Additional Resources #

Suggested rules #

• Official Semgrep rules registry
• Trail of Bits public Semgrep rules
• dgryski Go rules for Semgrep
• 0xdea/semgrep-rules
• elttam/semgrep-rules
• kondukto-io/semgrep-rules
• federicodotta/semgrep-rules
• mindedsecurity/semgrep-rules-android-security

Trail of Bits blog posts on Semgrep #

• Discovering goroutine leaks with Semgrep
• Secure your machine learning with Semgrep
• Secure your Apollo GraphQL server with Semgrep
• How to introduce Semgrep to your organization

Publications #

Official Semgrep resources #

• Rule updates | Semgrep
• Official Semgrep blog

Introduction to Semgrep #

• A Practical Introduction to Semgrep
• 🎦 Semgrep: a lightweight static analysis tool for security consultant and hackers
• 🎦 Detect complex code patterns using semantic grep
• 🎦 Semgrep part 1 - Embrace Secure Defaults, Block Anti-patterns and more
• 🎦 OCaml Workshop 2021 - Semgrep a fast lightweight polyglot static analysis tool to find bugs
• 🎦 Detect Complex Code Patterns Using Semantic Grep - OWASP ATL Meeting

Semgrep in the organization #

• How Two Interns Are Helping Secure Millions of Lines of Code
• 🎦 Workshop: Scaling your AppSec Program with Semgrep
• 🎦 Scaling Your Security Program with Semgrep
• 🎦 How to Eradicate Vulnerability Classes with Secure Defaults + Lightweight Enforcement

Creating custom Semgrep rules #

• 11 Semgrep Rules for Go Web Projects
• Detecting Android Content Provider APIs with Semgrep Rules
• Enforcing Code & Security Standards with Semgrep
• Using Semgrep to find security issues and misconfiguration in AWS Cloud Development Kit projects
• Spring Actuator Security, Part 2: Finding Actuators using Static Code Analysis with Semgrep
• Semgrep ruleset for C/C++ vulnerability research
• Customizing Semgrep Rules for Flask/Django and Other Popular Web Frameworks
• Semgrep: scanning unusual extensions
• Semgrep - Matching JavaScript Imports
• Linting naked returns with Semgrep
• Ensuring postMessage Origin Validation with Semgrep
• 🎦 Semgrep Weekly Wednesday Office Hours: Modifying Rules to Reduce False Positives

Semgrep in vulnerability discovery #

• Automating binary vulnerability discovery with Ghidra and Semgrep
• 🎦 Raining CVEs On WordPress Plugins With Semgrep | Nullcon Goa 2022
• 🎦 Automating Android App Vulnerability Discovery with Semgrep

Semgrep in CI/CD #

• 🎦 Using Semgrep and Jenkins for Static Code Analysis
• 🎦 Adding in Semgrep SAST job and configuring custom rules