Enforcing Code & Security Standards with Semgrep

Duration:
45 min

Abstract:
We’ll discuss a program analysis tool we’re developing called Semgrep. It's a multilingual semantic tool for writing security and correctness queries on source code (for Python, Java, Go, C, and JS) with a simple “grep-like” interface. The original author, Yoann Padioleau, worked on Semgrep’s predecessor, Coccinelle, for Linux kernel refactoring, and later developed Semgrep while at Facebook. He’s now full time with us at r2c.

Semgrep is a free open-source program analysis toolkit that finds bugs using custom analysis we’ve written and OSS code checks. Semgrep is ideal for security researchers, product security engineers, and developers who want to find complex code patterns without extensive knowledge of ASTs or advanced program analysis concepts.

For example, find subprocess calls with shell=True in Python using the query:
subprocess.open(..., shell=True)
This will even find snippets like:
import subprocess as s
s.open(f'rm {args}', shell=True)

Or find hardcoded credentials using the query:
boto3.client(..., aws_secret_access_key=”...”, aws_access_key_id=”...” )

Source code: https://github.com/returntocorp/semgrep
Test in your browser: https://semgrep.dev/

Speaker bio:
Bence Nagy is a software engineer at r2c, working on Semgrep, an open-source syntax-aware code search tool. At r2c, his responsibilities tend towards building various interfaces atop the core semgrep CLI. These include CI integrations, editor extensions, and the semgrep.live web app. He previously led a developer experience team at Kiwi.com, the Czech Republic’s top startup at the time of its acquisition in 2019. You should totally ask him for video game recommendations after the talk.