From YouTube: Adding in Semgrep SAST job and configuring custom rules
Description
No description was provided for this meeting.
A: So, first, just to give you a little context here, this customer is interested in our security analyzers. They have other scanners that they're using today and, as part of that, they have a number of different custom rules and some rules that they want to have for specific languages, to detect vulnerabilities that they've identified to be things that they want to be looking for as part of their SAST scan.

A: Now, with our security scanners out of the box, specifically with Semgrep today, for customizing rule sets the only option, if you want to do that for Semgrep, is you can only disable the pre-defined rules that come with the analyzer itself. Modifying the behavior of the rules or adding in new rules or configuring those rules is only available for NodeJsScan and Gosec.

A: So if you go to this page, they have this here, where I have this nice configuration for spinning up a job for your project, and it also includes things like automatically posting back to the merge request and the dashboards and all that kind of stuff. So it works very, very similarly to how our scanner works today. But what you can do is now you can configure the Semgrep rules that are associated with it as well. So you can see here they define that as variables.

A: This is running two different rule sets here, security-audit and secrets, out of the box, and what's powerful about this is that you can show how you can configure rules very easily. And so, as a customer, you could use this as a job, you know, in an upstream YAML file that people could include into that. You can use compliance pipelines, which actually I'm doing in this case here, to enforce this job.

A: In the same way you would with the SAST job, but with the configuration you can show a better demo where you can actually add in a custom rule to it and see it execute against the project. So what I mean by that is, the easy way to do this from a demonstration standpoint is: if you go to the Semgrep site and you go to the rules tab, you know you can look for a specific rule set that applies to the language that you want to add, and so you can filter by this.

A: I filtered already here, because I have a React application. This one here is just an HTML parser, and I want to add this rule in here to detect if there's cross-site scripting vulnerabilities associated to that, and so it gives you all this information here. And what's really nice about this, too, is it also gives you the test code right here as well, and so I can instrument my code base with this test code and add the rule into my job, and it's going to find that rule and display it back into the merge request here. So to show you that really quickly here, you can see that it has found that specific rule violation and it's a high vulnerability risk, and I can see the information that's associated with it, where it's identified.

A: That specifically, which is that rule that I had found back there. So essentially, what you can do for a demo here is that in my job itself, where I've defined that. So, like I said, I am doing this upstream inside a compliance framework, a compliance pipeline here, and here's my Semgrep job. So I copied that from their site, and the only thing that I changed here was adding in that rule.

A: So all you have to do to add in one of these contributed rules is use their syntax here for r, which is what they use for the community-contributed rules, and then instrument my code, and then I'm off and running. So in my project itself, here what you can do is create a merge request, and in that merge request use that sample code from the documented rules itself.

A: So this sample code, depending on the language, you may have to do some things, like I had to add react-html-parser to my project, things like that, but pretty straightforward. So yeah, so basically I instrumented that into my JS file here, and then, where's that, yeah. Then I had to add in that package into my JSON file, added that code in there, ran this pipeline, and the output of that pipeline shows that vulnerability.

A: So two nice things here. One is you can show the simplicity of adding in custom rules to this. These custom rules, you can also write your own, store those in your data and store that into your repository, and reference it in the same exact way. That's obviously a lot more work, because you have to actually add the rule in and all the configuration that's associated with it.

A: This is also a nice way to just easily add in a new vulnerability, because they give you that sample code that's associated to it here. So I just wanted to show that quick demo; if there are any questions, happy to walk you through the project itself. But I find this to be a very valuable thing to, one, show the flexibility of using Semgrep.

A: Also, it also shows the ability to add in a custom analyzer, even though it's the same one that we're using in our SAST scan; it's just showing the full job itself, and the ability to always add in a new vulnerability into your merge request very easily without having to find some code out on the internet or writing some insecure code. It handles that very easily for you. That's all, thanks.
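The job the speaker describes, written out as an added example (this is not the YAML shown in the video and not GitLab's or Semgrep's own snippet, though it follows the shape of Semgrep's published GitLab CI configuration). The two rule sets named in the talk, p/security-audit and p/secrets, are real registry rule sets; the registry rule id is left as a placeholder because the video does not name it, and the local rules directory .semgrep/ is an assumption standing in for "write your own and store it in your repository".

```yaml
# .gitlab-ci.yml (added example, not from the video)
semgrep:
  image: returntocorp/semgrep
  # "semgrep ci" reads SEMGREP_RULES and, with --gitlab-sast, writes findings
  # in GitLab's SAST report schema so they show up in the merge request widget.
  script: semgrep ci --gitlab-sast > gl-sast-report.json || true
  variables:
    # Space-separated rule sources: registry rule sets (p/...), a single
    # registry rule (r/...), and a directory of your own rule files.
    SEMGREP_RULES: >-
      p/security-audit
      p/secrets
      r/<registry-rule-id>
      .semgrep/
  artifacts:
    reports:
      sast: gl-sast-report.json
  rules:
    # Run on merge requests and on the default branch, as the SAST job does.
    - if: $CI_MERGE_REQUEST_IID
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

Replace `r/<registry-rule-id>` with the id shown on the rule's page in the Semgrep registry, and put any rule you write yourself as a YAML file under `.semgrep/`. One caveat for a job that is enforced through a compliance pipeline: the `|| true` keeps the pipeline green even when Semgrep itself fails to run (bad rule syntax, missing image), so findings can silently stop arriving; drop it, or check the job log, if you want a broken scanner to fail the pipeline rather than pass it.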