Lockfiles: the best investment you can make for supply chain security
A guide to determining exposure and mitigation of the vulnerability in Log4j
Semgrep now has experimental support for Bash. This allows detecting problems in shell scripts when it would be hard or impossible with plain grep.
Updates for Node, Express, and other JavaScript rules
How an academic project for the Linux kernel evolved into a multilingual security tool
C# parse rate is now over 99%
Announcing the rule board, finding triage, and Jira integration
Announcing taint mode, Terraform support, and auto-configuration
Using the flexibility of Semgrep patterns with taint mode to find injection vulnerabilities
A walk through of practical and real-world Semgrep examples for Java
Semgrep rules for GitHub Actions
Video from our meetup on August 11th
Research on guardrails and how to slash the risk of XSS in half
Slack’s DEF CON 29 AppSec Village presentation
Announcing new funding and our partnership with GitLab
A deep dive tool comparison
Semgrep now has 1st-class integration into GitLab
Semgrep v0.52.0 includes alpha C# support
A new Semgrep ruleset to detect leaked secrets
Semgrep now has alpha support for YAML
Integrating open source static analysis into Jenkins jobs
The most important static analysis metric
Appsec Development: Keeping it all together at scale
Run a single Semgrep command to check your app for XSS
Forbes’ inaugural Cybersecurity Awards
Practical ways to bridge the gap between AppSec and development
A quick look at a breakdown in the security and developer team interface
Semgrep v0.35.0 includes GA Ruby support
Match code patterns in configuration files, structured data, and more
Leveraging weaknesses in Rendertron and other headless renderers
Announcing r2c's funding and Semgrep.dev
Why I’m betting on r2c and where I think application security is headed
Enabling developers to rapidly solve security issues
How to think about and approach writing new Semgrep rules
Modeling DoS attacks through attacker leverage
Video from meetup hosted on August 26th
How we’re making Sempgrep patterns more precise with type support
Avoid accidental HTML injection when sending emails from an application
Examining 2,000+ npm modules for common mistakes when using JWT
Injection using the HTTP verb in Django
Video from the Bay Area OWASP Meetup on May 21
Semgrep is an open-source tool that is like a code-aware grep
An inside look at writing program analysis using Semgrep
The creator of Django on preventing SQL injection
Video from Hella Secure’s virtual AppSec conference, HellaConf
Video from the Silicon Valley Cyber Security Meetup on April 9
Improving regular expression denial-of-service detection
Material from the presentation at the SF Python Virtual Meetup
A check for the Requests library to detect credentials sent over HTTP
Catch a high-severity Python vuln and new checks for Jinja templates
Find severe regular expression denial-of-service bugs in Python using Bento
Automating regular expression denial-of-service detection
Changes to Bento’s default behavior integrate it more smoothly into your workflow
Our learnings from user feedback and how to use Bento individually and on teams
Check for missing authorization decorators in apps using JWTs
Detect possible XSS in unescaped Jinja templates used in Flask
Find use of json.dumps() in Flask where jsonify() should be used instead
Ensure cookie settings are set securely in Flask
Bento check to detect if send_file() will throw an exception
Introducing Bento, a free and opinionated toolkit for easily adopting linters and program analysis in a codebase
How we’ve curated our code checks in Bento
Material from our DEF CON workshop on finding vulnerabilities at ecosystem-scale
Our unique infrastructure leads to unique challenges related to how Docker interacts with filesystem permissions