How to write code-base specific lints for correctness and security using Semgrep

North West Ruby User Group
Public group

Online event

This event has passed

Details

Every code base comes with a set of built-in expectations: do things this way, don’t do things that way. These expectations may be related to security (avoid this dangerous function), correctness (if you don’t call foo() before bar(), it’s a bug), performance, robustness, and more.

There are some great tools with out-of-the-box checks you can use, like Brakeman for security and RuboCop for linting and quality. But what if there are code patterns you want to enforce that are unique to your code bases? Existing tools won’t have these checks, because they’re not general Ruby or framework patterns; they’re specific to you.

You can augment existing tools with custom checks, but this generally requires learning a potentially complicated DSL or API, and becoming familiar with abstract syntax trees (ASTs) and the tool’s architecture. Feasible, but it takes some work.

But what if you could write lints for Ruby that are essentially just Ruby, no complicated upfront learning required?

In this talk, we’ll show how to do just that, using Semgrep (https://github.com/returntocorp/semgrep), an open source, lightweight static analysis tool.

We’ll discuss how to:

* Search for Ruby code using patterns that are basically just Ruby (with a few helpful abstractions)
* Find and block security bugs from entering your code
* Scale your team’s productivity: automate the things you always comment in code reviews, and help onboard new engineers with custom checks that teach them calling conventions. Replace internal docs that people don’t read with checks that scan every PR.
* Iteratively explore code bases, finding potential problem spots or anomalies; for example, functions whose return value should be checked, or `before_filter`s that should be consistently applied.
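To make the bullet points above concrete, here is an added example of three custom rules written in Semgrep's YAML rule format; it is not code from the talk or from the Semgrep project. Each rule's pattern is essentially Ruby plus the `...` wildcard and `$NAME` metavariables. The method names `foo`/`bar`, the base class `ApplicationController` and the filter `authenticate_user!` are assumed for illustration, and the patterns assume calls are written with parentheses:

```yaml
# Added example, not from the talk or the Semgrep project: three custom rules
# in Semgrep's YAML rule format, each using a pattern that is essentially Ruby.
# foo, bar, ApplicationController and authenticate_user! are assumed names.
rules:
  # Security: flag eval on anything other than a string literal.
  # "..." inside the call matches any argument; the pattern-not clause
  # excludes the harmless case of a constant string.
  - id: ruby-eval-of-non-literal
    languages: [ruby]
    severity: WARNING
    message: eval() called on a non-literal argument; use a safer alternative
    patterns:
      - pattern: eval(...)
      - pattern-not: eval("...")

  # Correctness: bar() must be preceded by foo() in the same statement sequence.
  # pattern-not-inside drops any bar() that already sits after a foo() call.
  - id: bar-called-without-foo
    languages: [ruby]
    severity: ERROR
    message: bar() called without a preceding foo() call
    patterns:
      - pattern: bar()
      - pattern-not-inside: |
          foo()
          ...
          bar()

  # Consistency: every controller must apply the authentication filter.
  # $C binds the class name so it can be reported in the message; "..."
  # stands for any statements before and after the before_action line.
  - id: controller-missing-authentication
    languages: [ruby]
    severity: WARNING
    message: controller $C does not declare before_action :authenticate_user!
    patterns:
      - pattern: |
          class $C < ApplicationController
            ...
          end
      - pattern-not: |
          class $C < ApplicationController
            ...
            before_action :authenticate_user!
            ...
          end
```

Save the file as `rules.yml` and run `semgrep --config rules.yml app/` to scan a Rails tree; the same command in CI is what turns these expectations into a check that runs on every PR. The second and third rules show the general shape of "X must appear before/inside Y" checks: match the thing you care about, then subtract the acceptable contexts with `pattern-not` or `pattern-not-inside`.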

You’ll leave this talk with another open source tool in your toolbelt for helping you and your team release higher quality, more secure code, faster and easier.

## About the speaker

Yoann Padioleau is a software engineer at r2c, and the main author of Semgrep, an open-source syntax-aware code search tool. Previously, Yoann started the AppSec, Test Engineering, and Program Analysis teams at Facebook, where he created many tools for software developers, including an ancestor of Semgrep for PHP. Before that, he was doing research in academia with a focus on developer tools. He co-created Coccinelle in 2008 with Julia Lawall, which is also an ancestor of Semgrep for C. Yoann received his PhD in Computer Science at INRIA Rennes in France. He currently lives in Italy, and loves to code and do research on stuff which makes it easier to code stuff.

## Register to attend

If you’d like to attend, you must indicate you are coming before 5pm on the day of the event. We’ll send out the meeting details on the day via Meetup. Please check your spam folder as Meetup emails can often end up in there.

In the meantime make sure you are set up and ready to go by downloading and installing the Zoom client (https://zoom.us/support/download).
If you don’t want to install the Zoom client there is a web client (https://support.zoom.us/hc/en-us/articles/214629443-Zoom-Web-Client) but it’s not as fully featured and you’ll still need to sign in with a Zoom account to use it.