Useful Semgrep Links - Githubissues

github-learning-lab[bot] commented 3 years ago

This issue collects various links to useful Semgrep resources and documentation in one place so you can reference it if you ever get stuck.

semgrep.dev - Semgrep's home page
- @returntocorp/semgrep - Semgrep's source code on GitHub
Semgrep Registry - Home of Semgrep's free, out-of-the-box rules (that is, security checks), written by r2c and the community.
- These rules are grouped into "rulesets" that collect related functionality, like rules that check for secrets, target specific languages (e.g. javascript) or frameworks (e.g. django), or even entire vulnerability classes (e.g. xss or insecure transport).
- @returntocorp/semgrep-rules - The source code of Semgrep's rules on GitHub.
- Note that the Registry has more rules than what's just in the returntocorp/semgrep-rules repo, as the Registry includes Semgrep rules from other community repos, like NodeJSScan or Go rules by Damian Gryski.
Semgrep Playground - Write and share Semgrep rules right from your browser, no installation required!

Rule Writing

There's a step by step rule writing tutorial here.

If you go to the Playground, you can also click the "Examples" button to view a number of illustrative built-in examples.

And of course, you can also review the over 1,000 rules in @returntocorp/semgrep-rules.

Docs

Semgrep has pretty extensive docs, which you can view here.

Of note:

Pattern syntax - All of the ways you can match code within one pattern.
Rule syntax - All of the ways you can combine Semgrep patterns to form more complex queries. For example, looking for code that matches this AND that, or this but NOT that, etc.

Community

Feel free to join the r2c community Slack to ask questions (we're super responsive!) or reach out to us on Twitter (@r2cdev), or send us an email at support@r2c.dev.

tveiga1689 commented 3 years ago

ok

github-learning-lab[bot] commented 3 years ago

Congrats, you'll now get visibility into any time new routes are added to this app without auth!

As a busy security engineer or developer, you probably don't have time to manually audit every newly added route, but you do have time to audit routes that are potentially risky.

This exercise showed how to quickly flag potentially dangerous code being added, that's unique to how your code is written.

No static analysis tool will have rules like this out of the box, as the tool creators have never seen your code nor do they know how it works.

But with Semgrep and a little hackery, we can easily create high signal, high ROI rules, tailored to our environment 🤘

⌨️ Next: Finding Secrets

In the next challenge, we'll see how to start scanning every PR for leaked secrets using out-of-the box rules, and write a new rule to find a custom secret type.

Let's go!

Visit the next PR to continue.