited by what I learned, and wanted to tell everyone who would listen. When I started We Hack Purple, I had to charge for content, because it was a business and I had bills to pay. But now, https://semgrep.dev/blog/introducing-semgrep-and-r2c Announcing r2c's funding and Semgrep.dev https://semgrep.dev/blog/introducing-semgrep-for-gitlab Semgrep now has 1st-class integration into GitLab https://semgrep.dev/blog/introducing-semgrep-secrets Tl;dr: We’re excited to launch Semgrep Secrets in Public Beta, the only secrets detection product that uses Semantic Analysis, improved entropy analysis, and validation for detecting secrets with high precision in developer workflows. https://semgrep.dev/blog/introducing-semgrep-supply-chain Based on the Semgrep engine, Semgrep Supply Chain finds reachable vulnerable dependencies in your code https://semgrep.dev/blog/introducing-semgreps-community-oriented-twitter-account The Semgrep Community team has some exciting news to share! We’re shaking things up in the best way possible, because we want to give you the power to choose the content on your Twitter feed. That’s right, we’re introducing two Twitter accounts - Semgrep and Semgrep Community. https://semgrep.dev/blog/javascript-static-analysis-comparison-eslint-semgrep A deep dive tool comparison https://semgrep.dev/blog/jenkins-meetup-an-open-source-security-scanner-for-most-languages Integrating open source static analysis into Jenkins jobs https://semgrep.dev/blog/keep-your-rules-simple-with-symbolic-propagation Symbolic propagation is an experimental feature that enables Semgrep to perform matching modulo variable assignments, so you can keep rules simple but powerful. https://semgrep.dev/blog/kotlin-ga We improved Semgrep’s support to Generally Available (GA) for Kotlin by improving the parse rate and adding support for https://semgrep.dev/blog/may-quarterly-launch This quarter we've shipped a variety of features that make the Semgrep AppSec Platform easier to manage and scale across an organization - even for an AppSec team of one. Features include managed scanning (scan in our cloud), project-level access controls (RBAC), and a UI refresh for Semgrep Supply Chain. https://semgrep.dev/blog/modernizing-static-analysis-for-c Both languages are notoriously difficult for SAST tools to analyze accurately and quickly, but our Pro Engine is uniquely capable of handling the challenge. https://semgrep.dev/blog/new-high-signal-rules-for-the-javascript-ecosystem Updates for Node, Express, and other JavaScript rules https://semgrep.dev/blog/new-insight-into-backlogs-developer-engagement-and-security-posture Semgrep’s revamped reporting capabilities bring increased levels of clarity to your production backlog, developer engagement levels, and overall security posture. https://semgrep.dev/blog/new-playground Use the new Playground to make rule-writing simple, fast, and flexible https://semgrep.dev/blog/not-just-another-jira-integration For security teams that rely on Jira, work just got a whole lot easier (for both security folks and the developers they partner with). Our revamped integration embeds tailored, AI-powered remediation guidance directly in tickets, alongside all of the information and context developers need to take action right away. https://semgrep.dev/blog/november-quarterly-update After launching our third product - Semgrep Secrets - just last month, we have expanded coverage for our SAST and SCA products (C# support is here!), and have shipped new features like SBOM exports, support for IntelliJ IDE products, and Semgrep Assistant for GitLab! https://semgrep.dev/blog/our-quest-to-make-world-class-security-and-bugfinding-available-to-all-developers Introducing Bento, a free and opinionated toolkit for easily adopting linters and program analysis in a codebase https://semgrep.dev/blog/overcommunication-with-your-security-champions As mentioned in the previous article (Recognizing and rewarding your security champions), the most common reason for failure of a security champions program is the security team losing steam, and/or the champions losing interest. In this article, we will discuss a few ways to avoid this. The best way? Communication. https://semgrep.dev/blog/overrated-and-underperforming-transitive-reachability-analysis Due to complex dependency layers and static analysis limitations, transitive reachability analysis struggles to deliver actionable insights. https://semgrep.dev/blog/personal-and-team-use-in-bento-08 Our learnings from user feedback and how to use Bento individually and on teams https://semgrep.dev/blog/preventing-secrets-in-code In this blog post, I cover what we mean by secrets in application security, how to find secrets in your code, and how to prevent secrets from being leaked in your code. https://semgrep.dev/blog/preventing-sql-injection-a-django-authors-perspective The creator of Django on preventing SQL injection https://semgrep.dev/blog/promql-and-semgrep In this blog post, our rockstar community member and contributor, Michael Hoffman, shares information on how to make alerting and recording rules more reliable and consistent for PromQL using https://semgrep.dev/blog/protect-your-code-from-the-polyfill-supply-chain-attack Over 100k websites use a CDN service, polyfill.io, that was delivering malicious JavaScript code. Check to see if your source code is affected by using Semgrep code search to detect its presence. https://semgrep.dev/blog/protect-your-github-actions-with-semgrep Semgrep rules for GitHub Actions https://semgrep.dev/blog/python-static-analysis-comparison-bandit-semgrep A deep dive tool comparison https://semgrep.dev/blog/r2c-internship-vivek Vivek's experience interning at r2c https://semgrep.dev/blog/r2c-meetup-writing-semgrep-rules-august-2020 Video from meetup hosted on August 26th https://semgrep.dev/blog/r2c-series-b-funding Announcing new funding and our partnership with GitLab https://semgrep.dev/blog/r2c-workshop-at-defcon-27-finding-vulnerabilities Material from our DEF CON workshop on finding vulnerabilities at ecosystem-scale https://semgrep.dev/blog/rapidly-deploy-code-scans-with-semgrep-managed-scanning You can now roll out Semgrep at ludicrous speed without any manual, per-repo CI/CD configuration. Whether you have one repo or thousands of repos, It Just Works. https://semgrep.dev/blog/recognizing-rewarding-security-champions If you've ever read the book The 5 Love Languages, or articles summarizing the 5 love languages, then you are aware that there are predictable patterns of how people respond to various acts of kindness. Someone's “love language” is the specific type of kindness that they are most affected by. https://semgrep.dev/blog/recruiting-security-champions In the previous article, ‘Building Security Champions', we covered what champions are, why you need them, and our plan to make an amazing program. The #1 most important rule of recruiting security champions is that you must attract them. https://semgrep.dev/blog/redefining-security-coverage-for-python-with-framework-native-analysis We’ve supercharged Semgrep Code’s Python support with new, framework-specific analysis capabilities. The engine now tracks implicit data flows in popular frameworks like Django, FastAPI, and Flask, providing accurate detection of impactful security issues (OWASP Top Ten) for nearly 100 common Python libraries. https://semgrep.dev/blog/sca-reachability-analysis-methods What do people mean exactly when they use the term reachability? As it turns out, there are many distinct approaches to reachability analysis, but not many resources available that explain how they differ. In this blog post, we'll go over the different methods of reachability analysis, the pros and cons of each, and why we think Semgrep's is the most effective and pragmatic when it comes to prioritizing software supply chain vulnerabilities. https://semgrep.dev/blog/scaling-lang-coverage-with-spiders How we made it easy to follow .NET coding best practices by scraping the MSDN documentation for recommendations and concerns. https://semgrep.dev/blog/scanning-shell-scripts-with-semgrep Semgrep now has experimental support for Bash. This allows detecting problems in shell scripts when it would be hard or impossible with plain grep. https://semgrep.dev/blog/securing-codeql-with-semgrep We're excited to announce that Semgrep now offers GA support for CodeQL's query language. https://semgrep.dev/blog/security-champions-metrics-data The previous article in this series is Recognizing and Rewarding Your Security Champions. If you've followed my conference talks, you likely saw my Security Metrics That Matter presentation, and understand that I absolutely love data. Here's a general list of security metrics that matter… https://semgrep.dev/blog/security-headers-for-asp-net-and-net-core This blog post provides code examples for both ASP.Net and .Net Core, emphasizing the importance of security headers and encouraging readers to refer to OWASP Security Headers Guidance for more information. https://semgrep.dev/blog/semgrep-a-static-analysis-journey How an academic project for the Linux kernel evolved into a multilingual security tool https://semgrep.dev/blog/semgrep-app-fall-2021-updates Announcing the rule board, finding triage, and Jira integration https://semgrep.dev/blog/semgrep-fall-2021-updates Announcing taint mode, Terraform support, and auto-configuration https://semgrep.dev/blog/semgrep-now-supports-cairo-1-0 Announcing Semgrep's support for Cairo 1.0 - a language used to develop smart contracts. Our rockstar community user Romain Jufer writes about adding a new language to Semgrep's arsenal! https://semgrep.dev/blog/semgrep-release-v1-announcement Announcing a milestone release: Semgrep 1.0 https://semgrep.dev/blog/semgrep-seattle-java-user-group A walk through of practical and real-world Semgrep examples for Java https://semgrep.dev/blog/semgrep-speed This blog post delves into one of Semgrep's key attributes: its exceptional speed. Semgrep is known for its developer-friendly and customizable nature in securing code. This velocity is crucial for seamless integration into CI pipelines, enabling rapid rule customization without long wait times between iterations. https://semgrep.dev/blog/semgrep-spring-2022-meetup-recap A look into the information shared at Semgrep's Spring 2022 meetup https://semgrep.dev/blog/semgrep-stop-grepping-code Semgrep is an open-source tool that is like a code-aware grep https://semgrep.dev/blog/semgrep-summer-2021-meetup Video from our meetup on August 11th https://semgrep.dev/blog/semgrep-vscode-extension Semgrep is a code analysis tool many use for static application security scanning (SAST). SAST tools can be difficult to set up and use and are often lumped in with other lengthy processes late in the development cycle. Ideally, they should work alongside linters while code is being written before the context is lost. We now have a VS Code extension that’s as easy to set up and use as other linting extensions and just as fast! https://semgrep.dev/blog/semgreps-february-2022-updates Summary of Semgrep releases from October 2021 to February 2022 https://semgrep.dev/blog/semgreps-may-2022-updates See all that’s shipped between February and May and how to get the latest enhancements https://semgrep.dev/blog/sense-and-path-sensitivity-my-experience-adding-a-new-feature-as-a-semgrep-intern I spent 10 weeks at Semgrep as a Software Engineering (SWE) Intern on the Semgrep Analysis Foundations Team, the team that owns and maintains the core static analysis functionality of the Semgrep tool. In this blog post, I am going to share my experience of adding path sensitivity to Semgrep, as well as what I learned and loved along the way! https://semgrep.dev/blog/series-c Announcing our $53M Series C led by Lightspeed Venture Partners https://semgrep.dev/blog/should-random-be-banned The most important static analysis metric https://semgrep.dev/blog/shoulda-woulda-coulda Improving findings performance through false negative feedback https://semgrep.dev/blog/silicon-valley-cyber-security-meetup-presentation Video from the Silicon Valley Cyber Security Meetup on April 9 https://semgrep.dev/blog/slack-presents-semgrep-at-def-con-appsec-village Slack’s DEF CON 29 AppSec Village presentation https://semgrep.dev/blog/software-supply-chain-security-is-hard See why today's SCA tools are noisy and how can you leverage reachability to reduce the noise https://semgrep.dev/blog/static-analysis-speed Why speed is important in static analysis and how Semgrep achieves ludicrous speed https://semgrep.dev/blog/structure-mode-never-write-an-invalid-semgrep-rule Semgrep rule-writing is simple in principle, but it can be easy to make mistakes in practice (especially if you are newer to rule-writing). Structure mode is a new interface for https://semgrep.dev/blog/surprising-subtleties-of-docker-permissions Our unique infrastructure leads to unique challenges related to how Docker interacts with filesystem permissions https://semgrep.dev/blog/taint-mode-is-now-in-beta Using the flexibility of Semgrep patterns with taint mode to find injection vulnerabilities https://semgrep.dev/blog/teaching-security-champions In the previous article, we talked about how to engage your champions. We want them interested, revved up and ready to go. You are in a room full of brand-new security champions and they are itching to learn all about ‘cyber', what do you do? What do you teach them? How do you impress them? https://semgrep.dev/blog/testing-autofix-behavior-of-sast-rules Automatically test the autofix behavior of custom Semgrep rules https://semgrep.dev/blog/testing-vulnerable-pyyaml-versions Understanding which PyYAML API versions are vulnerable with a testing matrix https://semgrep.dev/blog/the-best-free-open-source-supply-chain-tool-the-lockfile Lockfiles: the best investment you can make for supply chain security https://semgrep.dev/blog/the-birth-of-semgrep-pro-engine Of all our projects, adding interfile analysis in a way that achieves our developer-focused goals without the aid of the open-source community has been the hardest. To succeed, we had to develop against a focused benchmark of real vulnerabilities before iterating with users thoughtfully. https://semgrep.dev/blog/the-cve-program-s-new-rules-will-they-affect-your-vulnerability-management The new CNA Rules v4.0 introduce more flexible, case-by-case CVE assignment guidelines, emphasizing a community-driven approach and potentially increasing the number of recognized vulnerabilities to enhance overall cybersecurity management. https://semgrep.dev/blog/the-difference-between-sca-and-supply-chain-security Right now, the concept of the software supply chain and securing it is quite trendy. After the  https://semgrep.dev/blog/the-tech-behind-semgrep-assistant Semgrep Assistant is like having another median-level security engineer on your team, whose sole responsibility is parsing through findings and giving humans-in-the-loop (even those with no security knowledge) everything they need to quickly and confidently take the right course of action. How does it work? https://semgrep.dev/blog/three-key-learnings-for-appsec-teams-from-the-xz-backdoor It’s been a week since the https://semgrep.dev/blog/three-things-your-linter-shouldnt-tell-you How we’ve curated our code checks in Bento https://semgrep.dev/blog/tips-and-tricks-for-writing-fixes A few tips you might not know to improve your Semgrep usage https://semgrep.dev/blog/transitive-supply-chain-vulnerabilities In this blog post, Kyle Kelly, Semgrep Security Researcher, discusses transitive dependencies, prioritizing risks based on exploitability, and why today’s issues aren’t going anywhere anytime soon. https://semgrep.dev/blog/turbo-mode We modified the https://semgrep.dev/blog/type-awareness-in-semantic-grep How we’re making Sempgrep patterns more precise with type support https://semgrep.dev/blog/understanding-and-preventing-dos-in-web-apps Modeling DoS attacks through attacker leverage https://semgrep.dev/blog/understanding-log4j-and-log4shell A guide to determining exposure and mitigation of the vulnerability in Log4j https://semgrep.dev/blog/unlocking-advanced-security-for-all-with-semgrep Introducing free access to Semgrep Supply Chain and Code’s Pro features, for up to 10 monthly contributors. Additionally, Semgrep is faster and runs with every keystroke in the browser and in VS Code. https://semgrep.dev/blog/using-ai-to-write-secure-code-with-semgrep Announcement details for https://semgrep.dev/blog/using-wasm-and-javascript-to-support-ocaml-on-windows Semgrep now supports Windows for our https://semgrep.dev/blog/we-hack-purple-and-i-are-joining-semgrep Why I'm choosing Semgrep, and what the future will hold for the AppSec Community. https://semgrep.dev/blog/what-it-takes-to-make-shift-left-work The surface area of software is expanding at a rate well above our ability to secure it. How can we speed software delivery and prevent security incidents at the same time? https://semgrep.dev/blog/when-devsecops-goes-wrong-a-short-lesson-from-huaweis-source-code A quick look at a breakdown in the security and developer team interface https://semgrep.dev/blog/why-i-moved-to-semgrep-for-all-my-code-analysis An inside look at writing program analysis using Semgrep https://semgrep.dev/blog/why-sast-tools-need-to-be-customizable Most modern SAST tools only provide findings, with no control or visibility into why or how they were surfaced. When shifting left, this makes false positives a shared problem between AppSec and developers. Customizability solves this issue, letting security teams shift SAST left gradually, without putting their reputations on the line. https://semgrep.dev/blog/writing-robust-flask-apps-sf-python-meetup-april-08 Material from the presentation at the SF Python Virtual Meetup https://semgrep.dev/blog/writing-semgrep-rules-a-methodology How to think about and approach writing new Semgrep rules https://semgrep.dev/blog/xml-security-in-java Java XML security issues and how to address them https://semgrep.dev/blog/xss-cheat-sheets Run a single Semgrep command to check your app for XSS