semgrep-rules
blog-spring-actuator-example
| semgrep-rules | blog-spring-actuator-example | |
|---|---|---|
| 8 | 2 | |
| 707 | 2 | |
| 1.1% | - | |
| 9.4 | 10.0 | |
| 4 days ago | over 1 year ago | |
| Solidity | Java | |
| GNU General Public License v3.0 or later | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
semgrep-rules
-
Powerful SAST project for Android Application Security
Nice and all, but why not contribute to https://github.com/returntocorp/semgrep-rules ?
-
Semgrep - Beta support for Rust
Well, the rules they actually added are pretty noisy. There's also not a lot of them.
-
Spring Actuator - Finding Actuators using Static Code Analysis - Part 2
The semgrep registry contains lots of rules for many issues, and you can contribute your own.
-
Just Say No To `:Latest`
Hadolint is great! If you want to customize your lint logic beyond the checks in it, I recently wrote a Semgrep rule to require all our Dockerfiles to pin images with a sha256 hash that could be a good starting point: https://github.com/returntocorp/semgrep-rules/pull/1861/file...
-
RCE 0-day exploit found in log4j, a popular Java logging package
Semgrep Rules for searching source code
-
Hacktoberfest and open-source security
Interested? More details are in this Hacktoberfest README.
- Semgrep rules registry: 1300 linter rules
blog-spring-actuator-example
-
Spring Actuator - Finding Actuators using Static Code Analysis - Part 2
Semgrep rules are fairly easy to wrap your head around, so let's build one for our example application from the previous part of this series. To be able to showcase some of the capabilities of semgrep, we'll be using the YAML configuration syntax for Spring. This is what a basic vulnerable Spring configuration could look like:
-
Spring Actuator - Stealing Secrets Using Spring Actuators - Part 1:
I've created a basic, vulnerable Spring application that exposes all endpoints if you want to follow along at home. Running it locally on your machine and accessing the Spring actuators endpoint, you will get the following output:
What are some alternatives?
find-sec-bugs - The SpotBugs plugin for security audits of Java web applications and Android applications. (Also work with Kotlin, Groovy and Scala projects)
CVE-2021-44228-Log4Shell-Hashes - Hashes for vulnerable LOG4J versions
ZAP - The ZAP core project
pyre-check - Performant type-checking for python.
Log4JShell-Bytecode-Detector - Local Bytecode Scanner for the Log4JShell Vulnerability (CVE-2021-44228)
ThreatMapper - Open source cloud native security observability platform. Linux, K8s, AWS Fargate and more.
hadolint - Dockerfile linter, validate inline bash, written in Haskell
apache-log4j-rce-poc
dockerfile-image-update - A tool that helps you get security patches for Docker images into production as quickly as possible without breaking things
semgrep - Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
active-scan-plus-plus - ActiveScan++ Burp Suite Plugin
apache-log4j-rce-poc