Scaling SAST: Advanced Taint Analysis and Rule Optimization in Semgrep

Security BSides San Francisco, video, 2026-05-12

Abstract

This technical session details the evolution of Semgrep, an open-source static analysis tool, focusing on performance optimizations and the transition to a more powerful rule engine. The talk introduces critical updates to rule syntax designed to reduce false positives and the General Availability (GA) of "Taint Mode," which enables the tracking of untrusted user input from sources to dangerous sinks. Key takeaways include methods for writing more secure and performant SAST rules and strategies for integrating fast security guardrails into CI/CD pipelines to prevent vulnerability classes like XSS and unsafe deserialization.
