home.social

#semgrep — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #semgrep, aggregated by home.social.

  1. I was at the first #bsidessf however many years ago, I’ve missed a few but it’s good to be back. I’ll be walking around or chilling at the #Semgrep booth, come say hi.

  6. Hey developers and vulnerability researchers!

    I'm currently working on improving my #Semgrep ruleset for C/C++ static code analysis, and I've just published the new v1.1.0 release: github.com/0xdea/semgrep-rules

    Some notable changes since the previous battle-tested release: new rules for detecting high-entropy assignments and ReDoS vulnerabilities, numerous enhancements to existing rules, reduced false positives without sacrificing coverage, optimized patterns across the board, and overall better documentation. Check the changelog for the full list (yes, there’s a changelog now).

    Please test it inside and out, and feel free to open issues or submit pull requests. Your feedback is invaluable and will help shape the project roadmap. I'm aiming for a major release sometime before spring.

  11. How we blew a client's database and learned about security

    For more than eight years I worked as a backend developer. We built web applications that automated logistics and procurement. The team grew, the processes matured. Everything was proper and tidy: CI/CD, code review, arguments about clean architecture and perfect naming. The world was simple and predictable, and it seemed it would always stay that way. But one morning everything changed. What happened?

    habr.com/ru/articles/959542/

    #semgrep #dfd #DREAD #stride #безопасная_разработка

  15. I interviewed Kim Wuyts for a #Semgrep fireside chat called Privacy by Design: Making Threat Modeling Work for Data Protection, and it was super fun!

    Watch us here: twp.ai/4ipiK6

    @KimWuyts #privacy #threatmodeling

  20. ⏰ 2 days left! Submit your CtF level for a shot at $500 worth of Semgrep prizes at AppSec Village, @defcon 33.

    Enter by Aug 3: appsecvillage.com/ctf

    #defcon33 #ctf #semgrep #appsec #sponsors #win #challenge #capturetheflag

  23. #Semgrep static analysis tool for #code scanning at ludicrous speed 🔍

    🔍 Supports 30+ languages including #Python #JavaScript #Java #Go #C #Rust #TypeScript #php and more

    🛡️ Finds bugs, enforces #security guardrails and coding standards with semantic pattern matching

    ⚡ Runs locally by default - code never uploaded, works in #IDE, pre-commit hooks & #CI/CD workflows

    🤖 #AI-powered #SemgrepAssistant provides intelligent triaging and step-by-step remediation guidance

    🧵 👇

  28. I interviewed Kim Wuyts for a #Semgrep fireside chat called Privacy by Design: Making Threat Modeling Work for Data Protection, and it was super fun!

    Watch us here: twp.ai/4inxqU

    @KimWuyts #privacy #threatmodeling

  33. I interviewed Kim Wuyts for a #Semgrep fireside chat called Privacy by Design: Making Threat Modeling Work for Data Protection, and it was super fun!

    Watch us here: twp.ai/4io15f

    @KimWuyts #privacy #threatmodeling

  38. GitLab CI-CD semgrep SAST (Static Application Security Test) configuration example; blocks the MR if there is any finding.

    gitlab.com/carvilsi/sast-cicd-

    #CI_CD #sast #semgrep #gitlab #security #devops

  41. One static analysis tool tells me to use `lstat` and `fstat` to avoid (or at least detect) malicious replacement of a file that I `open`. Then, after doing this, my other static analysis tool complains that I’ve introduced a TOCTOU (time-of-use, time-of-check) between `lstat` and `open`.

    Sure, but I’m going to detect that. Real issue I have with all of this is that there’s still a window (which I estimate to be about the same size in both versions of this program) between creating this pseudoterminal file and the next interaction I have with it (be that pulling file stats with `lstat` or `open`ing it).

    #SemGrep #Coverity #StaticAnalysis #Programming #C
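The `lstat` / `open` / `fstat` pattern the post above is wrestling with, written out as an added C example (this is not the poster's code and not from any of the tools mentioned). The helper `open_verified` and the self-check `demo_open_verified` are names chosen here; the code assumes a POSIX system where `open` honours `O_NOFOLLOW` and `/tmp` is writable. It records the object's identity with `lstat`, opens with `O_NOFOLLOW` so a symlink swapped in between the two calls fails instead of being followed, then compares `fstat` results against the earlier `lstat`. It detects a swap after `lstat`; it does nothing about the window the post complains about, between creating the file and that first `lstat`.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not from the post): record the object's identity
 * with lstat(), open it WITHOUT following a final symlink, then confirm
 * with fstat() that the descriptor refers to the same inode lstat() saw.
 * Returns the open fd, or -1 with errno set (ESTALE if the object changed
 * between the two calls). This is detect-not-prevent: a swap that happens
 * before lstat() is invisible to it. */
int open_verified(const char *path, struct stat *out)
{
    struct stat before, after;

    if (lstat(path, &before) != 0)
        return -1;

    /* O_NOFOLLOW makes a symlink swapped in after lstat() fail (ELOOP on
     * Linux) instead of silently redirecting the open elsewhere. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;

    if (fstat(fd, &after) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }

    /* Identity check: same device + inode, and still a regular file. */
    if (before.st_dev != after.st_dev || before.st_ino != after.st_ino ||
        !S_ISREG(after.st_mode)) {
        close(fd);
        errno = ESTALE;
        return -1;
    }

    if (out)
        *out = after;
    return fd;
}

/* Self-check on constructed files under /tmp: a regular file must open and
 * verify; a symlink pointing at it (standing in for a swapped-in link) must
 * be rejected. Returns 0 on success, a nonzero step number on failure. */
int demo_open_verified(void)
{
    char file[] = "/tmp/toctou-demo-XXXXXX";
    char link[sizeof file + 8];
    struct stat st;
    int rc = 0;

    int tfd = mkstemp(file);
    if (tfd < 0)
        return 1;
    close(tfd);

    snprintf(link, sizeof link, "%s.lnk", file);
    if (symlink(file, link) != 0) {
        unlink(file);
        return 2;
    }

    /* Regular file: lstat and fstat agree, open succeeds. */
    int fd = open_verified(file, &st);
    if (fd < 0 || !S_ISREG(st.st_mode))
        rc = 3;
    if (fd >= 0)
        close(fd);

    /* Symlink: O_NOFOLLOW refuses it, so open_verified must return -1. */
    if (rc == 0) {
        int lfd = open_verified(link, NULL);
        if (lfd != -1) {
            close(lfd);
            rc = 4;
        }
    }

    unlink(link);
    unlink(file);
    return rc;
}

int main(void)
{
    int rc = demo_open_verified();
    printf("open_verified self-check: %s\n", rc == 0 ? "ok" : "FAILED");
    return rc;
}
```

Compile with `cc toctou_demo.c -o toctou_demo` and run it; it prints `ok` when the regular file verifies and the symlink is refused. A static analyser will still flag the `lstat`-then-`open` pair as a check/use race, because it is one; the point of the `fstat` comparison and `O_NOFOLLOW` is that the race is detected and the open fails closed rather than following whatever was swapped in.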