I've been working recently in the policy-as-code space, statically scanning Terraform plans for misconfigurations. Conftest has been super helpful in that regard. However, Conftest cannot detect misconfigurations in application code.
Recently I came across an interesting tool named Semgrep. It calls itself "a lightweight, offline, open-source, static analysis tool".
Semgrep presents a great opportunity to expand early detection to the application security space. A common buzzword within security is "shifting left": providing feedback earlier in the software development lifecycle (SDLC).
The tool's site provides a great interactive tutorial which walks you through the various features of the tool and how rule development works. The tutorial is pretty comprehensive, with 16 different examples.
Another extremely helpful feature of the site is an interactive editor. This allows a user to experiment with custom rules without having to install the tool.
When you're ready to test locally, the getting-started page provides a few different install options, including pip and Homebrew. This page also includes a couple of intentionally vulnerable sample projects that you can run the rules against:

# juice-shop, a vulnerable Node.js + Express app
$ git clone https://github.com/bkimminich/juice-shop
$ semgrep --config p/r2c-security-audit juice-shop

# railsgoat, a vulnerable Ruby on Rails app
$ git clone https://github.com/OWASP/railsgoat
$ semgrep --config p/r2c-security-audit railsgoat

# govwa, a vulnerable Go app
$ git clone https://github.com/0c34/govwa
$ semgrep --config p/r2c-security-audit govwa

# vulnerable Python + Flask app
$ git clone https://github.com/we45/Vulnerable-Flask-App
$ semgrep --config p/r2c-security-audit Vulnerable-Flask-App

# WebGoat, a vulnerable Java + Spring app
$ git clone https://github.com/WebGoat/WebGoat
$ semgrep --config p/r2c-security-audit WebGoat
The output of the semgrep command points to the file and the lines where it has identified a problem.
Since we're using one of the shared rulesets, we can also look up the details. The "explore" feature of the tool's website can be used to search for the rule name. Once found, we can take a closer look at the rule details. Since the vulnerable app is using MD5, it was flagged as non-compliant.
Semgrep also offers a VS Code extension, which can provide feedback without ever leaving the IDE.
While Semgrep comes with plenty of rules out of the box, the ability to write your own is a great way to enforce company best practices and standards. The full rule syntax is covered here. Your own rules can be run locally alongside the rulesets contributed online. Semgrep also has solid coverage of popular languages.
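As an added example of a custom rule (not from the original post or the Semgrep project), here is a rule file that flags the same weak-hash pattern the shared ruleset caught above, written for Python code. The rule id, the file name weak-hash-md5.yml and the message text are my own choices; the keys used (id, languages, severity, message, pattern-either, pattern, metadata) are standard Semgrep rule syntax.

```yaml
# weak-hash-md5.yml (assumed file name)
# Run from the root of the project you want to scan:
#   semgrep --config weak-hash-md5.yml .
rules:
  - id: python-weak-hash-md5          # assumed rule id
    languages: [python]
    severity: WARNING
    message: >-
      MD5 is not collision-resistant and should not be used for
      security-sensitive hashing (integrity checks, signatures, password
      storage). Use hashlib.sha256 or, for passwords, a dedicated password
      hashing function.
    # Match both ways of requesting MD5 from the standard library.
    # "..." matches any arguments, so hashlib.md5() and hashlib.md5(data)
    # are both reported.
    pattern-either:
      - pattern: hashlib.md5(...)
      - pattern: hashlib.new("md5", ...)
    metadata:
      cwe: "CWE-328: Use of Weak Hash"
      category: security
```

Each finding is reported with the file and line, just like the shared ruleset output, and the message travels with the finding so a developer in the IDE sees the remediation advice without having to look the rule up. Keeping such rules in the repository next to the code lets the same check run in CI and in the VS Code extension.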
I hope you've found this overview of Semgrep helpful, and I'm excited to see more tools like this in the application security space!