Useful Semgrep Links

[github-learning-lab[bot]]

This issue collects various links to useful Semgrep resources and documentation in one place so you can reference it if you ever get stuck.

• semgrep.dev - Semgrep's home page
  • @returntocorp/semgrep - Semgrep's source code on GitHub
• Semgrep Registry - Home of Semgrep's free, out-of-the-box rules (that is, security checks), written by r2c and the community.
  • These rules are grouped into "rulesets" that collect related functionality, like rules that check for secrets, target specific languages (e.g. javascript) or frameworks (e.g. django), or even entire vulnerability classes (e.g. xss or insecure transport).
  • @returntocorp/semgrep-rules - The source code of Semgrep's rules on GitHub.
  • Note that the Registry has more rules than what's just in the returntocorp/semgrep-rules repo, as the Registry includes Semgrep rules from other community repos, like NodeJSScan or Go rules by Damian Gryski.
• Semgrep Playground - Write and share Semgrep rules right from your browser, no installation required!

Rule Writing

There's a step by step rule writing tutorial here.

If you go to the Playground, you can also click the "Examples" button to view a number of illustrative built-in examples.

And of course, you can also review the over 1,000 rules in @returntocorp/semgrep-rules.

Docs

Semgrep has pretty extensive docs, which you can view here.

Of note:

• Pattern syntax - All of the ways you can match code within one pattern.
• Rule syntax - All of the ways you can combine Semgrep patterns to form more complex queries. For example, looking for code that matches this AND that, or this but NOT that, etc.

Community

Feel free to join the r2c community Slack to ask questions (we're super responsive!) or reach out to us on Twitter (@r2cdev), or send us an email at support@r2c.dev.

[artis3n]

Comment

[github-learning-lab[bot]]

Getting Started

Alright, first we'll do a few quick things to get you up and running.

At a high level, here's what we're going to do:

Join the r2c Community Slack - There's a channel for this workshop you can ask questions in, and we'll use it to set up notifications when Semgrep finds issues.

Create a free Semgrep App account - This lets us easily manage Semgrep in CI, set up notifications, configure scanning policy, view results over time, and more.

⌨️ Activity: Create a Dashboard Account, Set up Slack Notifications

1. Join a Slack channel that allows you to add webhook notifications, or create a new Slack instance if you don't have one available.
2. Log in to the Semgrep Dashboard.
3. Set up Slack Notifications.
   1. Visit the Slack App Directory (https://your_slacks_name.slack.com/apps), search "Incoming WebHooks", and in "Post to Channel" choose your name. This way, all notifications are going to be sent to you via direct message.
   2. Copy the "Webhook URL" generated on the next page (it should look like: https://hooks.slack.com/services/...) and go to the Semgrep Integrations page (you may need to click on "Integrations" in the left hand side navbar), create a new integration, select "Slack", provide a name, paste in the webhook url, then save it.
   3. Click the "Test" button, and you should see a message from Semgrep in Slack.
   4. See the Slack integration docs for additional details.
4. Now, on the Semgrep Policies page, click on each policy, go to Settings -> Integrations -> Add, select the Slack notification you set up, and click "Save".

Feel free to join the r2c community Slack and ask questions in #general or #workshop-2021-owasp-devslop if anything is unclear.

---

Comment on this pull request when you're ready and I'll respond with the next step.