fabio-r-souza / intro-to-semgrep

https://lab.github.com/returntocorp/intro-to-semgrep
MIT License

Useful Semgrep Links #2

Open github-learning-lab[bot] opened 3 years ago

github-learning-lab[bot] commented 3 years ago

This issue collects various links to useful Semgrep resources and documentation in one place so you can reference it if you ever get stuck.

Rule Writing

There's a step-by-step rule-writing tutorial here.

If you go to the Playground, you can also click the "Examples" button to view a number of illustrative built-in examples.

And of course, you can also review the over 1,000 rules in @returntocorp/semgrep-rules.

Docs

Semgrep has pretty extensive docs, which you can view here.

Of note:

Community

Feel free to join the r2c community Slack to ask questions (we're super responsive!) or reach out to us on Twitter (@r2cdev), or send us an email at support@r2c.dev.

fabio-r-souza commented 3 years ago

Learning semgrep

github-learning-lab[bot] commented 3 years ago

Getting Started

Alright, first we'll do a few quick things to get you up and running.

At a high level, here's what we're going to do:

Join the r2c Community Slack - There's a channel for this workshop you can ask questions in, and we'll use it to set up notifications when Semgrep finds issues.

Create a free Semgrep App account - This lets us easily manage Semgrep in CI, set up notifications, configure scanning policy, view results over time, and more.

⌨️ Activity: Create a Dashboard Account, Set up Slack Notifications

  1. Join a Slack channel that allows you to add webhook notifications, or create a new Slack instance if you don't have one available.
  2. Log in to the Semgrep Dashboard.
  3. Set up Slack Notifications.
    1. Visit the Slack App Directory (https://your_slacks_name.slack.com/apps), search "Incoming WebHooks", and in "Post to Channel" choose your name. This way, all notifications are going to be sent to you via direct message.
    2. Copy the "Webhook URL" generated on the next page (it should look like: https://hooks.slack.com/services/...) and go to the Semgrep Integrations page (you may need to click on "Integrations" in the left hand side navbar), create a new integration, select "Slack", provide a name, paste in the webhook url, then save it.
    3. Click the "Test" button, and you should see a message from Semgrep in Slack.
    4. See the Slack integration docs for additional details.
  4. Now, on the Semgrep Policies page, click on each policy, go to Settings -> Integrations -> Add, select the Slack notification you set up, and click "Save".

Feel free to join the r2c community Slack and ask questions in #general or #workshop-2021-owasp-devslop if anything is unclear.


Comment on this pull request when you're ready and I'll respond with the next step.

fabio-r-souza commented 3 years ago

Semgrep notification to Slack: Done

github-learning-lab[bot] commented 3 years ago

Great! Now we're going to set up Semgrep scanning every PR via GitHub actions by creating a semgrep.yml.

Though we're going to be using GitHub Actions in this workshop, Semgrep is nice and portable (easily runnable as a standalone binary or in Docker), so it's pretty easy to set up Semgrep in pretty much any CI platform under the sun.

See these docs for info about setting up Semgrep in GitLab, Buildkite, CircleCI, or other providers, and see here for more info about Semgrep in CI.

⌨️ Activity: Set up Semgrep in CI

  1. On the Projects page, select the "Add CI job to GitHub project" option, and click the "Get started" button.
    1. Semgrep's GitHub App is going to ask for a few, minimal permissions so it can auto-set things up for you (create a PR adding semgrep.yml to repos you want to onboard, etc.).
    2. If you want, you can only add the Semgrep GitHub App to this intro-to-semgrep repo. If you want to add more repos, you select "All repositories" or hand select a few more. You can always update this later via your GitHub profile Installed Applications settings.
  2. After you've authorized the Semgrep GitHub App, navigate back to the Projects page, click the "Refresh projects from GitHub" button, and then click the "Add CI job" button next to the intro-to-semgrep repo row.
  3. On the next page, click the "Commit file" button, then follow the instructions for setting up a GitHub Secret on the intro-to-semgrep repo.
    1. Note that we're adding the Secret to just this repo. If you want to run Semgrep across many of your or your org's repos, you probably want to add this Secret at your profile or org level, so you don't have to add it one repo at a time.
  4. A Semgrep scan will automatically start. We'll examine the results later; for now, comment on this PR and let's get writing some rules!

Comment on this Pull Request once you've finished onboarding Semgrep (semgrep.yml GitHub Action) to this repo.
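For reference, this is what a minimal `semgrep.yml` workflow looks like once the onboarding above has been done. It is an added illustrative example, not the file the Semgrep GitHub App commits for you: it assumes the repository secret created in step 3 is named `SEMGREP_APP_TOKEN`, that the default branch is `main`, and that the official `semgrep/semgrep` container image is used.

```yaml
# Illustrative GitHub Actions workflow (added example, not the file the
# Semgrep GitHub App generates). Assumed names: secret SEMGREP_APP_TOKEN,
# default branch main, image semgrep/semgrep.
name: Semgrep

on:
  pull_request: {}          # scan every PR; `semgrep ci` scans only the diff here
  push:
    branches: [main]        # full scan of the default branch after merge

# Least privilege: the scan only needs to read the checked-out tree.
permissions:
  contents: read

jobs:
  semgrep:
    name: semgrep/ci
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep   # pin to a digest (image@sha256:...) in production
    # Dependabot-triggered runs cannot read repository secrets; skip them.
    if: (github.actor != 'dependabot[bot]')
    steps:
      - uses: actions/checkout@v4
      # `semgrep ci` fetches the policy configured for this project in the
      # Semgrep App, uploads findings, and triggers the Slack notifications
      # set up earlier. The token is read from the environment, never from
      # the workflow file itself.
      - run: semgrep ci
        env:
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
```

Two caveats worth knowing before relying on the PR checks: GitHub does not expose repository secrets to `pull_request` workflows triggered from forks, so scans of fork PRs run without the token and do not report to the App; and `permissions: contents: read` deliberately withholds write access, so if you later want Semgrep to post PR comments you will need to grant `pull-requests: write` explicitly rather than leaving the default token permissions in place.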

fabio-r-souza commented 2 years ago

aaa

github-learning-lab[bot] commented 2 years ago

Congrats, you'll now get visibility into any time new routes are added to this app without auth!

As a busy security engineer or developer, you probably don't have time to manually audit every newly added route, but you do have time to audit routes that are potentially risky.

This exercise showed how to quickly flag potentially dangerous code being added that's unique to how your code is written.

No static analysis tool will have rules like this out of the box, as the tool creators have never seen your code nor do they know how it works.

But with Semgrep and a little hackery, we can easily create high signal, high ROI rules, tailored to our environment 🤘

⌨️ Next: Finding Secrets

In the next challenge, we'll see how to start scanning every PR for leaked secrets using out-of-the-box rules, and write a new rule to find a custom secret type.

Let's go!


Visit the next PR to continue.
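The "new route without auth" rule from this exercise is not shown in the thread, so here is an added example of the same idea, written independently of the workshop's own rule. It assumes a Flask-style app where handlers are registered with `@app.route(...)` and authentication is enforced with a `@login_required` decorator; both names are assumptions and should be swapped for whatever your code base actually uses.

```yaml
# Added example rule (not the workshop's rule). Assumed names: routes are
# declared with @app.route(...) and auth is enforced by @login_required.
rules:
  - id: route-without-login-required
    languages: [python]
    severity: WARNING
    message: >-
      Route $ROUTE is handled by $FUNC without @login_required. Add the
      decorator, or confirm in review that this endpoint is meant to be public.
    metadata:
      category: security
      cwe: "CWE-306: Missing Authentication for Critical Function"
    patterns:
      # Any function registered as a route (extra decorators are allowed)...
      - pattern: |
          @app.route($ROUTE, ...)
          def $FUNC(...):
            ...
      # ...unless it also carries the auth decorator, in either order.
      - pattern-not: |
          @app.route($ROUTE, ...)
          @login_required
          def $FUNC(...):
            ...
      - pattern-not: |
          @login_required
          @app.route($ROUTE, ...)
          def $FUNC(...):
            ...
```

Run it locally with `semgrep --config route-without-login-required.yml app.py` (hypothetical file names): a handler decorated only with `@app.route("/admin")` is reported, while one that also has `@login_required` is not. Because the rule keys on the decorator, a handler that checks the session inside its body instead will still be flagged; for an audit rule that is the right trade-off, since the point is to force a human look at every new endpoint that lacks the standard auth marker. Once it behaves the way you want, add it to the project's policy in the Semgrep App so `semgrep ci` picks it up on every PR.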