There's something truly special happening in the static analysis world.

Now, this is a world that is full of dinosaurs. Tools that are monolithic and expensive and really don't work well in pipelines, no matter what the account managers tell you.
Yes, some might "plug" in, but often that's via clunky connectors or you having to fork your repo so the SAST/DAST can scan and then report back.

Hello 2010, Bad Romance by Lady Gaga is a great track
Anyway, for those who don't want to spend hundreds of thousands on dinosaurs, two players came in and shook up the world:

LGTM https://lgtm.com/, now part of the @github fam, and Semgrep https://semgrep.live/
Both take the approach of scanning for defects in a more modern CI/CD way. I've already proclaimed my love for LGTM and felt today was a perfect time to show off how damn cool Semgrep is.

So set the scene. I have a huge codebase that I want to quickly scan for a few issues
I do not want to use a GUI, or fork or fanny around with some clunky tool. I want to use the command line or get it into my pipeline asap.

Semgrep lets me build up packs, where a pack is a bundle of individual checks (rules). I don't even need a pack; I can just run a single check, for example, deserialisation
Java and deserialisation are highschool lovers. Sloppy and messy and gross to watch.

I could just use

semgrep --config="https://semgrep.live/c/r/java.rmi.security.server-dangerous-object-deserialization.server-dangerous-object-deserialization"
The pattern is simples

pattern: |
  interface $INTERFACE extends Remote {
    $RETURNTYPE $METHOD(Object $PARAM) throws RemoteException;
  }
But I want to make my own custom pack, with individual rules, and this is where http://semgrep.live is so dreamy. I pick the rules I want and it makes me a pack
I've now got my super cool pack, ready to run in a few ways. I can use the CLI

semgrep --config "https://semgrep.live/p/danielcuthbert.you-even-security-bro" * > bugseverywhere.txt
Or I can add it to my pipeline (this one is GitLab CI, using the semgrep-action image), because that's kinda what we want right? We don't want to throw the kitchen sink at every damn commit as that's lazy and 2010 and Lady Gaga doesn't approve.
include:
  - template: 'Workflows/MergeRequest-Pipelines.gitlab-ci.yml'

semgrep:
  image: returntocorp/semgrep-action:v1
  script:
    - python -m semgrep_agent --config https://semgrep.live/p/danielcuthbert.you-even-security-bro
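One thing the CLI and CI snippets above both skip over is what happens after the scan: dumping findings into bugseverywhere.txt is fine for a one-off, but in a pipeline you want the job to actually fail on the findings you care about, and to fail loudly if a rule in your pack is broken (a bad rule gives you zero findings and a green build). The script below is an added example, not code from the thread or from r2c. It wraps the thread's RMI pattern in a complete rule (the rule id and message are mine), writes a constructed Java fixture with one interface the pattern should match and one it should not, runs `semgrep --json` against it if semgrep is on PATH, and then gates on the JSON report. When semgrep is not installed it falls back to a constructed sample report so the gate logic still runs; that sample mirrors the shape of semgrep's JSON output (`results[].check_id`, `path`, `start.line`, `extra.severity`, plus a top-level `errors` list) and is not real scanner output.

```python
"""Run a Semgrep rule against a fixture and gate a CI job on the JSON report.

Added example (not from the thread). Assumptions: the rule id, message,
fixture and SAMPLE_REPORT below are constructed; semgrep on PATH is optional.
"""
from __future__ import annotations

import json
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path

# The thread's pattern, wrapped in a complete rule. id/message are ours.
RULE_YAML = """\
rules:
  - id: rmi-object-param-deserialization
    languages: [java]
    severity: ERROR
    message: >-
      Remote method takes a raw Object parameter; RMI deserialises
      attacker-controlled data before the method body ever runs.
    pattern: |
      interface $INTERFACE extends Remote {
        $RETURNTYPE $METHOD(Object $PARAM) throws RemoteException;
      }
"""

# Constructed fixture: Vulnerable has the exact shape the pattern describes,
# Safer takes a concrete type so `Object $PARAM` should not bind.
FIXTURE_JAVA = """\
import java.rmi.Remote;
import java.rmi.RemoteException;

interface Vulnerable extends Remote {
    String process(Object payload) throws RemoteException;
}

interface Safer extends Remote {
    String process(String payload) throws RemoteException;
}
"""

# Constructed stand-in for `semgrep --json` output, used when semgrep is absent.
SAMPLE_REPORT = {
    "results": [
        {"check_id": "rmi-object-param-deserialization", "path": "Fixture.java",
         "start": {"line": 4}, "end": {"line": 6},
         "extra": {"severity": "ERROR", "message": "raw Object parameter"}},
        {"check_id": "example.hypothetical.style-nit", "path": "Fixture.java",
         "start": {"line": 1}, "end": {"line": 1},
         "extra": {"severity": "INFO", "message": "hypothetical low-severity hit"}},
    ],
    "errors": [],
}


def run_semgrep(config: str, target: str) -> dict:
    """Invoke semgrep and parse its JSON report (exit code is not trusted here)."""
    proc = subprocess.run(
        ["semgrep", "--config", config, "--json", "--quiet", target],
        capture_output=True, text=True, check=False,
    )
    return json.loads(proc.stdout)


def gate(report: dict, fail_on: tuple[str, ...] = ("ERROR",)) -> tuple[bool, list[str]]:
    """Return (passed, summary lines).

    Fails on any finding whose severity is in fail_on, and on any scanner
    error: a pack with a broken rule must not pass as 'no findings'.
    """
    lines: list[str] = []
    blocking = 0
    for r in report.get("results", []):
        sev = r["extra"]["severity"]
        lines.append(f"{sev:<7} {r['path']}:{r['start']['line']} {r['check_id']}")
        if sev in fail_on:
            blocking += 1
    for err in report.get("errors", []):
        lines.append(f"SCANNER-ERROR {err.get('message', err)}")
    passed = blocking == 0 and not report.get("errors")
    return passed, lines


def main() -> int:
    with tempfile.TemporaryDirectory() as tmp:
        rule = Path(tmp, "rmi.yml")
        fixture = Path(tmp, "Fixture.java")
        rule.write_text(RULE_YAML)
        fixture.write_text(FIXTURE_JAVA)
        if shutil.which("semgrep"):
            report = run_semgrep(str(rule), str(fixture))
        else:
            print("semgrep not on PATH; gating the constructed sample report")
            report = SAMPLE_REPORT
    passed, lines = gate(report)
    print("\n".join(lines) or "no findings")
    print("PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main())
```

Drop this in as the script step instead of the bare semgrep call and the merge-request job goes red only on the severities you choose, while a malformed rule in the pack surfaces as a scanner error rather than a silent pass.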
So far, it's quick and modular and the best part is that it is community-driven and this is important.

Why? well @r2cdev and @OWASP_ASVS are joining forces and writing community rules that allow anyone to automate the checking of L1 rules (we made L1 to be automated)
For all the other vendors who sell SAST/DAST tools, when are we going to see you adopting the ASVS?

You've been promising me for years you were working on it, that's a long sprint.
You can follow @dcuthbert.