fullstorydev/semgrep-rules
fs-semgrep-rules

At Fullstory, we leverage Semgrep as a core tool in our security engineering efforts to detect potential issues in our codebase. This involves not only optimizing existing rules but also developing new ones to identify code patterns that could lead to security vulnerabilities.

While many of the rules we create are tailored to our internal codebase, we also develop rules that are broadly applicable to a wide range of projects. The rules shared in this repository are designed to address common code patterns and potential vulnerabilities that are relevant to many codebases.

We are continually refining these rules and adding new ones to improve their effectiveness in finding code bugs that could result in security flaws.

Note: The setup of this repository was in part inspired by other Semgrep rule repositories to which we have contributed in the past, including Semgrep's own repository of rules as well as Trail of Bits' Semgrep repository.

Running the rules

From your terminal, navigate to the directory containing the code you want to analyze, then point Semgrep at a local clone of this repository (-f is the short form of --config):

$ semgrep -f /path/to/fs/semgrep-rules

Testing

You can run the rule tests locally with the following command. Semgrep's --test mode runs each rule against the annotated target file that sits next to it (iterate-over-empty-map.yaml is checked against iterate-over-empty-map.go, and so on) and fails if the findings do not match the annotations:

semgrep --test --test-ignore-todo --metrics=off

To test a specific rule, pass the rule file together with its annotated target file:

semgrep --test --test-ignore-todo --metrics=off --config ./go/iterate-over-empty-map.yaml ./go/iterate-over-empty-map.go

Rules

go

| ID | Impact | Confidence | Description |
|---|---|---|---|
| creds-from-jwtconfig | 🟧 | 🌘 | Loading JWT configuration from JSON rather than using service accounts can leave credentials checked into code and lead to other insecure key-management practices |
| defer-in-loop | 🟩 | 🌗 | Resource leak due to improper use of defer: a defer inside a loop runs only when the enclosing function returns, so every iteration's resource stays open until then |
| gcs-path-traversal | 🟧 | 🌗 | A Google Cloud Storage object path is built from user input, which can allow path traversal to objects the caller should not reach |
| insecure-dir-creation | 🟧 | 🌘 | Insecure handling of file and directory writes |
| missing-close-on-file | 🟩 | 🌗 | An opened file is never closed, leaking its file descriptor |
| missing-defer-http | 🟩 | 🌗 | An HTTP response body is never closed (no deferred Body.Close), so the underlying connection is not drained or returned to the pool and leaks |
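
As an added example (not code from this repository), the block below is a hypothetical Go target file in the layout that semgrep --test expects for the rules above: a "ruleid: <id>" comment on the line before a finding the rule must report, and an "ok: <id>" comment before a line the rule must leave alone. It shows what defer-in-loop and missing-defer-http look for, with the leaking form beside the fixed form. The function names, the constructed sample files and the exact annotation placement are assumptions; which line a rule reports, and therefore where the annotation must sit, is decided by the pattern in that rule's YAML.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"os"
	"path/filepath"
)

// writeSampleFiles creates three constructed 10-byte files under dir and
// returns their paths (sample input for the readers below).
func writeSampleFiles(dir string) ([]string, error) {
	var paths []string
	for i := 0; i < 3; i++ {
		p := filepath.Join(dir, fmt.Sprintf("sample-%d.txt", i))
		if err := os.WriteFile(p, []byte("0123456789"), 0o600); err != nil {
			return nil, err
		}
		paths = append(paths, p)
	}
	return paths, nil
}

// readFilesDeferInLoop sums the sizes of the given files. The defer sits
// inside the loop, so every descriptor stays open until the function
// returns; with enough files this hits the process's fd limit.
func readFilesDeferInLoop(paths []string) (int, error) {
	total := 0
	for _, p := range paths {
		f, err := os.Open(p)
		if err != nil {
			return 0, err
		}
		// ruleid: defer-in-loop
		defer f.Close() // runs only when readFilesDeferInLoop returns
		b, err := io.ReadAll(f)
		if err != nil {
			return 0, err
		}
		total += len(b)
	}
	return total, nil
}

// readFilesClosed does the same work but wraps each iteration in a closure,
// so the deferred Close runs at the end of every iteration.
func readFilesClosed(paths []string) (int, error) {
	total := 0
	for _, p := range paths {
		n, err := func() (int, error) {
			f, err := os.Open(p)
			if err != nil {
				return 0, err
			}
			// ok: defer-in-loop
			defer f.Close() // scoped to this closure, not the loop
			b, err := io.ReadAll(f)
			return len(b), err
		}()
		if err != nil {
			return 0, err
		}
		total += n
	}
	return total, nil
}

// fetchStatusLeak returns the status code of a GET but never closes the
// body, so the connection is neither drained nor returned to the pool.
func fetchStatusLeak(url string) (int, error) {
	// ruleid: missing-defer-http
	resp, err := http.Get(url)
	if err != nil {
		return 0, err
	}
	return resp.StatusCode, nil
}

// fetchStatus defers Body.Close right after the error check (resp is nil
// when err != nil, so deferring any earlier would panic).
func fetchStatus(url string) (int, error) {
	// ok: missing-defer-http
	resp, err := http.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	dir, err := os.MkdirTemp("", "fs-semgrep-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	paths, _ := writeSampleFiles(dir)
	n, err := readFilesClosed(paths)
	fmt.Println("bytes read:", n, "err:", err)
}
```

Both forms return the same values on a handful of files, which is exactly why these leaks survive review and unit tests: the difference only shows up under load, when descriptors or pooled connections run out. The closure in readFilesClosed is the idiomatic fix when the loop body cannot be moved into its own named function; an explicit f.Close() at the end of the iteration works too but is easy to skip on early-return paths.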

optimizations

| ID | Impact | Confidence | Description |
|---|---|---|---|
| math-random-used | 🟧 | 🌗 | Finds likely cases where math/rand is used where a cryptographically secure source (crypto/rand) is needed. As an optimization to reduce false positives, functions such as Shuffle, which are rarely used for security-sensitive purposes, are excluded |
