At Trail of Bits, we aim to share and develop the tools and resources we use in our security assessments with the broader security community. We observed that many clients don't use Semgrep to its fullest potential, or don't use it at all. To bridge this gap and encourage broader adoption, our CEO, Dan Guido, initiated discussions with the Semgrep team. Through these discussions, we identified areas where our expertise could enhance Semgrep's capabilities and vice versa. We are excited to announce a new partnership with Semgrep, born from these conversations. This collaboration allows us to deliver Semgrep's advanced features to our clients faster.
At Semgrep, we are thrilled to partner with Trail of Bits, whose rigorous approach to security engineering and research directly complements our focus on embedding secure coding practices within the development pipeline. Their expertise in identifying and mitigating vulnerabilities aligns with our efforts to provide precise and actionable guardrails, enabling teams to produce secure software by design. -Daghan Altas, CRO, Semgrep
But why Semgrep?
Much like mechanics have a toolbox for their work, so do engineers. We use a suite of tools on every engagement to support our manual testing, and Semgrep is one of the first tools our application security team runs when auditing a codebase. It finds low-complexity bugs and specific code patterns without having to build the target code, since it matches on the parsed source rather than on a compiled artifact. Its more advanced features let us write custom rules for the patterns that matter on a given engagement and deliberately exclude parts of the code base (vendored dependencies, generated code, test fixtures) from scanning. We also train our clients on using Semgrep and other testing tools and methodologies during our assessments.
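To make the two capabilities mentioned above concrete, here is a small custom rule together with the inline suppression mechanism. This is an added example written for this page; it is not one of Trail of Bits' published rules or part of the Semgrep registry. The rule id, message text, and the file paths `rules/subprocess-shell-true.yaml` and `src/backup.py` are illustrative choices, and the target snippet in the trailing comment is constructed for the example.

```yaml
# Added example rule (not a Trail of Bits or Semgrep registry rule).
# Flags subprocess calls that run a non-literal command string through a shell.
rules:
  - id: python-subprocess-shell-true-nonliteral
    languages: [python]
    severity: WARNING
    message: >-
      subprocess.$FUNC is invoked with shell=True and a command that is not a
      fixed string literal, so any untrusted data that reaches $CMD is parsed by
      /bin/sh. Pass an argv list and drop shell=True.
    metadata:
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"
    patterns:
      # Match any call on the subprocess module with shell=True in any keyword position.
      - pattern: subprocess.$FUNC($CMD, ..., shell=True, ...)
      # Deliberately ignore calls whose command is a plain string literal;
      # "..." in a Semgrep pattern matches any string literal.
      - pattern-not: subprocess.$FUNC("...", ..., shell=True, ...)
      # Restrict $FUNC to the process-spawning entry points, not every attribute.
      - metavariable-regex:
          metavariable: $FUNC
          regex: ^(run|call|check_call|check_output|Popen)$

# Constructed target (src/backup.py) for trying the rule with:
#   semgrep --config rules/subprocess-shell-true.yaml src/
#
#   import subprocess
#
#   def archive(path):
#       subprocess.run("tar czf backup.tgz " + path, shell=True)   # reported
#       subprocess.run("ls -l /var/backups", shell=True)            # skipped: literal command
#       cmd = "du -sh " + path
#       subprocess.run(cmd, shell=True)  # nosemgrep: python-subprocess-shell-true-nonliteral
```

The first call is reported because its command is a concatenation, not a literal. The second is skipped by the `pattern-not` clause. The third would match, but the `# nosemgrep: <rule-id>` comment on that line suppresses it; a bare `# nosemgrep` suppresses every rule on the line, so naming the rule id keeps other findings on that line visible. Whole directories are excluded with a `.semgrepignore` file at the repository root (one path pattern per line, same syntax as `.gitignore`), which is where vendored and generated code normally goes.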
We encourage not just our clients to use Semgrep in their testing strategies—we believe it’s an incredibly valuable tool for any dev team.
Semgrep resources
Since our team uses Semgrep frequently during client engagements and in our research, we’ve learned a lot about its capabilities. We share our insights through blog posts, covering topics like custom rules we’ve developed, securing ML projects, and discovering bugs. We also have a comprehensive Testing Handbook with an entire chapter dedicated to Semgrep. Below is just a handful of our Semgrep resources and research:
General resources about Semgrep
- Announcing the Trail of Bits Testing Handbook
- The Trail of Bits Testing Handbook: Semgrep Chapter
- Introduction to Semgrep webinar
- How to introduce Semgrep to your organization
Detailed Semgrep use cases
- 30 new Semgrep rules: Ansible, Java, Kotlin, shell scripts, and more
- Secure your Apollo GraphQL server with Semgrep
- Secure your machine learning with Semgrep
- Discovering goroutine leaks with Semgrep
If you’re interested in learning more about using Semgrep and other custom tooling to enhance your application’s security throughout its SDLC, we’re here to help. Contact us to discuss how we can provide tailored training for your team.