GitLab CI/CD semgrep SAST (Static Application Security Testing) configuration example; blocks the MR if there is any finding.
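The configuration the post refers to is not on the page; the job below is an added example, not the poster's own file. It assumes a `.gitlab-ci.yml` at the repository root, the official `semgrep/semgrep` image, the registry pack `p/default`, and an in-repo ruleset directory `./semgrep/` (all of these are assumptions, not something the post states). The job fails, and so blocks the merge request, whenever Semgrep reports a WARNING or ERROR finding.

```yaml
# .gitlab-ci.yml (assumed layout): run Semgrep on merge-request pipelines and on
# the default branch, and fail the job if any rule fires.
stages:
  - test

semgrep-sast:
  stage: test
  image: semgrep/semgrep            # official Semgrep CLI image
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  variables:
    SEMGREP_RULES: "p/default"       # registry pack; assumed choice
    GIT_DEPTH: "0"                   # full history so diff-aware scans work
  script:
    # --error       : exit 1 when there are findings -> job fails -> MR blocked
    # --severity    : ignore INFO-level noise, keep WARNING and ERROR
    # --metrics=off : no telemetry from CI
    # ./semgrep/    : in-repo custom rules (assumed path)
    - semgrep scan
        --config "$SEMGREP_RULES"
        --config ./semgrep/
        --severity WARNING --severity ERROR
        --error
        --metrics=off
        --gitlab-sast --output gl-sast-report.json
        .
  artifacts:
    when: always                     # keep the report even when the job fails
    reports:
      sast: gl-sast-report.json      # feeds the MR security widget
  allow_failure: false
```

Two caveats a practitioner should check: a failed job only blocks the merge if the project's merge request settings require pipelines to succeed, and `--gitlab-sast --output` writes the findings to the report file, so `--error` is what carries the result into the job status.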
One static analysis tool tells me to use `lstat` and `fstat` to avoid (or at least detect) malicious replacement of a file that I `open`. Then, after doing this, my other static analysis tool complains that I’ve introduced a TOCTOU (time-of-use, time-of-check) between `lstat` and `open`.
Sure, but I’m going to detect that. The real issue I have with all of this is that there’s still a window (which I estimate to be about the same size in both versions of this program) between creating this pseudoterminal file and the next interaction I have with it (be that pulling file stats with `lstat` or `open`ing it).
#SemGrep #Coverity #StaticAnalysis #Programming #C
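As an added example (not the poster's code, and not a rule from any ruleset the page links), this is roughly how the second tool's complaint can be expressed as a Semgrep rule for C: a path is inspected with `stat`/`lstat`/`access` and later opened by name, which is CWE-367. The rule id, the exemption for `O_NOFOLLOW`, and the choice of check functions are assumptions; the intended safe shape is to `open` first and inspect the descriptor with `fstat`, which the rule does not flag because nothing is opened by name after the check.

```yaml
# Added example rule (assumed id). Matches, e.g.:
#   if (lstat(path, &st) == -1) { return -1; }
#   ...
#   fd = open(path, O_RDWR);           <- flagged: re-resolves path by name
# Does not match:
#   fd = open(path, O_RDWR | O_NOFOLLOW);
#   if (fstat(fd, &st) == -1) { ... }  <- check happens on the descriptor
rules:
  - id: c-stat-then-open-by-path
    languages: [c]
    severity: WARNING
    message: >-
      $PATH is inspected with $CHECK() and later opened by name, so the object
      can be swapped between the two calls (TOCTOU, CWE-367). Open it first
      (with O_NOFOLLOW where a symlink would be an attack) and inspect the
      descriptor with fstat() instead.
    metadata:
      cwe: "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition"
    patterns:
      - pattern-either:
          # check as a bare statement
          - pattern: |
              $CHECK($PATH, $ST);
              ...
              open($PATH, ...);
          # check inside an if condition, the common error-handling form
          - pattern: |
              if ($CHECK($PATH, $ST) $OP $RET) { ... }
              ...
              open($PATH, ...);
      - metavariable-regex:
          metavariable: $CHECK
          regex: ^(l?stat|access)$
      # assumed exemption: O_NOFOLLOW at least removes the symlink swap
      - pattern-not: |
          $CHECK($PATH, $ST);
          ...
          open($PATH, <... O_NOFOLLOW ...>, ...);
```

Note that the rule only reasons about the source order of the two calls; it cannot see the window the post is actually worried about (between creating the file and the first call on it), which is why the poster's "I'm going to detect that" position and the tool's finding are talking past each other.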
During the weekend, I’ve been working a bit on updating my battle-tested #semgrep ruleset for #c #vulnerability research
https://github.com/0xdea/semgrep-rules
Nothing major, just a couple of small updates. It feels good to be back doing some #security #research! Let’s see where this takes me…
SonarQube in action: plugins as the key element of quality control in a department
Hi! My name is Gleb, I'm a senior backend developer at ЮMoney. Last year my team worked intensively on rolling out and developing our static analysis infrastructure based on SonarQube. The result of that work was that SonarQube turned from a plain static analyzer into a full platform for automating many quality-control processes, from maintaining the code base and moving away from Kotlin to checking backward compatibility in OpenAPI specifications and database migrations. I'll describe the place this tool holds in our quality-control system and exactly how we got there.
https://habr.com/ru/companies/yoomoney/articles/905900/
#sonarqube #static_analysis #plugins #backend_development #code_quality_control #java #semgrep
Will you be at #RSAC or #BSidessf this year? Want to meet up with me? I've posted my schedule, with links so you can sign up for the free events. I'm also giving away 300 copies of my new book at the #Semgrep booth. It would be really nice to see you!
https://shehackspurple.ca/2025/04/17/my-schedule-at-rsac-2025/
What helps a developer write secure code: an overview of tools
Modern software production is a complex process. A developer is expected not only to write code but to handle a whole set of accompanying tasks: track changes, run tests, follow style rules and internal standards, keep security in mind, and apply security best practices while the code is still being written. But there is good news. A developer has access to a large number of tools that make the job easier, from linters to analyzers and automated testing systems; all of them integrate into the development environment and help solve hard tasks without distracting from the creative part of the work. In this article I, Evgeny Ilyakhin, secure development process architect at Positive Technologies, describe some very useful tools that automate routine work and raise code quality, letting the programmer concentrate on building the next feature or finding the optimal solution.
https://habr.com/ru/companies/pt/articles/891400/
#secure_development #appsec #devsecops #sonarlint #semgrep #gitleaks #gitsecret #trivy #secret_scanner #owasp_zap
Current status: learning about #semgrep https://semgrep.dev/ for a personal project 🚀 .
For this case we need a quick and extensible code-scanning solution that can process large code repositories in a reasonable amount of time and can be enhanced with custom rules. For a few years we've been using #Semgrep for this use case.
Better Code Scanning? Putting #Opengrep to the Test 🧐
Part of consistently improving our #pentesting procedures includes evaluating the tools we use in our assessments. When conducting code reviews and pentests of fat-client applications we are often faced with the challenge of identifying vulnerabilities in the target's source code. 🧵
#AppSec #CyberSecurity #InfoSec #Hacking #CodeReview #SourceCode #Semgrep
New open-source code scanner opengrep launched by security companies https://www.trendingtech.news/trending-news/2025/01/52277/nieuwe-open-source-code-scanner-opengrep-gelanceerd-door-beveiligingsbedrijven #Opengrep #Semgrep #open source #code-scanning #security #Trending #News
"We’re launching #Opengrep a fork of SemgrepCS (formerly SemgrepOSS), in response to recent changes by #Semgrep that affect its open-source nature and shift focus to its paid offering, limiting access and innovation for the broader community."
https://www.opengrep.dev/
https://github.com/opengrep/opengrep
OpenGrep sounds like a very interesting community initiative. I really hope this will get traction. The community needs open source tools without licensing pain.
Semgrep has been a great tool and it was just too disappointing to see it go paywalled over time.
#opengrep #semgrep
https://www.opengrep.dev/
🎉Announcing the latest research from our intern Michael Pastor! In it, you'll learn all about Decompression Attacks, get to practice in custom-built labs and get some free Semgrep rules for detecting flaws. Check it out today!
35 more Semgrep rules: infrastructure, supply chain, and Ruby - By Matt Schwager and Travis Peters
We are publishing another set of custom Semgrep rules,... https://blog.trailofbits.com/2024/12/09/35-more-semgrep-rules-infrastructure-supply-chain-and-ruby/ #applicationsecurity #semgrep
Announcing the Trail of Bits and Semgrep partnership - At Trail of Bits, we aim to share and develop tools and resources used in our security as... https://blog.trailofbits.com/2024/09/19/announcing-the-trail-of-bits-and-semgrep-partnership/ #testinghandbook #semgrep
"Unsafe path manipulation", it says, unsafe file operations on untrusted user input.
The code: fopen(argv[1])