Original Post: The birth of Semgrep Pro Engine
Semgrep Code specializes in SAST solutions for secure code development. One of its biggest challenges has been adding interfile (cross-file) analysis while staying developer-focused and without relying on community contributions to build it. Initially, Semgrep analyzed one file at a time, which is enough to enforce secure coding practices such as preventing XSS in React components, but it cannot connect a source in one file to a sink in another, so the need for interfile analysis was recognized for broader security coverage.
The development of interfile analysis began with a focus on Java, implementing key features such as type inference, constant propagation, and taint analysis across file boundaries. Testing with users highlighted the need for more concrete examples and a structured feedback process. By reframing their goals and creating benchmarks based on real repositories and on SQL injection vulnerabilities, the team could develop and refine the interfile analysis in a measurable way.
The Semgrep Pro Engine was officially released on February 14, after rigorous testing and development, including collaborations with security researchers and feedback from beta testers. This tool allows comprehensive analysis across multiple files, enhancing the ability to detect vulnerabilities missed by single-file analysis.
The final product supports Java and JavaScript, featuring interfile analysis and taint rules written specifically for it. Future development aims to add more languages and features, driven by user feedback and evolving security needs. The journey emphasized the importance of user interaction and iterative development in creating a reliable security tool.
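The kind of finding that interfile taint analysis exists for, as an added illustration that is not code from the original post or from Semgrep: a Java SQL injection whose source (a request parameter) and sink (a JDBC query built by string concatenation) sit in two different files. Scanned one file at a time, the controller shows a source with no sink and the repository shows a sink whose argument is just an untraced method parameter, so neither file alone produces a finding. The class and method names, the servlet dependency, and the rule sketched in the leading comment are assumptions made for this example; the rule uses Semgrep's documented taint-mode keys and the `interfile: true` option, but it is not a published Semgrep rule.

```java
// Added example (not from the original post or from Semgrep). Two source files
// are shown in one block for readability; the separator comments mark the split.
//
// A taint rule an interfile run could apply to this code (illustrative, not a
// shipped rule), shown as a comment because this fence holds Java:
//
//   rules:
//     - id: sqli-request-param-to-jdbc-statement
//       mode: taint
//       languages: [java]
//       severity: ERROR
//       message: Request parameter reaches a JDBC query built from strings
//       options:
//         interfile: true          # follow taint across file boundaries
//       pattern-sources:
//         - pattern: (javax.servlet.http.HttpServletRequest $R).getParameter(...)
//       pattern-sinks:
//         - patterns:
//             - pattern-either:
//                 - pattern: (java.sql.Statement $S).executeQuery($Q)
//                 - pattern: (java.sql.Statement $S).execute($Q)
//             - focus-metavariable: $Q
//
// ---- File 1: UserController.java (assumed name) ----------------------------
package com.example;

import javax.servlet.http.HttpServletRequest;
import java.sql.SQLException;

public class UserController {
    private final UserRepository repo;

    public UserController(UserRepository repo) {
        this.repo = repo;
    }

    // SOURCE: attacker-controlled query-string value. There is no database
    // call in this file, so a single-file scan sees a source with no sink.
    public String show(HttpServletRequest request) throws SQLException {
        String name = request.getParameter("name");
        return repo.findByName(name);   // taint leaves this file here
    }
}

// ---- File 2: UserRepository.java (assumed name) ----------------------------
package com.example;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class UserRepository {
    private final Connection conn;

    public UserRepository(Connection conn) {
        this.conn = conn;
    }

    // SINK: `name` is concatenated into the query text. Seen alone, `name` is
    // a plain String parameter of unknown origin, so a single-file scan stays
    // silent; interfile analysis links it to getParameter() in the controller.
    public String findByName(String name) throws SQLException {
        String sql = "SELECT email FROM users WHERE name = '" + name + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    // Hardened form: the value is bound as a parameter and never becomes part
    // of the query text, so the sink pattern above no longer matches.
    public String findByNameSafe(String name) throws SQLException {
        String sql = "SELECT email FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }
}
```

The point to verify in practice is the difference between the two scan modes on the same rule: with cross-file analysis disabled, neither file reports, which is exactly the false-negative class the post describes; with it enabled, the finding is reported at the `executeQuery` line in the repository, with the trace starting at `getParameter` in the controller.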
For more information about Semgrep Pro Engine features and rules, visit their product page.
Go here to read the Original Post