r2c blog

Shift left with fast static analysis

r2c is passionate about improving software security and reliability. We make tools for security engineers, researchers, and hackers that simplify program analysis and make it accessible in the development workflow.

r2c's Series B funding

by Isaac Evans on July 07, 2021

Announcing new funding and our partnership with GitLab

JavaScript static analysis comparison: ESLint vs Semgrep

by Colleen Dai on June 30, 2021

A deep dive tool comparison

Introducing Semgrep for GitLab

by Bence Nagy and Pablo Estrada on June 22, 2021

Semgrep now has 1st-class integration into GitLab

Python static analysis comparison: Bandit vs Semgrep

by Grayson Hardaway and Clint Gibler on June 22, 2021

A deep dive tool comparison

Announcing C# alpha support

by Iago Abal on June 04, 2021

Semgrep v0.52.0 includes alpha C# support

🤫 Don't leak your secrets

by Pablo Estrada on April 14, 2021

A new Semgrep ruleset to detect leaked secrets

How we made Semgrep rules run on Semgrep rules

by Emma Jin on April 02, 2021

Semgrep now has alpha support for YAML

Jenkins Meetup: An open source security scanner for most languages

by Pablo Estrada on February 18, 2021

Integrating open source static analysis into Jenkins jobs

Should random() be banned?

by Luke O'Malley on February 11, 2021

The most important static analysis metric

Appsec Development: Keeping it all together at scale

by Jacob Salassi (Snowflake) & Clint Gibler on February 08, 2021

Appsec Development: Keeping it all together at scale

Executable XSS cheat sheets for popular web frameworks

by Pablo Estrada on January 21, 2021

Run a single Semgrep command to check your app for XSS

r2c named Disruptive Innovator by Forbes

by Pablo Estrada on January 12, 2021

Forbes’ inaugural Cybersecurity Awards

Four levels of maturity that bridge the AppSec / engineering divide

by Jacob Kaplan-Moss on January 08, 2021

Practical ways to bridge the gap between AppSec and development

When DevSecOps goes wrong: a short lesson from Huawei's source code

by Isaac Evans on December 18, 2020

A quick look at a breakdown in the security and developer team interface

Announcing Ruby GA support

by Matt Schwager on December 17, 2020

Semgrep v0.35.0 includes GA Ruby support

Experimental feature: generic pattern matching

by Pablo Estrada on December 03, 2020

Match code patterns in configuration files, structured data, and more

Exploiting dynamic rendering engines to take control of web apps

by Vasilii Ermilov on November 19, 2020

Leveraging weaknesses in Rendertron and other headless renderers

Introducing Semgrep and r2c

by Isaac Evans on October 29, 2020

Announcing r2c's funding and Semgrep.dev

The future of AppSec and why I joined r2c

by Clint Gibler on October 28, 2020

Why I’m betting on r2c and where I think application security is headed

Fixing leaky logs: how to find a bug and ensure it never returns

by Nathan Brahms on October 28, 2020

Enabling developers to rapidly solve security issues

Writing Semgrep rules: a methodology

by r2c team on October 23, 2020

How to think about and approach writing new Semgrep rules

Not all attacks are equal: understanding and preventing DoS in web applications

by Jacob Kaplan-Moss on September 11, 2020

Modeling DoS attacks through attacker leverage

r2c meetup on writing Semgrep rules

by Pablo Estrada on September 09, 2020

Video from meetup hosted on August 26th

Type-awareness in semantic grep

by Emma Jin on August 05, 2020

How we’re making Semgrep patterns more precise with type support

How to prevent HTML email injection in Python web apps

by Grayson Hardaway on July 01, 2020

Avoid accidental HTML injection when sending emails from an application

Hardcoded secrets, unverified tokens, and other common JWT mistakes

by Vasilii Ermilov on June 19, 2020

Examining 2,000+ npm modules for common mistakes when using JWT

Be careful what you request for

by Grayson Hardaway on May 28, 2020

Injection using the HTTP verb in Django

Bay Area OWASP Meetup presentation

by Pablo Estrada on May 22, 2020

Video from the Bay Area OWASP Meetup on May 21

Semgrep: Stop grepping code

by Isaac Evans on May 19, 2020

Semgrep is an open-source tool that is like a code-aware grep

Pain-free Custom Linting: Why I moved from ESLint and Bandit to Semgrep

by Ulziibayar Otgonbaatar on May 15, 2020

An inside look at writing program analysis using Semgrep

Preventing SQL injection: a Django author's perspective

by Jacob Kaplan-Moss and Grayson Hardaway on May 12, 2020

The creator of Django on preventing SQL injection

Semgrep at Hella Secure HellaConf 2020

by Pablo Estrada on May 05, 2020

Video from Hella Secure’s virtual AppSec conference, HellaConf

Silicon Valley Cyber Security: Detect complex code patterns using semantic grep

by Pablo Estrada on April 24, 2020

Video from the Silicon Valley Cyber Security Meetup on April 9

Improving ReDoS detection and finding more bugs using Dlint and r2c

by Matt Schwager on April 13, 2020

Improving regular expression denial-of-service detection

SF Python: Writing robust Flask apps

by Pablo Estrada on April 09, 2020

Material from the presentation at the SF Python Virtual Meetup

Bento check: Detecting authentication credentials leaked over HTTP

by Grayson Hardaway on March 22, 2020

A check for the Requests library to detect credentials sent over HTTP

Bento 0.9: Checks for a high-severity Python vulnerability and Jinja templates

by Pablo Estrada on February 19, 2020

Catch a high-severity Python vuln and new checks for Jinja templates

Bento check: Catch catastrophic backtracking ReDoS bugs

by Matt Schwager on February 05, 2020

Find severe regular expression denial-of-service bugs in Python using Bento

Finding Python ReDoS bugs at scale using Dlint and r2c

by Matt Schwager on February 05, 2020

Automating regular expression denial-of-service detection

Bento 0.8: Updated workflows and new specialty checks

by Luke O'Malley on January 24, 2020

Changes to Bento’s default behavior integrate it more smoothly into your workflow

Using Bento individually and on team projects

by Pablo Estrada on January 23, 2020

Our learnings from user feedback and how to use Bento individually and on teams

Bento check: Securing your Flask routes with JWT decorators

by Sharon Lin on January 14, 2020

Check for missing authorization decorators in apps using JWTs

Bento check: Flask template files that aren’t autoescaped by default

by Grayson Hardaway on January 07, 2020

Detect possible XSS in unescaped Jinja templates used in Flask

Bento check: Use jsonify() instead of json.dumps() in Flask

by Grayson Hardaway on December 19, 2019

Find use of json.dumps() in Flask where jsonify() should be used instead

Bento check: Keeping your cookies safe in Flask

by Grayson Hardaway on December 19, 2019

Ensure cookie settings are set securely in Flask

Flask check: send_file() with a file handle

by Grayson Hardaway on November 26, 2019

Bento check to detect if send_file() will throw an exception

Our quest to make world-class security and bugfinding available to all developers, for free

by Isaac Evans on November 14, 2019

Introducing Bento, a free and opinionated toolkit for easily adopting linters and program analysis in a codebase

Three things your linter shouldn’t tell you

by Grayson Hardaway on November 14, 2019

How we’ve curated our code checks in Bento

DEF CON 27 workshop on finding vulnerabilities at scale

by Pablo Estrada on August 15, 2019

Material from our DEF CON workshop on finding vulnerabilities at ecosystem-scale

Surprising subtleties of Docker permissions

by Ash Zahlen on May 14, 2019

Our unique infrastructure leads to unique challenges related to how Docker interacts with filesystem permissions