At Fullstory, we leverage Semgrep as a core tool in our security engineering efforts to detect potential issues in our codebase. This involves not only optimizing existing rules but also developing new ones to identify code patterns that could lead to security vulnerabilities.
While many of the rules we create are tailored to our internal codebase, we also develop rules that are broadly applicable to a wide range of projects. The rules shared in this repository are designed to address common code patterns and potential vulnerabilities that are relevant to many codebases.
We are continually refining these rules and adding new ones to improve their effectiveness in finding code bugs that could result in security flaws.
Note: The setup of this repository was in part inspired by other Semgrep rule repositories to which we have contributed in the past, including Semgrep's own repository of rules as well as Trail of Bits' Semgrep repository.
From your terminal, navigate to the directory containing the code you want to analyze, then run the following command:
```shell
$ semgrep -f /path/to/fs/semgrep-rules
```
You can run tests locally with:
```shell
semgrep --test --test-ignore-todo --metrics=off
```
To test a specific file:
```shell
semgrep --test --test-ignore-todo --metrics=off --config ./go/iterate-over-empty-map.yaml ./go/iterate-over-empty-map.go
```
ID | Impact | Confidence | Description |
---|---|---|---|
creds-from-jwtconfig | 🟧 | 🌘 | Using JWT configuration from JSON rather than using service accounts could lead to exposed credentials in code and other insecure key management practices |
defer-in-loop | 🟩 | 🌗 | Resource leak due to improper use of defer |
gcs-path-traversal | 🟧 | 🌗 | An HTTP redirect was found to be crafted from user input, leading to an open redirect vulnerability |
insecure-dir-creation | 🟧 | 🌘 | Insecure handling of file and directory writes |
missing-close-on-file | 🟩 | 🌗 | Handling of open file descriptors |
missing-defer-http | 🟩 | 🌗 | Handling of HTTP response bodies |
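To make the `defer-in-loop` finding concrete, here is an added Go example (not code from this repository) that contrasts the leaky pattern with the per-iteration closure fix. It uses a constructed `fakeFile` type and an `openCount` counter as a stand-in for real file descriptors so the leak is observable without touching the filesystem.

```go
package main

import "fmt"

// openCount stands in for the OS descriptor table so the leak is observable
// without touching real files (constructed stand-in, not the rule's own code).
var openCount int

type fakeFile struct{ name string }

func openFake(name string) *fakeFile { openCount++; return &fakeFile{name: name} }
func (f *fakeFile) Close() error    { openCount--; return nil }

// processLeaky is the pattern defer-in-loop flags: each deferred Close runs only
// when processLeaky returns, so every handle stays open until the loop finishes.
// It returns the peak number of simultaneously open handles.
func processLeaky(names []string) int {
	peak := 0
	for _, n := range names {
		f := openFake(n)
		defer f.Close() // deferred to function exit, not to the end of this iteration
		if openCount > peak {
			peak = openCount
		}
	}
	return peak
}

// processFixed wraps each iteration in its own function, so the deferred Close
// runs at the end of every iteration and at most one handle is open at a time.
func processFixed(names []string) int {
	peak := 0
	for _, n := range names {
		func() {
			f := openFake(n)
			defer f.Close() // runs when this closure returns, i.e. once per iteration
			if openCount > peak {
				peak = openCount
			}
		}()
	}
	return peak
}

func main() {
	names := []string{"a.log", "b.log", "c.log", "d.log"} // constructed sample input
	fmt.Println("leaky peak:", processLeaky(names), "fixed peak:", processFixed(names))
}
```

With four inputs the leaky version holds all four handles open at once, while the fixed version never has more than one open; on a real loop over many files the first form exhausts descriptors.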
ID | Impact | Confidence | Description |
---|---|---|---|
math-random-used | 🟧 | 🌗 | Finds likely cases where math/rand may be used insecurely. For the optimization, we exclude functions like Shuffle which are rarely used cryptographically |