<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>semgrep on The Trail of Bits Blog</title><link>https://miscreants.github.io/blog.trailofbits.com/categories/semgrep/</link><description>Recent content in semgrep on The Trail of Bits Blog</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Mon, 09 Dec 2024 09:00:43 -0500</lastBuildDate><atom:link href="https://miscreants.github.io/blog.trailofbits.com/categories/semgrep/index.xml" rel="self" type="application/rss+xml"/><item><title>35 more Semgrep rules: infrastructure, supply chain, and Ruby</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/12/09/35-more-semgrep-rules-infrastructure-supply-chain-and-ruby/</link><pubDate>Mon, 09 Dec 2024 09:00:43 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/12/09/35-more-semgrep-rules-infrastructure-supply-chain-and-ruby/</guid><description>We are publishing another set of custom Semgrep rules, bringing our total number of public rules to 115. This blog post will briefly cover the new rules, then explore two Semgrep features in depth: regex mode (especially how it compares against generic mode), and HCL language support for technologies […]</description></item><item><title>Announcing the Trail of Bits and Semgrep partnership</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/09/19/announcing-the-trail-of-bits-and-semgrep-partnership/</link><pubDate>Thu, 19 Sep 2024 09:00:30 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/09/19/announcing-the-trail-of-bits-and-semgrep-partnership/</guid><description>At Trail of Bits, we aim to share and develop tools and resources used in our security assessments with the broader security community. Many clients, we observed, don’t use Semgrep to its fullest potential or even at all. 
To bridge this gap and encourage broader adoption, our CEO, Dan Guido, initiated discussions with the Semgrep […]</description></item><item><title>30 new Semgrep rules: Ansible, Java, Kotlin, shell scripts, and more</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/01/17/30-new-semgrep-rules-ansible-java-kotlin-shell-scripts-and-more/</link><pubDate>Wed, 17 Jan 2024 08:30:32 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/01/17/30-new-semgrep-rules-ansible-java-kotlin-shell-scripts-and-more/</guid><description>We are publishing a set of 30 custom Semgrep rules for Ansible playbooks, Java/Kotlin code, shell scripts, and Docker Compose configuration files. These rules were created and used to audit for common security vulnerabilities in the listed technologies. This new release of our Semgrep rules joins our public CodeQL […]</description></item><item><title>How to introduce Semgrep to your organization</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/01/12/how-to-introduce-semgrep-to-your-organization/</link><pubDate>Fri, 12 Jan 2024 09:00:26 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/01/12/how-to-introduce-semgrep-to-your-organization/</guid><description>Semgrep, a static analysis tool for finding bugs and specific code patterns in more than 30 languages, is set apart by its ease of use, many built-in rules, and the ability to easily create custom rules. 
We consider it an essential automated tool for discovering security issues in a […]</description></item><item><title>Security flaws in an SSO plugin for Caddy</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/</link><pubDate>Mon, 18 Sep 2023 08:00:42 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/</guid><description>We identified 10 security vulnerabilities within the caddy-security plugin for the Caddy web server that could enable a variety of high-severity attacks in web applications, including client-side code execution, OAuth replay attacks, and unauthorized access to resources. During our evaluation, Caddy was deployed as a reverse proxy […]</description></item><item><title>Secure your Apollo GraphQL server with Semgrep</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/08/29/secure-your-apollo-graphql-server-with-semgrep/</link><pubDate>Tue, 29 Aug 2023 08:00:14 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/08/29/secure-your-apollo-graphql-server-with-semgrep/</guid><description>tl;dr: Our publicly available Semgrep ruleset has nine new rules to detect misconfigurations of versions 3 and 4 of the Apollo GraphQL server. Try them out with semgrep --config p/trailofbits! 
When auditing several of our clients’ Apollo GraphQL servers, I kept finding the same issues over and over: cross-site request forgery (CSRF) […]</description></item><item><title>Announcing the Trail of Bits Testing Handbook</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/07/26/announcing-the-trail-of-bits-testing-handbook/</link><pubDate>Wed, 26 Jul 2023 07:00:28 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/07/26/announcing-the-trail-of-bits-testing-handbook/</guid><description>Trail of Bits is thrilled to announce the Testing Handbook, the shortest path for developers and security professionals to derive maximum value from the static and dynamic analysis tools we use at Trail of Bits. Why did we create the Testing Handbook? At Trail of Bits, we have spent countless hours studying, […]</description></item><item><title>Secure your machine learning with Semgrep</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/10/03/semgrep-maching-learning-static-analysis/</link><pubDate>Mon, 03 Oct 2022 09:00:53 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/10/03/semgrep-maching-learning-static-analysis/</guid><description>tl;dr: Our publicly available Semgrep ruleset now has 11 rules dedicated to the misuse of machine learning libraries. Try it out now! Picture this: You’ve spent months curating images, trying out different architectures, downloading pretrained models, messing with Kubernetes, and you’re finally ready to ship your sparkling new machine learning (ML) product. 
[…]</description></item><item><title>Discovering goroutine leaks with Semgrep</title><link>https://miscreants.github.io/blog.trailofbits.com/2021/11/08/discovering-goroutine-leaks-with-semgrep/</link><pubDate>Mon, 08 Nov 2021 23:28:45 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2021/11/08/discovering-goroutine-leaks-with-semgrep/</guid><description>Originally published May 10, 2021. While learning how to write multithreaded code in Java or C++ can make computer science students reconsider their career choices, calling a function asynchronously in Go is just a matter of prefixing a function call with the go keyword. However, writing concurrent Go code can […]</description></item></channel></rss>