r2c blog

Shift left with fast static analysis

r2c is passionate about improving software security and reliability. We make tools for security engineers, researchers, and hackers that simplify program analysis and make it accessible in the development workflow.

Testing autofix behavior of SAST rules

by Pieter De Cremer on August 03, 2022

Automatically test the autofix behavior of custom Semgrep rules

Security scanning with Semgrep in CI

by Holden McGovern on July 20, 2022

Integrating security scans into GitHub, GitLab, CircleCI, and other CI providers

My experience interning at r2c

by Vivek Khimani on June 30, 2022

Vivek's experience interning at r2c

Announcing Semgrep's general availability support of PHP

by Pablo Estrada on June 22, 2022

Semgrep adds PHP support including 40+ new rules

Write custom rules with the new Playground

by Milan Williams on June 14, 2022

Use the new Playground to make rule-writing simple, fast, and flexible

Introducing DeepSemgrep

by Isaac Evans and Iago Abal on May 24, 2022

DeepSemgrep is a proprietary extension to Semgrep that allows inter-file analysis to help reduce false positives and negatives

Semgrep's May 2022 updates: Introducing DeepSemgrep, plus new Playground, and self managed GitHub + GitLab support!

by Chinmay Gaikwad on May 11, 2022

See all that’s shipped between February and May and how to get the latest enhancements

Tips and tricks for writing fixes

by Pieter De Cremer on April 18, 2022

A few tips you might not know to improve your Semgrep usage

Semgrep Spring 2022 meetup recap

by Emily Fortuna on April 06, 2022

A look into the information shared at Semgrep's Spring 2022 meetup

Scaling Semgrep rule coverage by spidering language documentation

by Kurt Boberg on March 10, 2022

How we made it easy to follow .NET coding best practices by scraping the MSDN documentation for recommendations and concerns.

Semgrep's February 2022 Updates: Developer Feedback, Editor, and much more!

by Chinmay Gaikwad on February 10, 2022

Summary of Semgrep releases from October to February

Keep your rules simple with symbolic propagation

by Iago Abal on February 07, 2022

Symbolic propagation is an experimental feature that enables Semgrep to perform matching modulo variable assignments, so you can keep rules simple but powerful.

The best free, open-source supply-chain security tool? The lockfile

by Isaac Evans on January 20, 2022

Lockfiles: the best investment you can make for supply chain security

Understanding and mitigating the Log4Shell vulnerability

by Vasilii Ermilov and Pablo Estrada on December 16, 2021

A guide to determining exposure and mitigation of the vulnerability in Log4j

Scanning Shell Scripts With Semgrep

by Martin Jambon on December 13, 2021

Semgrep now has experimental support for Bash. This allows detecting problems in shell scripts when it would be hard or impossible with plain grep.

New, high-signal rules for the JavaScript ecosystem

by Vasilii Ermilov on November 16, 2021

Updates for Node, Express, and other JavaScript rules

Semgrep: a static analysis journey

by Yoann Padioleau and Emma Jin on November 09, 2021

How an academic project for the Linux kernel evolved into a multilingual security tool

Announcing general availability of C#

by Pablo Estrada on November 08, 2021

C# parse rate is now over 99%

Semgrep App's Fall 2021 Updates

by Bence Nagy on October 21, 2021

Announcing the rule board, finding triage, and Jira integration

Semgrep's Fall 2021 Updates

by Bence Nagy on October 21, 2021

Announcing taint mode, Terraform support, and auto-configuration

Taint mode is now in beta

by Iago Abal on October 21, 2021

Using the flexibility of Semgrep patterns with taint mode to find injection vulnerabilities

Seattle Java User Group: Detect complex code patterns using Semgrep

by Pablo Estrada on October 07, 2021

A walk through of practical and real-world Semgrep examples for Java

Protect Your GitHub Actions with Semgrep

by Grayson Hardaway on October 01, 2021

Semgrep rules for GitHub Actions

Recording: Semgrep Summer 2021 Meetup

by Pablo Estrada on August 23, 2021

Video from our meetup on August 11th

BSides Las Vegas: the power of guardrails

by Pablo Estrada on August 18, 2021

Research on guardrails and how to slash the risk of XSS in half

Slack on scaling static analysis with Semgrep

by Pablo Estrada on August 10, 2021

Slack’s DEF CON 29 AppSec Village presentation

r2c's Series B funding

by Isaac Evans on July 07, 2021

Announcing new funding and our partnership with GitLab

JavaScript static analysis comparison: ESLint vs Semgrep

by Colleen Dai on June 30, 2021

A deep dive tool comparison

Introducing Semgrep for GitLab

by Bence Nagy and Pablo Estrada on June 22, 2021

Semgrep now has 1st-class integration into GitLab

Python static analysis comparison: Bandit vs Semgrep

by Grayson Hardaway and Clint Gibler on June 22, 2021

A deep dive tool comparison

Announcing C# alpha support

by Iago Abal on June 04, 2021

Semgrep v0.52.0 includes alpha C# support

🤫 Don't leak your secrets

by Pablo Estrada on April 14, 2021

A new Semgrep ruleset to detect leaked secrets

How we made Semgrep rules run on Semgrep rules

by Emma Jin on April 02, 2021

Semgrep now has alpha support for YAML

Jenkins Meetup: An open source security scanner for most languages

by Pablo Estrada on February 18, 2021

Integrating open source static analysis into Jenkins jobs

Should random() be banned?

by Luke O'Malley on February 11, 2021

The most important static analysis metric

Appsec Development: Keeping it all together at scale

by Jacob Salassi (Snowflake) & Clint Gibler on February 08, 2021

Appsec Development: Keeping it all together at scale

Executable XSS cheat sheets for popular web frameworks

by Pablo Estrada on January 21, 2021

Run a single Semgrep command to check your app for XSS

r2c named Disruptive Innovator by Forbes

by Pablo Estrada on January 12, 2021

Forbes’ inaugural Cybersecurity Awards

Four levels of maturity that bridge the AppSec / engineering divide

by Jacob Kaplan-Moss on January 08, 2021

Practical ways to bridge the gap between AppSec and development

When DevSecOps goes wrong: a short lesson from Huawei's source code

by Isaac Evans on December 18, 2020

A quick look at a breakdown in the security and developer team interface

Announcing Ruby GA support

by Matt Schwager on December 17, 2020

Semgrep v0.35.0 includes GA Ruby support

Experimental feature: generic pattern matching

by Pablo Estrada on December 03, 2020

Match code patterns in configuration files, structured data, and more

Exploiting dynamic rendering engines to take control of web apps

by Vasilii Ermilov on November 19, 2020

Leveraging weaknesses in Rendertron and other headless renderers

Introducing Semgrep and r2c

by Isaac Evans on October 29, 2020

Announcing r2c's funding and Semgrep.dev

The future of AppSec and why I joined r2c

by Clint Gibler on October 28, 2020

Why I’m betting on r2c and where I think application security is headed

Fixing leaky logs: how to find a bug and ensure it never returns

by Nathan Brahms on October 28, 2020

Enabling developers to rapidly solve security issues

Writing Semgrep rules: a methodology

by r2c team on October 23, 2020

How to think about and approach writing new Semgrep rules

Not all attacks are equal: understanding and preventing DoS in web applications

by Jacob Kaplan-Moss on September 11, 2020

Modeling DoS attacks through attacker leverage

r2c meetup on writing Semgrep rules

by Pablo Estrada on September 09, 2020

Video from meetup hosted on August 26th

Type-awareness in semantic grep

by Emma Jin on August 05, 2020

How we’re making Sempgrep patterns more precise with type support

How to prevent HTML email injection in Python web apps

by Grayson Hardaway on July 01, 2020

Avoid accidental HTML injection when sending emails from an application

Hardcoded secrets, unverified tokens, and other common JWT mistakes

by Vasilii Ermilov on June 19, 2020

Examining 2,000+ npm modules for common mistakes when using JWT

Be careful what you request for

by Grayson Hardaway on May 28, 2020

Injection using the HTTP verb in Django

Bay Area OWASP Meetup presentation

by Pablo Estrada on May 22, 2020

Video from the Bay Area OWASP Meetup on May 21

Semgrep: Stop grepping code

by Isaac Evans on May 19, 2020

Semgrep is an open-source tool that is like a code-aware grep

Pain-free Custom Linting: Why I moved from ESLint and Bandit to Semgrep

by Ulziibayar Otgonbaatar on May 15, 2020

An inside look at writing program analysis using Semgrep

Preventing SQL injection: a Django author's perspective

by Jacob Kaplan-Moss and Grayson Hardaway on May 12, 2020

The creator of Django on preventing SQL injection

Semgrep at Hella Secure HellaConf 2020

by Pablo Estrada on May 05, 2020

Video from Hella Secure’s virtual AppSec conference, HellaConf

Silicon Valley Cyber Security: Detect complex code patterns using semantic grep

by Pablo Estrada on April 24, 2020

Video from the Silicon Valley Cyber Security Meetup on April 9

Improving ReDoS detection and finding more bugs using Dlint and r2c

by Matt Schwager on April 13, 2020

Improving regular expression denial-of-service detection

SF Python: Writing robust Flask apps

by Pablo Estrada on April 09, 2020

Material from the presentation at the SF Python Virtual Meetup

Bento check: Detecting authentication credentials leaked over HTTP

by Grayson Hardaway on March 22, 2020

A check for the Requests library to detect credentials sent over HTTP

Bento 0.9: Checks for a high-severity Python vulnerability and Jinja templates

by Pablo Estrada on February 19, 2020

Catch a high-severity Python vuln and new checks for Jinja templates

Bento check: Catch catastrophic backtracking ReDoS bugs

by Matt Schwager on February 05, 2020

Find severe regular expression denial-of-service bugs in Python using Bento

Finding Python ReDoS bugs at scale using Dlint and r2c

by Matt Schwager on February 05, 2020

Automating regular expression denial-of-service detection

Bento 0.8: Updated workflows and new specialty checks

by Luke O'Malley on January 24, 2020

Changes to Bento’s default behavior integrate it more smoothly into your workflow

Using Bento individually and on team projects

by Pablo Estrada on January 23, 2020

Our learnings from user feedback and how to use Bento individually and on teams

Bento check: Securing your Flask routes with JWT decorators

by Sharon Lin on January 14, 2020

Check for missing authorization decorators in apps using JWTs

Bento check: Flask template files that aren’t autoescaped by default

by Grayson Hardaway on January 07, 2020

Detect possible XSS in unescaped Jinja templates used in Flask

Bento check: Use jsonify() instead of json.dumps() in Flask

by Grayson Hardaway on December 19, 2019

Find use of json.dumps() in Flask where jsonify() should be used instead

Bento check: Keeping your cookies safe in Flask

by Grayson Hardaway on December 19, 2019

Ensure cookie settings are set securely in Flask

Flask check: send_file() with a file handle

by Grayson Hardaway on November 26, 2019

Bento check to detect if send_file() will throw an exception

Our quest to make world-class security and bugfinding available to all developers, for free

by Isaac Evans on November 14, 2019

Introducing Bento, a free and opinionated toolkit for easily adopting linters and program analysis in a codebase

Three things your linter shouldn’t tell you

by Grayson Hardaway on November 14, 2019

How we’ve curated our code checks in Bento

DEF CON 27 workshop on finding vulnerabilities at scale

by Pablo Estrada on August 15, 2019

Material from our DEF CON workshop on finding vulnerabilities at ecosystem-scale

Surprising subtleties of Docker permissions

by Ash Zahlen on May 14, 2019

Our unique infrastructure leads to unique challenges related to how Docker interacts with filesystem permissions