Repository for my Semgrep hot spot rules.
In this context, hot spots are parts of code that might contain security vulnerabilities. You are not "always" looking for a specific problem, but rather bad practices, common mistakes, insecure configurations, and in short, places where bad things usually happen.
For more details and examples, please read the blog post at https://parsiya.net/blog/semgrep-hotspot/.
The audience for these rules is security engineers who want to find focus areas for code review. These rules are noisy and are not suitable for developer-facing views and systems.
- Clone the repository.
- Run Semgrep with `--config` pointing to the repository or any of its subdirectories.

```
$ semgrep --config /path/to/semgrep-hotspots/ . --sarif --output my-results.sarif
```
A list of rules and their triage guides. If you have any questions or suggestions, please make an issue.
TODO: Add rules and their guides here.
| Rule ID | Language | Triage Guide |
|---|---|---|
| Arrays passed to functions | C++ | Triage Guide |
| Encode/Decode in function name | C/C++ | Triage Guide |
| Encrypt/Decrypt in function name | C/C++ | Triage Guide |
| memcpy usage | C/C++ | Triage Guide |
| Out of Bounds Array Access | C/C++ | Triage Guide |
| Potentially Uninitialized Pointer | C/C++ | Triage Guide |
| snprintf usage | C/C++ | Triage Guide |
Please follow the "Contributing through GitHub" section of the "Contributing to Semgrep rules" article and make a pull request with your rules.
Please note the LICENSE.
At a minimum, add a rule with a good Semgrep message, tests (which can double as example code) and a short triage guide. The triage guide should explain why the rule is a hot spot and how a fellow security engineer can triage the results.
If in doubt, please use the current rules as reference or make an issue (or contact me some other way). Make sure to update the guide table in the readme.
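As an added example of the minimum contribution described above (my illustration, not one of this repository's own rules; the rule id, message and triage text are made up), a hot spot rule for memcpy in Semgrep's YAML format:

```yaml
rules:
  - id: hotspot-memcpy-usage  # hypothetical id, not one of the repository's rules
    languages: [c, cpp]
    severity: WARNING         # the level the README suggests for hot spots
    # Deliberately broad: every memcpy call is reported so a reviewer can
    # look at it. Metavariables ($DST, $LEN) are interpolated into the message.
    message: >-
      memcpy() copies $LEN bytes into $DST. Hot spot: confirm that $DST is at
      least $LEN bytes long and that $LEN cannot be influenced by untrusted
      input (file contents, network data, argv).
    pattern: memcpy($DST, $SRC, $LEN)
    metadata:
      category: security
      hotspot: true
      # Short triage guide carried with the rule so it shows up in SARIF output.
      triage: >-
        Walk back from each finding to where $LEN is computed and where $DST
        is allocated; prioritise calls whose length comes from a field parsed
        out of attacker-supplied data or whose destination is a fixed-size
        stack buffer.
```

A test file placed beside the rule with `// ruleid: hotspot-memcpy-usage` on the line above each call that should fire (and `// ok: hotspot-memcpy-usage` above ones that should not) doubles as the example code the README asks for; `semgrep --test` checks the rule against those annotations.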
TODO: Add info about the directory structure.
TODO: Add info about severity level. WARNING seems like a good choice. Ask the r2c team for their opinion.
Attribution-NonCommercial-ShareAlike 4.0 International. Please see LICENSE for details. I chose this license based on the Trail of Bits public Semgrep rules repository.