Module: github.com/fullstorydev/semgrep-rules
Version: 0.0.0-20241203192202-8353034af04c
Repository: https://github.com/fullstorydev/semgrep-rules.git
Documentation: pkg.go.dev

# README

## fs-semgrep-rules

At Fullstory, we leverage Semgrep as a core tool in our security engineering efforts to detect potential issues in our codebase. This involves not only optimizing existing rules but also developing new ones to identify code patterns that could lead to security vulnerabilities.

While many of the rules we create are tailored to our internal codebase, we also develop rules that are broadly applicable to a wide range of projects. The rules shared in this repository are designed to address common code patterns and potential vulnerabilities that are relevant to many codebases.

We are continually refining these rules and adding new ones to improve their effectiveness in finding code bugs that could result in security flaws.

Note: The setup of this repository was in part inspired by other Semgrep rule repositories to which we have contributed in the past, including Semgrep's own rules repository as well as Trail of Bits' Semgrep repository.

## Running the rules

From your terminal, navigate to the directory containing the code you want to analyze, then run the following command:

```sh
$ semgrep -f /path/to/fs/semgrep-rules
```

## Testing

You can run tests locally with:

```sh
semgrep --test --test-ignore-todo --metrics=off
```

To test a specific file:

```sh
semgrep --test --test-ignore-todo --metrics=off --config ./go/iterate-over-empty-map.yaml ./go/iterate-over-empty-map.go
```

## Rules

### go

| ID | Impact | Confidence | Description |
|---|---|---|---|
| creds-from-jwtconfig | 🟧 | 🌘 | Using JWT configuration from JSON rather than service accounts could lead to exposed credentials in code and other insecure key-management practices |
| defer-in-loop | 🟩 | 🌗 | Resource leak due to improper use of defer |
| gcs-path-traversal | 🟧 | 🌗 | An HTTP redirect was found to be crafted from user input, leading to an open redirect vulnerability |
| insecure-dir-creation | 🟧 | 🌘 | Insecure handling of file and directory writes |
| missing-close-on-file | 🟩 | 🌗 | Handling of open file descriptors |
| missing-defer-http | 🟩 | 🌗 | Handling of HTTP response bodies |

### optimizations

| ID | Impact | Confidence | Description |
|---|---|---|---|
| math-random-used | 🟧 | 🌗 | Finds likely cases where math/rand may be used insecurely. For the optimization, we exclude functions like Shuffle which are rarely used cryptographically |
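As an added illustration (this is not code from the Fullstory repository), the Go below puts the patterns behind four of the rules above side by side: the fd-leaking loop that `defer-in-loop` is about next to the per-file helper that `missing-close-on-file` expects, the closed response body that `missing-defer-http` expects, and a `crypto/rand` token generator in place of the `math/rand` usage that `math-random-used` looks for. All function names and the constructed sample files are this example's own choices; whether a given rule fires on this exact code depends on its pattern, which is not reproduced here.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"os"
	"path/filepath"
)

// writeSampleFiles writes n small files into dir (constructed demo input).
func writeSampleFiles(dir string, n int) ([]string, error) {
	paths := make([]string, n)
	for i := range paths {
		paths[i] = filepath.Join(dir, fmt.Sprintf("f%d.txt", i))
		if err := os.WriteFile(paths[i], []byte("hello"), 0o600); err != nil {
			return nil, err
		}
	}
	return paths, nil
}

// readOne is what missing-close-on-file expects: the descriptor is
// released on every return path by a defer scoped to this one file.
func readOne(p string) (int, error) {
	f, err := os.Open(p)
	if err != nil {
		return 0, err
	}
	defer f.Close()
	b, err := io.ReadAll(f)
	if err != nil {
		return 0, err
	}
	return len(b), nil
}

// totalBytesLeaky is the shape defer-in-loop flags. A defer runs when the
// function returns, not at the end of the iteration, so every file stays
// open until the loop finishes; a long list can exhaust the fd limit.
func totalBytesLeaky(paths []string) (int, error) {
	total := 0
	for _, p := range paths {
		f, err := os.Open(p)
		if err != nil {
			return 0, err
		}
		defer f.Close() // all descriptors are held until the function returns
		b, err := io.ReadAll(f)
		if err != nil {
			return 0, err
		}
		total += len(b)
	}
	return total, nil
}

// totalBytes is the fix: per-iteration work moves into readOne, so the
// defer closes each file before the next one is opened.
func totalBytes(paths []string) (int, error) {
	total := 0
	for _, p := range paths {
		n, err := readOne(p)
		if err != nil {
			return 0, err
		}
		total += n
	}
	return total, nil
}

// fetchBody is what missing-defer-http expects: resp.Body is closed once
// Get succeeds, so the connection is returned to the pool instead of leaked.
func fetchBody(url string) (string, error) {
	resp, err := http.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// newToken uses crypto/rand; math-random-used flags math/rand in code like
// this because its output is predictable.
func newToken(nBytes int) (string, error) {
	b := make([]byte, nBytes)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}
```

Both loop variants return the same byte count; the difference is only how long each descriptor stays open, which is exactly why this class of bug survives functional tests and is worth catching statically. Save the file into a scratch directory and run the `semgrep -f` command from "Running the rules" there to see which of these patterns the rules report.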
