Semgrep is an open source tool used to perform SAST (static application security testing) scans. The tool is very powerful, as it can integrate across the SDLC, including the CI/CD pipeline. Semgrep is set up using YAML rules that identify vulnerable code blocks based on pre-defined matching patterns. For example, you can write detection patterns for the execution of a command or for missing input validation (XSS).
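As an added example of such a rule (written for this post, not taken from the Semgrep project or its rule registry), here is a taint-mode rule that flags Flask request parameters flowing into a shell command; the rule id, message and the chosen source/sink lists are my own assumptions.

```yaml
rules:
  - id: flask-request-to-shell-command   # hypothetical rule id
    mode: taint                          # track data flow from sources to sinks
    languages: [python]
    severity: ERROR
    message: >-
      User-controlled input from the Flask request reaches a shell command.
      Pass arguments as a list without shell=True, or validate the value
      against an allowlist before using it.
    metadata:
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"
    # Sources: anything read from the incoming HTTP request
    pattern-sources:
      - pattern-either:
          - pattern: flask.request.args.get(...)
          - pattern: flask.request.form.get(...)
          - pattern: flask.request.args[...]
          - pattern: flask.request.form[...]
    # Sinks: functions that hand a string to a shell
    pattern-sinks:
      - pattern-either:
          - pattern: os.system(...)
          - pattern: os.popen(...)
          - patterns:
              - pattern: subprocess.$FUNC(..., shell=True, ...)
              - metavariable-regex:
                  metavariable: $FUNC
                  regex: ^(run|call|check_call|check_output|Popen)$
    # Sanitizers: values passed through shlex.quote are no longer reported
    pattern-sanitizers:
      - pattern: shlex.quote(...)
```

Save it as, for example, `flask-shell.yaml` and run `semgrep --config flask-shell.yaml src/` to scan a project; a call such as `os.system("ping " + request.args.get("host"))` is reported, while `subprocess.run(["ping", host])` without `shell=True` is not.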
According to the description on the Semgrep site, it currently supports many programming languages, including Python, C#, Go, Java, Ruby, JavaScript and Terraform; more details can be found here.
The Semgrep community edition is free for teams of 20 or fewer. Other tiers and features are available at a very affordable price. Semgrep 1.0 was released on December 1st and looks pretty cool at first glance; you can find more details on version 1.0 here.
Semgrep rules can be found here. I highly recommend giving this tool a shot if you're in search of a SAST solution.
