
Exciting Enhancements: Semgrep’s Fall 2021 Update Highlights

Original Post: Semgrep's Fall 2021 Updates

Semgrep's fall 2021 release brings four notable changes:

  1. Taint mode (source, sanitizer, sink rules): Rules can now be written as data-flow specifications instead of syntactic patterns, which makes injection classes such as SQL injection and XSS easier to catch, since the bug is untrusted input reaching a dangerous call rather than any single line of code. A taint-mode rule declares just three things: the sources where untrusted data enters, the sanitizers that neutralize it, and the sinks it must not reach unsanitized. Detections that previously needed long lists of hand-written pattern combinations collapse to those three declarations.

  2. Terraform parsing: Semgrep now parses Terraform files written in HCL, so rules for infrastructure-as-code projects can match on the real block and attribute structure instead of treating the file as text. This sits alongside the YAML and JSON configuration formats Semgrep already parsed.

  3. --config=auto: Passing --config=auto makes Semgrep pick Semgrep Registry rules that match the languages and frameworks detected in the project, so there is no need to choose rulesets by hand, and each run uses the current registry versions of those rules. Because the rules are fetched from the registry at scan time, a network-isolated CI job still needs rule files pinned locally.

  4. Performance improvements: Semgrep is now roughly 5x faster than it was six months earlier, with the stated goal of approaching the speed of tools like ripgrep, which translates directly into faster scans on large repositories.
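To make items 1 and 2 concrete, here is a single Semgrep rules file that I wrote for this summary; it is an added illustration, not code from the original post or from the Semgrep project. It holds one taint-mode rule for Flask code reaching a database execute() call and one HCL rule for Terraform. The rule ids, messages and the target snippets in the comments are constructed for this example, and the use of a metavariable ($NAME) to bind a resource block label is an assumption about Semgrep's HCL pattern syntax.

```yaml
# Added example (not from the original post or the Semgrep project).
# Run against a checkout with:
#   semgrep --config semgrep-rules.yaml path/to/repo
rules:
  # ------------------------------------------------------------------
  # Item 1: taint mode. Three declarations replace hand-written data-flow
  # patterns: where untrusted data enters (sources), what neutralizes it
  # (sanitizers), and where it must not arrive unsanitized (sinks).
  # ------------------------------------------------------------------
  - id: flask-request-to-sql-execute          # constructed rule id
    mode: taint
    languages: [python]
    severity: ERROR
    message: >-
      Untrusted Flask request data reaches a database execute() call without
      passing through a sanitizer. Use a parameterized query or validate the
      input first.
    pattern-sources:
      # Semgrep resolves "from flask import request" to flask.request, so
      # these also match the bare request.args.get(...) form.
      - pattern: flask.request.args.get(...)
      - pattern: flask.request.form.get(...)
      - pattern: flask.request.args[...]
    pattern-sanitizers:
      # int() either raises or returns a number, so its result cannot carry
      # an injection payload into a string-built query.
      - pattern: int(...)
    pattern-sinks:
      # Only the query argument is the sink. Binding $QUERY through
      # pattern-inside means a tainted value in the parameter tuple of a
      # properly parameterized execute(sql, (value,)) is NOT reported.
      - patterns:
          - pattern-inside: $CURSOR.execute($QUERY, ...)
          - pattern: $QUERY
    # Constructed target illustrating one finding and two non-findings:
    #
    #   from flask import request
    #   @app.route("/user")
    #   def user():
    #       uid = request.args.get("id")
    #       cur.execute("SELECT * FROM users WHERE id = " + uid)      # finding
    #       cur.execute("SELECT * FROM users WHERE id = %s", (uid,))  # ok: parameterized
    #       safe = int(request.args.get("id"))
    #       cur.execute("SELECT * FROM users WHERE id = " + str(safe)) # ok: sanitized

  # ------------------------------------------------------------------
  # Item 2: Terraform (HCL) parsing. The pattern is written in HCL itself;
  # "..." stands for any other attributes or nested blocks in the resource,
  # so attribute order and unrelated settings do not matter.
  # ------------------------------------------------------------------
  - id: aws-s3-bucket-public-read-acl          # constructed rule id
    languages: [terraform]                     # "hcl" is accepted as an alias
    severity: WARNING
    message: S3 bucket $NAME is created with a public-read ACL; use a private ACL.
    pattern: |
      resource "aws_s3_bucket" $NAME {
        ...
        acl = "public-read"
        ...
      }
    # Constructed target:
    #
    #   resource "aws_s3_bucket" "logs" {
    #     bucket = "example-logs"
    #     acl    = "public-read"   # finding
    #   }
    #   resource "aws_s3_bucket" "private_logs" {
    #     bucket = "example-private-logs"
    #     acl    = "private"       # not reported
    #   }
```

Two practitioner caveats. First, a sink written as the whole call ($CURSOR.execute(...)) would also flag the parameterized form because the tuple argument is tainted, which is why the rule binds the query argument specifically; when writing taint rules, decide which argument is actually dangerous. Second, Semgrep's open-source taint analysis follows data flow within a single function, so a source in one function and a sink in another it calls will not be connected; keep that in mind before reading a clean scan as proof of absence.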

Alongside the CLI changes, updates to the Semgrep App make it easier to roll out a single Semgrep configuration across an organization, track findings over time, dismiss false positives, and push findings into Jira for issue tracking.

Future plans include continuously enhancing these features and engaging with the Semgrep community for further development.

