1 of 28

Secure code review with Semgrep

2 of 28

About me

Bishwajeet Biswas�Security Enthusiast

3 of 28

What is Semgrep??

Semgrep is a static code analysis tool that helps identify security vulnerabilities. It is known for its flexibility and ease of use, allowing users to create custom rules using code-like patterns.

4 of 28

Semgrep VS other SAST tools

5 of 28

  • Fast and lightweight, ideal for CI/CD pipelines without slowing builds.
  • Highly customizable with code-like patterns—easy to write and modify rules.
  • Context-aware scanning reduces false positives by understanding code flow.
  • Offers an open-source version with premium features available at lower cost.
  • Simple to integrate into CI/CD with minimal setup.

6 of 28

Agenda

Basics of Semgrep

Metavariable analysis for entropy analysis

Taint mode for flow analysis

7 of 28

Syntax

rules:

- id: simple_print

pattern: print()

message: Semgrep found a match

languages:

- python

severity: Warning

8 of 28

How to pattern match?

9 of 28

Ellipsis Operator (...)

10 of 28

11 of 28

Metavariables

12 of 28

Challenge

13 of 28

Don’t worry Semgrep has got you covered

14 of 28

But how? (Pattern-not)

15 of 28

Hardcoded secrets detected!!

16 of 28

Metavariable-analysis �to the rescue

Metavariable analysis helps detect vulnerabilities, code smells, or unsafe flows by tracking these placeholders across multiple patterns in a rule.

17 of 28

Detecting hardcoded secrets

18 of 28

Code vulnerable to XSS!!

19 of 28

Taint mode

Taint mode is used to detect taint flows. It helps identify potential vulnerabilities, such as injection attacks (e.g., SQL injection, command injection), by tracking how data flows from sources (input points) to sinks (places where the data is used).

20 of 28

Detecting XSS

21 of 28

Code vulnerable to Path traversal!!

22 of 28

Taint mode again for the rescue

23 of 28

Detecting path traversal

24 of 28

Code vulnerable to SQLi!!

25 of 28

Pattern-not-inside �has got your back

pattern-not-inside ensures that a specific code pattern is flagged only when it’s not inside a particular context. This is useful when you want to ensure that unsafe code (like direct string concatenation) is reported only if it's not inside a block where validation or sanitization happens.

26 of 28

Detecting SQLi

27 of 28

28 of 28

Please join our community