Jayson DeLancey for Semgrep


JavaScript Rules, Wiz Integration, Bitbucket SCM and Catching Malicious Dependencies

Semgrep is an open-source static code analysis tool for finding bugs and security vulnerabilities. Here is a round-up of a few recent updates from the past month that you may have missed.


🚨 GitHub Action Compromised

Important: The GitHub Action tj-actions/changed-files was compromised. Read more about the discovery and impact of this critical issue.

Rules processed by the Semgrep engine support a Critical severity level, aligned with the Common Vulnerability Scoring System (CVSS), so you can identify what you really should be paying attention to. A malicious dependency finding is critical because simply downloading the affected package or version could impact your applications. That is about as malicious as it gets, but with the new Semgrep rules added: not today!


📈 Semgrep Added 312 New Rules Last Month

Semgrep's built-in rules provide out-of-the-box coverage while still allowing for customization. Last month, the Semgrep security research team was busy contributing hundreds of new rules to secure applications for all of our customers. Read more about the new JavaScript analysis, with coverage of the OWASP Top 10 across 50 frameworks and libraries including Express, NestJS, React, Koa, Angular, and more. Watch the video presentation about it, or learn from the code and see how we did it!

The registry allows you to explore these and over 4,000 other rules. To extend one, load the rule in the playground, where you can practice writing rules or run them against your own sample code.


ICYMI: Semgrep Raised Series D

Covered by the Wall Street Journal, new funding gives confidence that Semgrep will continue making it expensive to exploit software for the foreseeable future: Semgrep Raises $100 Million to Develop Bug-Hunting Software.

We’re looking to add a few new roles to the team, including Software Engineering, Technical Support, Sales, and Design. If you know talented folks looking for new career opportunities, forward a link over to them.


TIL: Community AppSec Learning Resources

Tanya Janca discussed The Art of Teaching Secure Coding on The Application Security Podcast and appeared on The Security Ledger Podcast. She also discussed input validation, data source trust, and the intersection of security with the law on the StackOverflow podcast.

Meanwhile, the 269th edition of the tl;dr sec newsletter has a round-up of AI-powered web vulnerability scanning resources and a detailed guide on hacking AI agents/apps.


🎓 New Security Headers Course and WebApp Testing Tools

The new Security Headers course teaches how to add an additional layer of security to web applications. It covers how to set up policy headers and strict transport security, and shares some free testing tools for evaluating your current web browser security.

Take the free Security Headers course on Semgrep Academy taught by Tanya Janca and Scott Helme.


Semgrep Source Code Vulnerabilities + Wiz Real-world Infrastructure Monitoring

Semgrep excels at application security testing and Wiz is great at cloud-native risk detection. Put them together and you have a unified approach to application and cloud security. This is easier now through platform integration. Learn more about why and how to view Semgrep findings in Wiz's Security Graph from the integration guide.

You can also learn more or apply to be a Semgrep Partner.


🤫 User Testing Opportunity - Private Beta

New features are coming. We'd like you to participate in our user research program and provide early feedback on what is useful. Reach out to our account team for a demo or to learn more. You may also follow Semgrep Product Updates to see when the features are mature and ready for everyone to use.


Bitbucket Cloud Repos Scanning with One Click

There is now one-click onboarding of Bitbucket Cloud and Data Center repositories. This makes Bitbucket as easy to use as GitHub, GitLab, and Azure already were, so you can quickly set up regular project scans across many repositories. The docs on how to add a Bitbucket repository can guide you when you are ready.

The Autotriage, Autofix, and other AI Assistant remediation features that accelerate developer workflows are all supported with Bitbucket too.

"The ability to have Assistant remember what I told it and automatically triage for me in the future is game changing. I have to spend a lot of time verifying the validity of vulnerabilities, and being able to essentially hit the 'save' button on the work I've done and just pass it on to Assistant has really helped streamline my triage process."

--Kevin Twingstorm, Lead AppSec Engineer, Acrisure


We're Just Getting Started

If you've only just learned about Semgrep, here are some ways to get started:

  • The Semgrep Community Edition is free open-source software that powers many teams with basic functionality.

  • The Semgrep Pro capabilities are available to test for free on any project with fewer than ten (10) contributors. Just hop over to semgrep.dev, sign up, and follow the Quick Start. If you have any questions or feedback, hop onto the Community Slack and let’s chat!
