Developer-friendly SAST in DevOps Pipeline.pptx

DevOps is the de facto strategy followed by all leading organizations to deliver innovation and quality. Security in DevOps is taking the lead with easy-to-use, developer-friendly automation suites that empower developers to build secure products. In this talk, we will focus on the what, why and how of SAST, and on how Semgrep can be used in a DevOps pipeline.

  1. Semgrep: Developer-friendly SAST in DevOps Pipeline
  2. About Me: Sam Benjamin Pragasam, Product Security Engineer @ Traceable. Love to connect: https://www.linkedin.com/in/samsbp/ and https://topmate.io/sam_benjamin_pragasam
  3. Agenda
     ● What's and why's
     ● Evaluating SAST tools
     ● How SAST works
     ● Continuous testing with Semgrep
     ● Semgrep rules & patterns
     ● Alternatives
  4. Section overview: manual secure code review, automated secure code review, SAST (what? why? why not?), evaluating SAST tools, where Semgrep falls, how SAST works, taint propagation
  5. What? Why? Why not?
     What?
     ● Acronym for "Static Application Security Testing"
     ● Automated secure code review
     ● Similar to linters, but with a focus on security
     ● Flexible and manageable via rules
     Why?
     ● Quality enabler
     ● Shift left: early feedback in the pipeline, which increases the fix rate
     ● White-box testing: covers the blind spots of black-box testing
     ● Increased coverage
     Why not?
     ● False positives
     ● Lack of a developer-focused pipeline
     ● Scalability: prioritizing issues without context (2021 data)
  6. Evaluating SAST Tools
     ● Broader programming language support
     ● Capability for prioritization
     ● API integration
     ● Low false positives
     ● Jira integration (vulnerability management)
     ● Time taken to analyse the code
     ● CI integration
     ● CLI capabilities
     ● Less cognitive load in the pipeline
     ● Scan customizations such as sanitizers and rulesets
     ● IDE integration
     ● Secret detection
  7. Where Semgrep Falls (the criteria of slide 6, as they apply to Semgrep)
     ● Broader programming language support
     ● Capability for prioritization
     ● API integration
     ● Reduced false positives: taint mode and sanitizers supported
     ● Jira integration (vulnerability management)
     ● Time taken to analyse the code
     ● CI integration
     ● CLI capabilities
     ● Less cognitive load in the pipeline
     ● Scan customizations such as sanitizers and rulesets
     ● IDE integration
     ● Secret detection
  8. How SAST works? (diagram: Source → Sink)
  9. Taint Propagation (diagram)
  10. Continuous Testing
     ● The pipeline
     ● GitHub CI with Semgrep
     ● Integration with DefectDojo
  11. The Pipeline: https://github.com/samsbp/semgrep-workflow
  12. Pipeline - GitHub CI Action: https://github.com/samsbp/semgrep-workflow
  13. Pipeline - Semgrep Autofix
  14. Pipeline - Push Findings to DefectDojo
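The pipeline slides (10 to 14) describe two steps: run Semgrep in GitHub CI, then push the findings to DefectDojo. The workflow below is an added example of that shape; it is not the deck's own workflow nor the one in the samsbp/semgrep-workflow repository. The `.semgrep/` rules directory, the secret names (`DEFECTDOJO_URL`, `DEFECTDOJO_API_KEY`, `DEFECTDOJO_ENGAGEMENT_ID`) and the `p/default` ruleset choice are assumptions; the `/api/v2/import-scan/` endpoint and the "Semgrep JSON Report" scan type are DefectDojo's own, as documented for its importer.

```yaml
# .github/workflows/semgrep.yml  (constructed example; not the deck's or the
# samsbp/semgrep-workflow repository's own workflow)
name: semgrep-sast

on:
  pull_request: {}
  push:
    branches: [main]

jobs:
  semgrep:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"

      - name: Install Semgrep
        run: python -m pip install --upgrade semgrep

      # Registry ruleset plus the repository's own rules (assumed to live in .semgrep/).
      # --error makes the step fail when there are findings, which blocks the PR;
      # the JSON report is still written, so the next step can push it.
      - name: Semgrep scan
        run: |
          semgrep scan --config p/default --config .semgrep/ \
            --metrics=off --error --json --output semgrep-report.json .

      # Runs even when the scan step failed, so blocked PRs still land in DefectDojo.
      # Secret names are assumptions; the engagement id identifies the DefectDojo
      # engagement the findings are imported into.
      - name: Push findings to DefectDojo
        if: always()
        env:
          DEFECTDOJO_URL: ${{ secrets.DEFECTDOJO_URL }}
          DEFECTDOJO_API_KEY: ${{ secrets.DEFECTDOJO_API_KEY }}
          DEFECTDOJO_ENGAGEMENT_ID: ${{ secrets.DEFECTDOJO_ENGAGEMENT_ID }}
        run: |
          curl --fail --silent --show-error \
            -X POST "$DEFECTDOJO_URL/api/v2/import-scan/" \
            -H "Authorization: Token $DEFECTDOJO_API_KEY" \
            -F "scan_type=Semgrep JSON Report" \
            -F "engagement=$DEFECTDOJO_ENGAGEMENT_ID" \
            -F "active=true" \
            -F "verified=false" \
            -F "minimum_severity=Low" \
            -F "file=@semgrep-report.json"
```

Two design choices worth keeping: `--error` turns findings into a red check on the pull request (the "shift left" point of slide 5), and `if: always()` on the upload step means the DefectDojo engagement reflects every scan, not only the clean ones. In production, pin the action versions and the Semgrep version rather than taking the latest.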
  15. Pipeline - DefectDojo Findings UI
  16. Rules
     ● Grep-like patterns
     ● Autofix suggestion
     ● Generic pattern matching
     ● Taint propagation pattern
     ● String matching
     ● Ellipsis operator
     ● Metavariables
     ● Statement blocks
     ● Equivalences
     ● Constants
  17. Semgrep Patterns - Metavariables, block statements, ellipsis
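The rule features named on slides 16 and 17 (metavariables, the ellipsis operator, statement blocks, autofix) are easiest to see in a rules file. The three rules below are an added example, not the deck's own slides or the samsbp/semgrep-workflow repository's rules; the file path and the rule ids are made up, and the rules target Python because that is what the constructed target code uses.

```yaml
# .semgrep/python-patterns.yml  (constructed example rules; not from the deck or the
# samsbp/semgrep-workflow repository). Run with: semgrep scan --config .semgrep/ target.py
rules:
  # Metavariable + autofix: $DATA captures the single argument and is reused in the fix.
  # `yaml.load($DATA)` matches calls with exactly one argument, so a call that already
  # passes Loader=... is left alone (matching extra arguments would need `...`).
  - id: pyyaml-unsafe-load
    languages: [python]
    severity: ERROR
    message: yaml.load() without a safe Loader can instantiate arbitrary objects; use yaml.safe_load()
    pattern: yaml.load($DATA)
    fix: yaml.safe_load($DATA)

  # Ellipsis + pattern-not: `...` stands for any arguments in any position, so the second
  # clause drops calls that already pass a timeout anywhere in the argument list.
  - id: requests-without-timeout
    languages: [python]
    severity: WARNING
    message: requests.$METHOD() call has no timeout; an unresponsive host blocks the worker indefinitely
    patterns:
      - pattern: requests.$METHOD(...)
      - pattern-not: requests.$METHOD(..., timeout=$T, ...)
      - metavariable-regex:
          metavariable: $METHOD
          regex: ^(get|post|put|patch|delete|head)$

  # Statement block: pattern-inside scopes the match to the body of a Flask route
  # handler. The `...` on its own line means "any statements before or after".
  - id: os-system-in-flask-route
    languages: [python]
    severity: ERROR
    message: os.system() inside a request handler; use subprocess with an argument list and no shell
    patterns:
      - pattern-inside: |
          @$APP.route(...)
          def $HANDLER(...):
            ...
      - pattern: os.system($CMD)
```

`semgrep scan --config .semgrep/ --autofix target.py` applies the `fix:` of the first rule in place (the slide 13 autofix step); without `--autofix` the suggested replacement is only shown in the finding. The `pattern-not` in the second rule is the idiomatic way to express "call X that lacks keyword Y", and `pattern-inside` in the third keeps the rule quiet about `os.system` calls in build scripts while flagging them where request data can reach them.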
  18. Semgrep Taint Propagation
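Slides 8, 9 and 18 describe source-to-sink taint propagation, which is what Semgrep's `mode: taint` implements: a source (here, HTTP request data) flows through assignments and propagators until it reaches a sink (the SQL string given to `execute`), unless a sanitizer is applied on the way. The rule below is an added example, not the deck's or the samsbp/semgrep-workflow repository's rule; the rule id, the file path and the target snippet in the comments are constructed.

```yaml
# .semgrep/flask-sqli-taint.yml  (constructed example; not from the deck or the
# samsbp/semgrep-workflow repository).
#
# Constructed target.py this rule is meant to run against:
#   @app.route("/user")
#   def user():
#       uid = request.args.get("id")                                    # source
#       parts = []
#       parts.append(uid)                                               # propagator: taints `parts`
#       cur.execute("SELECT * FROM users WHERE id=" + parts[0])         # sink reached: finding
#       cur.execute("SELECT * FROM users WHERE id=%s", (uid,))          # bound parameter: no finding
#       cur.execute("SELECT * FROM users WHERE id=" + str(int(uid)))    # sanitized by int(): no finding
rules:
  - id: flask-request-to-sql-query
    mode: taint
    languages: [python]
    severity: ERROR
    message: SQL query string built from request data reaches $CUR.execute(); bind parameters instead
    # Where tainted data enters. `flask.request...` also matches `from flask import request`.
    pattern-sources:
      - pattern: flask.request.args.get(...)
      - pattern: flask.request.args[...]
      - pattern: flask.request.form.get(...)
      - pattern: flask.request.form[...]
    # Taint already follows assignments and string concatenation; a propagator adds
    # the rule that appending a tainted value to a list taints the list itself.
    pattern-propagators:
      - pattern: $LIST.append($X)
        from: $X
        to: $LIST
    # An int cannot carry SQL syntax, so casting stops the flow.
    pattern-sanitizers:
      - pattern: int(...)
    # Only the query argument is a sink. focus-metavariable restricts the finding to
    # $QUERY, so bound parameters passed as later arguments are not reported.
    pattern-sinks:
      - patterns:
          - pattern: $CUR.execute($QUERY, ...)
          - focus-metavariable: $QUERY
```

Running `semgrep scan --config .semgrep/flask-sqli-taint.yml target.py` reports the concatenation line only. The two quiet lines are the point of slide 7's "reduced false positives: taint mode and sanitizers supported": the parameterized call is not flagged because the sink is the query string, not the parameter tuple, and the `int()` cast is declared as a sanitizer rather than being matched away with a pattern-not.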
  19. Alternatives: this is not an endorsement of any of the listed products; it is a collected list of SAST products on the market.
  20. References
     1. https://engineering.razorpay.com/building-a-sast-program-at-razorpays-scale-719887fe0aec
     2. https://www.anshumanbhartiya.com/posts/sast-workflow
     3. https://appsecmap.com/
     4. https://www.defectdojo.org/
     5. https://whimsical.com/
     6. https://semgrep.dev/playground
     7. https://github.com/samsbp/semgrep-workflow
     8. https://www.contrastsecurity.com/hubfs/DocumentsPDF/2021-Application-Security-Observability-Report_Executive-Summary_Final.pdf
     9. https://docs.github.com/en/actions/using-workflows/reusing-workflows