rafaroca / intro-to-semgrep

https://lab.github.com/returntocorp/intro-to-semgrep
MIT License

Welcome to Semgrep! #1

Open · github-learning-lab[bot] opened this issue 3 years ago

github-learning-lab[bot] commented 3 years ago

Welcome!

I'm excited you're here! 👋

Together we're going to see how we can quickly and easily set up continuous code scanning using Semgrep, an open source, lightweight static analysis tool.

We'll see how Semgrep's out-of-the-box rules can find and block a broad variety of vulnerabilities and enforce secure guardrails (also called "paved road" or "secure defaults").

We'll use the awesome OWASP Juice Shop project as the repo we'll scan, and we'll use GitHub Actions to scan every Pull Request (PR).

How This Lab Works

Basically, at each stage you'll be provided with some information, either as a GitHub issue, PR, or a comment on one of those.

Then, there'll be an ⌨️ Activity section at the bottom that has you complete some concrete steps, either in this repo (like editing files, opening or closing PRs or Issues) or on Semgrep-related sites (e.g. writing new rules, setting up and configuring your dashboard, etc.).

After you complete the steps in the Activity section, the bot will either autodetect what you've done and move you to the next step, or perhaps respond to a comment we ask you to write.

💡 Important Notes

If at any point throughout this lab you're not seeing a bot response or scan update that you'd expect to, try refreshing the page; sometimes things get in a wonky state.

⌨️ Activity: See Docs Links

  1. We created a new Issue with useful documentation for you to review if you get stuck. Give it a quick skim.
  2. Comment on this issue and the bot will respond with next steps 🚀

I'll respond in this pull request when I detect a comment posted to it.
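The lab describes scanning every pull request with Semgrep from GitHub Actions but does not show the workflow itself. The following is an added example of such a workflow; it is not part of the lab or the Juice Shop repository. It assumes a repository secret named `SEMGREP_APP_TOKEN` holding a Semgrep App token (the environment variable name is what `semgrep ci` reads; the secret name is this example's choice) and a Semgrep version that provides the `semgrep ci` subcommand.

```yaml
# Added example, not from the lab: run Semgrep on every pull request and on
# pushes to main. Assumes a repository secret SEMGREP_APP_TOKEN created from
# a Semgrep App token.
name: Semgrep

on:
  pull_request: {}
  push:
    branches: [main]

# The scan only needs to read the checkout; do not grant write scopes.
permissions:
  contents: read

jobs:
  semgrep:
    name: semgrep/ci
    runs-on: ubuntu-latest
    # Run inside the official Semgrep image so no install step is needed.
    container:
      image: returntocorp/semgrep
    # Dependabot-triggered runs cannot read repository secrets; skip them
    # rather than failing with an unauthenticated scan.
    if: (github.actor != 'dependabot[bot]')
    steps:
      - uses: actions/checkout@v3
      # `semgrep ci` fetches the rules and policies configured in the Semgrep
      # App, scans only the changed code on pull_request events, and exits
      # non-zero when a blocking finding is reported, which fails the PR check.
      - run: semgrep ci
        env:
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
```

Without a Semgrep App account the same job can run `semgrep scan --config p/default --error` instead, which pulls a public ruleset from the registry and fails the job on any finding; the trade-off is that rule selection and notifications then live in the workflow file rather than in the dashboard policies the lab sets up next.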

rafaroca commented 3 years ago

Hi Bot

github-learning-lab[bot] commented 3 years ago

Getting Started

Alright, first we'll do a few quick things to get you up and running.

At a high level, here's what we're going to do:

Join the r2c Community Slack - There's a channel for this workshop you can ask questions in, and we'll use it to set up notifications when Semgrep finds issues.

Create a free Semgrep App account - This lets us easily manage Semgrep in CI, set up notifications, configure scanning policy, view results over time, and more.

⌨️ Activity: Create a Dashboard Account, Set up Slack Notifications

  1. Join the r2c community Slack and the #workshop-2021-owasp-devslop channel.
  2. Log in to the Semgrep Dashboard.
  3. Set up Slack Notifications.
    1. Go to the Incoming WebHooks page on the Slack App Directory, and in "Post to Channel" choose your name. This way, all notifications are going to be sent to you via direct message.
    2. Copy the "Webhook URL" generated on the next page (it should look like: https://hooks.slack.com/services/...) and go to the Semgrep Integrations page (you may need to click on "Integrations" in the left hand side navbar), create a new integration, select "Slack", provide a name, paste in the webhook URL, then save it.
    3. Click the "Test" button, and you should see a message from Semgrep in Slack.
  4. Now, on the Semgrep Policies page, click on each policy, go to Settings -> Integrations -> Add, select the Slack notification you set up, and click "Save".

Comment on this pull request when you're ready and I'll respond with the next step.

rafaroca commented 3 years ago

Thanks semgrep bot. I can see your comments here.

github-learning-lab[bot] commented 3 years ago

Congrats, you'll now get visibility into any time new routes are added to this app without auth!

As a busy security engineer or developer, you probably don't have time to manually audit every newly added route, but you do have time to audit routes that are potentially risky.

This exercise showed how to quickly flag potentially dangerous code being added, that's unique to how your code is written.

No static analysis tool will have rules like this out of the box, as the tool creators have never seen your code nor do they know how it works.

But with Semgrep and a little hackery, we can easily create high signal, high ROI rules, tailored to our environment 🤘

⌨️ Next: Finding Secrets

In the next challenge, we'll see how to start scanning every PR for leaked secrets using out-of-the box rules, and write a new rule to find a custom secret type.

Let's go!


Visit the next PR to continue.
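The comment above refers to a custom rule that flags routes added without auth, but the rule itself is not reproduced on this page. The following is an added example of how such a rule can be written; it is not the lab's rule and not Juice Shop's code. It assumes an Express-style application in which authenticated routes pass a `security.isAuthorized()` middleware and in which API routes live under `/api/` or `/rest/`; both the middleware name and the path prefixes are assumptions to be adjusted to the codebase being scanned.

```yaml
# Added example rule, not part of the lab: report Express route registrations
# whose handler chain does not include the auth middleware. The middleware
# name security.isAuthorized() and the /api and /rest prefixes are assumptions
# about the scanned application.
rules:
  - id: express-route-without-auth
    languages: [javascript, typescript]
    severity: WARNING
    message: >-
      Route $ROUTE is registered without the security.isAuthorized()
      middleware. Confirm it is meant to be reachable unauthenticated.
    metadata:
      category: security
      # This is a triage prompt for new routes, not proof of a vulnerability.
      confidence: LOW
    patterns:
      # Any of the common HTTP verb registrations on the app or a router.
      - pattern-either:
          - pattern: $APP.get($ROUTE, ...)
          - pattern: $APP.post($ROUTE, ...)
          - pattern: $APP.put($ROUTE, ...)
          - pattern: $APP.delete($ROUTE, ...)
      # Drop registrations where the auth middleware appears anywhere in the
      # argument list after the path.
      - pattern-not: $APP.$METHOD($ROUTE, ..., security.isAuthorized(), ...)
      # Only API paths are interesting; static and UI routes are expected to
      # be public. The optional leading quote keeps the regex working whether
      # Semgrep hands back the literal with or without its quotes.
      - metavariable-regex:
          metavariable: $ROUTE
          regex: ^['"]?/(api|rest)/
```

Run it with `semgrep scan --config express-route-without-auth.yaml server.ts`. Against a constructed file containing `app.get('/api/Users', security.isAuthorized(), listUsers)` and `app.post('/rest/user/login', login)`, only the second line is reported: the first is excluded by the `pattern-not`, and a line such as `app.get('/assets/*', serveStatic)` is excluded by the path regex. Because a finding on a diff-scanned pull request means a new unauthenticated API route was just introduced, the rule carries the "look at this" signal the comment describes without a high false-positive rate on the rest of the codebase.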