►
Description
Luke O'Malley presented an overview of semgrep, a fast static analysis tool that supports many languages. He shared the techniques they use to included static analysis in their Jenkins jobs and areas (like code review) where they've found static analysis can be surprisingly helpful.
A
A
We're
pleased
that
you're
here
thanks
for
joining
us,
I
would
remind
you
that
jenkins
online
meetups
are
community
driven
virtual
meetups.
They
are
intentionally
focused
on
jenkins,
but
anything
about
jenkins.
They
can
be
case
studies.
They
could
be
success
stories.
They
could
be
things
you
learned
or
experienced
that
you
would
be
willing
to
share
with
others.
A
We
are
intentionally
looking
for
speakers
who
are
willing
to
be
voice
and
present
and
share
their
experiences
with
jenkins.
Please
reach
out
to
us,
through
the
advocacy
and
outreach
special
interest
group
on
gitter
at
this
url.
If
you
would
be
interested
in
being
a
speaker
at
a
jenkins
online
meetup,
we're
very
grateful
to
luke
today
that
he's
willing
to
present
to
us
grateful
for
what
we're
going
to
learn
from
this
and
excited
to
be
here
for
questions
and
answers.
A
We
encourage
you
to
ask
your
questions
through
the
zoom
question
and
answer
facility,
or
through
zoom
chat.
We
will
collect
those
questions,
invite
you
to
gather
them
together
and
as
we
find
them,
we'll
ask
questions
to
luke
and
let
him
answer
then.
After
the
official
recorded
portion
of
this
meeting,
we
will
stop
the
recording
and
allow
everyone
to
become
voice
so
that
we
can
ask
each
other
questions
off
the
record.
A
B
Go
ahead
awesome.
Thank
you
so
much
for
the
introduction
mark
and
hello
everybody.
Let
me
just
go
ahead
and
get
screen
sharing
here.
B
And
can
you
confirm
that
you
can
see
my
screen
that
that
is?
Can
I
can
see
it
just
great?
Thank
you.
Fantastic
well,
awesome
really
really
happy
to
be
here
and
if
you
have
questions,
please
feel
free
to
throw
them
in
the
chat.
It
is
much
more
fun
to
do
zoom
presentation
that
is
interactive
than
one.
That
is
not
so
just
a
quick
background.
B
So
today
my
plan
was
to
talk
about
a
static
analysis
tool
which
is
basically
a
tool
that
is
used
to
scan
source
code
and
find
bugs,
and
it
is
a
tool
that
is
works
across
many
languages
and
works
across
many
environments.
So
if
you
want
to
run
it
in
a
jenkins
environment
during
build
time
fantastic,
if
you
want
to
run
this
locally,
it
works
locally
on
linux,
based
systems,
so
mac
linux
windows,
subsystem
for
linux.
B
Things
like
that,
and
I
wanted
to
show
you
basically
what
is
semprep
what
it
does
well
and
then
how
to
actually
set
it
up
and
run
it
in
jenkins.
B
So
just
at
a
high
level,
and
I'm
curious
in
the
in
the
chat
who
has
interacted
with
or
encountered
a
static
analysis
tool
before.
Is
that
a
new
term
for
folks
I
see
mark,
I
can
see
mark
on
the
video
raising
his
hands.
So
just
a
quick
background.
Static
analysis
is
a
field
that
has
been
around
for
a
long
time.
B
Very
simply,
the
static
part
means
that
you
take
source
code,
you
just
take
source
code
files
and
you
basically
look
at
them
and
you
try
to
determine
what
they
do
without
running
so
just
like
reading
reading
source
code,
so
source
code
comes
in
and
kind
of
conclusions
about
that
code
comes
out,
but
you
haven't
run
it
on
any
kind
of
system.
You
haven't
necessarily
compiled
it.
B
I
think
we
found
that
there
have
been
other
efforts
before
us
that
have
kind
of
either
proprietary
rules
or
maybe
like
closed
ecosystems
and
so
for
some
grep.
There
actually
is
a
community
registry.
Anyone
can
contribute
to
the
registry,
so
you
can
publish
your
rules
kind
of
like
your
packages
to
it
and
there's
so
far
a
thousand
plus
rules
across
all
the
languages
that
we
support,
and
I
think
what
what
folks
will
see
if
you
take
a
look,
they
generally
get
broken
up
by
language.
B
So
there's
like
python
rules,
you
know
golang
rules
and
there's
also
rules
for
specific
frameworks.
So
let's
say
you're
doing
in
python,
django
web
app
development.
You
can
find
rules
for
something
like
that
and
then
sometimes
there's
just
things
that
are
more
like
topical,
so
cross-site
scripting
is
something
that
security
professionals
tend
to
care
about.
So
you
can
find
rules
with
that.
So
really
really
active
community,
particularly
on
slack
actually
so
folks
are
interested
in
getting
involved.
There's
a
an
active
community
on
slack
for
this
tool.
B
You
know
it's
really
fantastic,
that
there
are
so
many
rules
that
are
available
already,
but
everyone's
environment
and
code
base
and
company
is
a
little
bit
different,
and
so
we
have
focused
as
a
as
a
project
on
making
it
really
easy
to
write
rules,
and
so
you
write
rules
that
look
like
the
code
you're
trying
to
match,
and
so
I'll
show
you
what
that
looks
like,
but
you
don't
have
to
learn
any
kind
of
complicated.
B
You
know
domain
specific
language,
and
I'd
mentioned
this
a
little
bit
earlier,
but
it's
important
that
it
run
everywhere
and
so
for
our
project.
You
can
run
it
in
your
terminal.
You
can
run
it
in
the
editor.
You
can
run
it
in
jenkins,
so
it's
a
highly
portable
tool
and
the
last
piece
that
I
want
to
mention
this
will
be
relevant.
B
B
You
want
to
set
up
some
kind
of
code
scanning,
so
really
really
good
intentions
and
then
you're
punished
by
the
tool,
because
you
have
existing
violations,
and
so
you
can't
get
your
green
check
mark
on
your
build
and
we
all
know
that
we
love
our
green
check,
marks
up
and
down.
So
there
is
a
possibility
to
make
it
kind
of
looking
forward,
so
you
can
start
to
improve
the
quality
of
your
project,
and
I
I
mentioned
this
already.
B
If
you
use
docker,
there's
a
docker
image,
that's
published
so
there's
a
couple
different
ways
to
consume
it
or
get
it
running,
and
then
once
you
have
it
installed,
there's
a
pretty
it's
a
healthy
set
of
flags
that
you
can
pass
this
command
line
tool,
but
the
main
one
that
folks
use
is
this
dash
config
flag
and
that
lets
you
actually
specify
things
from
the
registry.
B
So
if
you
there's
a
rule
that
you
see
on
the
register,
you
like
or
collection
of
rules,
you
can
just
do
dash
dash
config
it
for
you
downloads,
the
rules
from
the
registry
and
then
runs
them
on
your
your
source
code,
so
pretty
straightforward
to
use,
use
there,
and
I
promise
you
that
it
was
an
open
source
project.
So
I
just
wanted
to
show
you
a
couple
stats.
It's
lgpl
2
licensed
for
those
of
you
at
companies
that
maybe
licensing
has
to
be
very
particular
for
the
tools
that
you
use.
B
We
have
a
growing
number
of
contributors,
so
if
you
write
python
or
you
want
to
learn
o'camel,
there
are
some
really
good
opportunities
there
and
we
release
very
frequently.
So,
since
the
project's
inception,
we've
had
95
releases,
we
release
every
one
to
two
weeks.
You
know
bug
fixes
improvements,
new
languages
and
things
like
that.
So
there's
a
really
fast
cadence
and
the
project
is
getting
better
better.
Every
day.
B
And
then
just
to
kind
of
round
out,
hey
so
there's
this
tool,
it
scans
code,
it
very
likely
runs
on
your
system
or
the
place
that
you
need
it
to
run
because
it's
portable
kind
of
does
it
actually
work
for
the
languages
that
my
organization
is
developing
in,
so
I'm
mostly
showing
here
languages
that
we
call
generally
available,
and
so
these
are
ones
that
the
community
spent
a
lot
of
time
to
harden
and
we
we
mostly
look
at
parse
rate.
B
So
how
much
code
are
we
able
to
successfully
parse
in
this
target
language
and
so
for
these
languages?
We're
at?
I
think
it's
99.9
percent
parse
rate
across
really
large
corpuses
of
open
source
projects
and
there's
a
bunch
of
stats
and
dashboards.
I
can
show
you,
but
we've
taken
this
really
data-driven
approach
to
like
what
does
it
mean
to
have
something
that's
generally
available
so
on
that
list
I
mentioned
kind
of
we'll
say
modern
languages,
so
we've
got
go.
B
We've
had
a
lot
of
work
recently
in
ruby
and
typescript
for
those
of
you
who
are
working
with
configuration
file
formats
a
little
bit
more
experimental,
but
we
have
this
thing
called
generic,
which
has
been
letting
us
do.
Yaml
files,
you
know
if
you
have
json
config,
we
actually
do
support
json,
natively,
so
kind
of
what
this
leads
to
is
hey
there's
one
tool.
B
It
probably
works
for
the
majority
of
the
things
that
you
know
your
organization
may
encounter
at
least
that's
what
I've
been
finding
so
far
for
the
the
people
that
I've
been
helping
and
you
can
write
rules
for
these
languages
too.
So
if
you
have
an
idea,
I'm
going
to
show
you
how
to
do
that
in
just
a
little
bit.
B
A
B
Exactly
and
I'm
gonna
I'm
actually,
I
will
pull
that
up,
because
we'll
do
what's
effectively
like
a
copy
paste
is
the
way
that
all
my
rules
when
I'm
starting
them-
I
say:
oh,
this
is
the
the
target
code,
the
stuff
that
I
want
to
match
and
I'll
actually
copy
and
paste
that,
and
that's
that's
the
basis
for
my
rule,
for
my
pattern.
A
Excellent,
thank
you,
okay,
and
I
assume
that
that
you'll,
some
point
maybe
describe
the
difference
between
generic
and
your
generic
model
and
some
more
specific
things
that
aggressively
target
yaml
syntax
checking.
But
for
me
this
one
that,
in
my
language
is,
is
quite
interesting
and
quite
important.
So.
B
Yeah,
so
I
and
I
I'll-
I
will
definitely
touch
on
that,
and
I
see
that
there's
a
question
in
the
chat
too
about
some
other
tools,
for
instance
the
sonar
cube
system.
I
think
I
will
touch
on
that
a
little
bit
later,
so
manuel,
if
you're,
if
you're,
okay,
I
will
delay
that
question,
but
keep
me
honest
and
feel
free
to
bring
that
up
in
like
five
minutes
awesome,
so
real,
quick
where
I
switched
over
to
I
just
went
to
the
semgrep
website.
It
got
a
facelift
yesterday.
B
So,
if
you've
been
on
this
previously,
we
had
a
different
logo
for
the
project
different
website
and
late
last
night.
It
got
updated.
So
I'm
just
on
the
website
and
a
lot
of
the
presentation
that
I'm
giving
I've
actually
pulled
from
the
website.
So
you'll
see
some
some
some
more
content.
B
What
I
wanted
to
draw
your
attention
to-
and
this
is
kind
of
in
the
vein
of
making
it
easier
to
write
rules-
is
that
we
have
a
thing
that
we
call
the
playground,
and
so
I'm
just
going
to
click
over
to
that
and
the
playground
is
effectively
a
online
kind
of.
We
call
it
the
editor,
a
rule
editor,
so
as
you're
experimenting
with
rules,
you
can
do
that
here,
so
you
don't
have
to
run
things
locally
and
maybe
most
powerfully.
The
thing
that
I
use
it
the
most
for
is
that
I
can
share
rules.
B
B
So
if
you
write
a
rule
in
the
editor
and
that's
where
you're
doing
your
development
with
there's
some
nice
debugging
niceties
and
things,
you
can
then
run
it
locally
to
actually
see
hey.
Would
this
have
caught
the
bug
that
I'm
trying
to
catch
so
there's
some
really
really
cool
stuff
there.
B
So
what
I
wanted
to
show
you
is:
I've
got
a
little
bit
of
python
code
and
I
promise
you
that
rules
look
like
the
code
you're
trying
to
match.
So
really,
I
won't
say,
like
trivial
use
case
here,
is
that
a
print
statement
makes
it
into
a
production
environment,
and
this
is
actually
a
rule
that
we
run.
We
don't
want
print
statements.
We
want
to
use
our
logging
framework.
B
So
I
want
to
show
you
what
it
looks
like
to
just
try
to
match
this,
and
what
I'm
going
to
do
is
I'm
just
going
to
start
by
copying
and
then
pasting
the
segment
of
code
that
I
want
to
match
and
if
I
run
this,
as
is
I'll,
get
a
basically
identical
match
right.
So
what
I
copied
matches
this
line,
but
that
is
probably
that's
only
useful
if
someone
exactly
types
out,
my
debugging
skynet,
init,
vector
statement.
B
What,
if
I
don't
care
about
what's
within
the
print
statement-
and
this
is
where
I'm
going
to
start
to
draw
a
bunch
of
analogies
to
grep-
I
have
the
ability
to
just
like
enter
in
a
wild
card
and
say:
hey,
I
don't
care
about
the
stuff,
that's
in
between
my
two
parentheses,
and
so
I'm
just
gonna.
Do
this
dot
dot
dot,
which
is
equivalent
to
like
a
dot
star
in
regex
I'm
kind
of
wild
card,
and
that
will
then
match
any
print
statement
that
has
one
or
more
arguments
in
it?
B
Actually,
it's
zero
or
more
arguments,
so
it
kind
of
generalizes
the
rule.
So
this
is
what
most
rules
snippets
or
kind
of
little.
I
guess
snippets
will
look
like
any
kind
of
questions
there.
I
just
wanted
to
quickly
show
you
and
I'll
talk
about
how
this
works
and
why
it's
not
actually
text
matching
and
all
the
kind
of
cool
tech
behind
it.
But
hopefully
you
have
a
sense
of
what
what
a
rule
would
look
like
and
what
it's
doing
so.
A
A
B
Is
actually
a
great
segue
into
how
it
works,
so
I
don't
know
actually
be
curious
for
the
group
who
has
used
regex
to
write
a
basic
like
a
code
rule
or
try
to
find
coding
issues.
It's
something
that
we
had
done
a
lot
on
on
the
team,
and
it
turns
out
that
actually
grep
is
maybe
one
of
the
greatest
static
analysis
tools
out
there.
B
But
it
has
some
problems
and
the
problem
is
that
strings
and
string
searching
is
not
equivalent
to
what
source
code
actually
looks
like
or
how
the
computer
understands
source
code,
which
is
as
a
treat
and
so
the
way
that
I
think
about
semgrep
is
that
it's
basically
grep
but
for
trees,
so
that
little
snippet
that
I
showed
you
you
know
we're
not
doing
a
string
search
on
it.
That
little
snippet
is
going
to
get
turned
into
basically
a
tree
matcher
and
it's
going
to
go.
B
B
So
I
can
just
give
you
a
quick
example
of
that,
where
maybe
grep
would
have
have
some
trouble.
So
this
is
a
javascript
example
now
and
pretty
classically
like
you,
don't
want
to
use
exec,
you
don't
want
to
execute.
You
know
arbitrary
input,
and
so
we
just
want
to
find
all
of
the
occurrences
of
that.
We
want
to
ban
it
from
our
our
code
base.
B
So
if
I
were
to
use
grep
you'd,
actually
I
think
be
able
to
get
pretty
far
here.
You
know
you
could
write
a
pattern
that
matches
the
word
exact
and
maybe
includes
a
left
parenthesis
and
that's
probably
a
pretty
good
indicator
that
there's
at
least
a
function
that
ends
in
the
word
exec.
You
know
you
start
you're
starting
a
function
call
but
where
you'll
run
into
I
think
pain
with
grep
is
when
it
comes
to
white
space.
B
So
what
if
someone
you
know
includes
a
space
before
the
parenthesis,
it
turns
out
that
that
is
valid,
a
valid
javascript.
What
if
there
are
new
line
characters?
That's
going
to
start
to
be
very
painful
in
grep,
so
your
expression
is
going
to
get
more
complicated.
B
B
B
There's
a
caveat
here
where,
for
I
think,
a
lot
of
tools,
particularly
in
the
open
source
domain,
so
you
think
of
like
eslint
bandit
and
some
others,
sometimes
they're
used
for
style
enforcement
and
so
for
some
grep.
We've
explicitly
made
this
decision
that
we
do
not
do
style
and
it's
not
even
possible
to
do
style
because
we
remove
white
space.
We
remove
comments
and
we
are
looking
at
just
that
true
representation
of
the
code.
B
This
is
a
diagram
that
came
out
of
instagram,
so
instagram
does
a
lot
of
static
analysis
and
I'm
I
stole
part
of
their
diagram,
so
they
were
trying
to
do
a
comparison
of
where
tools
fall
on
the
spectrum
of
you
know
easy,
but
dumb
code
scanning
all
the
way
to
powerful
but
complex
code
scanning
and
on
the
the
easy
side.
B
This
is
really
where,
where
grep
is,
and
on
the
more
powerful
but
complex
side,
you
get
a
lot
of
the
proprietary
kind
of
maybe
more
expensive
options,
and
so
for
us
with
semgrep.
We
really
wanted
to
sit
somewhere
in
the
middle,
so
we
said
hey,
we
think
the
opportunity
kind
of
with
the
community
is
that
we
need
an
easy
tool,
but
it's
smart,
it's
a
powerful
tool,
but
it's
simple
and
so
we're
trying
to
kind
of
make
the
right
set
of
right,
set
of
trade-offs
and
so
mark.
B
This
is
basically
the
statement
you
had
made
earlier.
You
know:
hey
you're,
telling
me
that
if
I,
if
I
can
write
c,
I
can
write
a
rule
and
see
it's
basically
the
case
for
for
any
of
the
languages
that
we
support.
B
Yeah,
so
just
looking
through
the
chat,
any
questions
so
far,
my
my
thought
just
to
kind
of
maybe
broadcast
where
I'm
going.
B
I
want
to
talk
a
little
bit
about
use
cases
that
I've
seen
for
the
tool
so
kind
of
talk
about
capabilities,
talk
about
some
use
cases
and
actually
wanted
to
show
you
how
how
my
team
is
using
semgrep
in
a
ci
type
of
setting
and
the
types
of
things
that
we
check
for
and
then
I
was
gonna
go
on
to
talk
about
jenkins,
specific
configs,
so
kind
of
from
the
group.
Are
there
any
questions
that
I
can
answer?
A
Was
a
there
was
a
question
that
was
asked
that
I
attempted
to
answer
on
my
own
related
to
coverage.
Asking
hey.
Does
this
report
coverage
and
my
assumption
was
it
doesn't
report
coverage
because
it's
not
actually
executing
the
code?
Therefore,
it
really
couldn't
report
coverage.
Is
there
a
coverage
kind
of
concept
in
some
prep
that
that
is
worth
discussing?
I'm
not
sure
I
would
know
what
that
might
be.
B
Yeah,
that's
that's
a
great
question,
so
we
don't
do
coverage
reports
right
now.
You
know
I
haven't
kendall.
I
haven't
thought
too
much
about
what
would
technically
be
involved
there.
I
think
one
of
the
interesting
parts
is
that,
because
it's
an
extensible
tool,
I
suspect
that
you
could
kind
of
mix
and
match
some
grep,
perhaps
with
basically
other
approaches
or
other
coverage
tools.
B
You
can
so
I
didn't
mention
this
early
on,
but
you
can
use
semgrep
as
a
python
library
as
well,
and
so,
if
you
want
to
basically
natively
call
semgrep
from
your
own
code,
you
can
you
can
do
that.
You
don't
have
to
you,
know
shell
out
or
try
to
build
a
pipeline
with
the
some
grip
cli.
B
Thank
you
yeah,
and
then
I
see
that
there's
a
question
just
on
how
to
get
started
on
the
the
website
that
I
was
on
at
semgrip.dev
website.
B
B
B
And
then
on
the
secrets
and
api
key
matching,
I
will
talk
a
little
bit
about
the
registry
in
just
a
little
like
towards
the
end
of
the
presentation.
So
there
are
some
rules
that
I
have
seen
for
secret
matching.
The
caveat
is
that
they
can
be
noisy,
which
I
think
quite
a
few
secret
tools
can
be,
and
so
there's
a
question
on
who
should
run
it?
B
If
you
should
run
it
at
ci
time
and
you
know,
break
the
build,
bring
it
to
developers
attention
or
if
those
types
of
rules
might
be
better
for
kind
of
like
audit
type
scans.
That
would
go
to
a
dedicated
team
like
the
security
team.
B
And
then,
meanwhile,
I
see
you
have
a
question
about
private
private
rules,
so
I'll
show.
When
I
get
to
the
jenkins
piece,
we
have
a
basically
like
a
wrapper
around
some
grip.
That's
called
some
grip
agent
and
it
understands
how
to
pull
in
like
local
config
files
and
actually,
when
you
run
some
grip
locally
for
the
command
line
tool,
you
can
pass
it
in
rule
files
as
well,
so
that's
an
option
for
private
organizations
and
then
something
I
won't
talk
about.
B
B
So
just
some
use
cases,
because
when
I,
when
I
first
started
using
some
grub,
I
didn't
quite
realize
all
the
things
you
could
do
with
it
so
go
through
some
of
the
the
greatest
hits
a
lot
of
folks.
When
they're
looking
for
static
analysis
tools,
it's
usually
some
kind
of
compliance
like
there's
a
contractual
obligation.
We've
got
to
run
it
and
so
there's
a
bunch
of
rules
for
os
top
ten
writing
your
own
rules.
B
So
I
didn't
really
touch
on
this.
But
you
know
if
you
write,
write
rules,
yeah
grep
is
really
easy.
Let's
say
you
want
to
extend
really
any
other
tool.
That's
out
there
like
yes
lent
bandit
or
even
some
of
the
commercial
ones
turns
out
just
like
really
hard
to
to
write
rules,
because
you
you
don't
get
to
express
the
rule
basically
as
code,
so
you
have
to
think
of.
Like
okay,
I
see
source
code.
What
does
that
look
like?
B
As
a
tree,
and
then
you
write
this
kind
of
complicated,
what's
called
like
a
node
visitor
right,
and
so
you
start
to
refer
to
specific
nodes
and
suddenly
you
have
to
have
expertise
on
program,
analysis
and
programming
languages,
and
so
I
think
for
us
really.
The
use
case
for
most
folks
is
that
they
have
a
rule
that
they
want
to
write
themselves
and
it's
just
the
simplest
way
of
doing
it.
B
So
the
idea
here
is
that
you
basically
ensure
that
people
are
using
the
correct
libraries
and
frameworks
and
if
you
use
these
libraries
and
frameworks,
you're
kind
of
default,
safe
and
so
really
really
nice
example
of
this
we've
probably
assumed
have
all
run
into
or
heard
of,
sql
injection
at
some
point
in
our
careers
right.
So
how
do
we
get
rid
of
sql
injection?
B
You
know
that
there
is
a
user
input
flowing
into
a
sql
query
or
you
could
say:
hey,
I'm
just
going
to
use
an
object,
relational
mapper,
I'm
going
to
use
one
of
these
many
libraries
that
wrap
sql,
and
in
doing
so
you
eliminate
almost
entirely
the
possibility
of
sql
injection,
because
you
are
actually
separating
out
basically
data
from
control,
and
so
that's
like
the
main
selling
point
of
using
object,
relational
mapper
if
you've
in
the
python
world
use
sql,
alchemy,
that's
a
great
example,
and
so
my
understanding
is
this
is
actually
the
approach
that
google
took
many
years
back
and
they've
never
looked
back
since
so
it's
just
you
choose
the
right
frameworks,
you
choose
the
right
libraries,
your
code
base
will
be
safer
and
so
let's
enforce
that
people
are
actually
using
them.
B
If
you
are
on
the
bug,
bounty
crowd,
you
could
hunt
vulnerabilities
and
you
can
also
just
standardize
library
and
api
usage.
So
deprecated
apis
is
a
pretty
common
one.
You
just
want
to
make
sure
that
people
are
using
the
new
stuff,
not
the
old
stuff,
and
so
you
can
do
that,
and
I
wanted
to
show
you
how
how
we're
using
it.
It's
not
a
security
example,
but
I
mean
really
for
us.
I
think
most
of
the
value
that
we
get
out
of
stem
grep
and
we
run
it.
B
You
know
it
runs
on
every
single
commit
at
r2c.
It's
really
around
enforcement
of
our
own,
like
standards.
So
if
we
have
a
user-facing
bug
security
performance,
like
whatever
it
might
be
oftentimes
as
a
consequence
of
that
bug,
report
we'll
write
a
semgrep
rule
to
try
to
catch
that
catch
or
prevent
that
issue
from
happening
again
in
the
future,
and
so
we're
just
kind
of
constantly
codifying
institutional
knowledge.
B
A
B
Okay,
so
I
I've
got
the
the
playground
open
again
and
it's
a
little
bit
more
advanced
this
time,
so
I've
got
actual
test
code
down
below
and
what
I
haven't
mentioned.
Yet
you
know
I
showed
you
these
really
really
simple
snippets
earlier
in
the
presentation-
and
I
did
not
mention
that
you
can
actually
combine
them
with
a
basically
a
boolean
logic,
and
this
is
what
gives
rules
I
want
to
say
like
most
of
their
power.
B
B
So
we
ran
into
this
issue
where
I
guess
some
browsers
as
a
security
security
feature,
don't
allow
you
to
access
a
local
storage
and
we
wanted
to
ensure
that
any
time
we
try
to
access
local
storage
for
our
front
end
code,
it
is
wrapped
with
a
try
catch
so
that
we
can
gracefully
gracefully
fail,
and
this
was
basically
causing
issues
for
us,
because
you
know
a
few
weeks
would
go
by.
Someone
would
forget
about
this.
B
You
try
to
access
local
storage,
it
would
work
for
you,
you
know
for
other
folks
or
for
kind
of
end
users.
It
wouldn't-
and
so
we
wanted
to
to
catch
this.
So
we
look
for
all
the
places
where
there
is
access
to
local
storage.
B
Again,
we
don't
care
about
what
the
the
arguments
are
and
we
actually
don't
care
about
what
method
we
use
and
so
there's
a
an
additional
concept
that
on
the
website,
if
you
go
through
it
or
you
go
through
our
our
tutorial.
You'll
learn
about
this
metavariable,
basically
named
capture
group
convention
that
we
have,
but
we're
saying,
hey,
find
me
all
the
places
where
you
use
local
storage.
B
So,
there's
a
couple
quite
a
few
test
examples
here,
as
we
we
dialed
in
the
rule,
but
I
think
this
would
be
a
great
great
use
for
some
grep,
where
it's
it's
highly
relevant
for
you,
it's
highly
relevant
for
the
members
of
your
engineering
team
and
again
it's
something
that
you
know
probably
doesn't
generalize,
because
these
are
things
that
are
specific
to
r2c
right.
These
are
these
like
helper
methods
that
we've
written,
so
you
would
have
to
write
the
rule
and
it's
it's
easy
to
do
so
with
some
grip.
B
We've
been
really
fortunate
that
members
of
the
community
who
have
basically
specialized
knowledge
either
in
security
or
go
performance
or
the
oauth
asvs
framework,
have
been
willing
to
step
up
and
make
contributions
to
the
to
the
registry,
and
so
I'm
clicking
through
I'm
on
some
group
again
and
I'm
just
under
rules
here.
So
this
is
the
rules
registry
you
can
go
through
and
you
can
look
at
kind
of
different
rule
sets.
B
Excuse
me
different
rule
sets
that
people
have
published
and
I'll
just
click
into
one
for
for
go
and
anytime
you're
you're.
Looking
for
these
rule
sets
you'll
always
see
that
they
have
this
subgrip
dash,
config
line
that
I
can
copy.
So
if
you
want
to
run
it
locally,
you
just
copy
it
that
way,
and
you
can
look
through
and
find
the
types
of
things
that
this
will
check
for
and
then
you
can
also
browse
all
of
the
rules
as
well.
B
B
Everyday,
so
I
was
thinking
that
I
would
start
to
transition
into
what
does
this
look
like
to
integrate
into
ci
so
before
I
make
that
transition?
Are
there
any
questions
that
I
can
answer
about?
The
registry
or
rule
writing,
or
some
group.
A
B
Great
so
it
sounds
like
I
should
talk
about
the
next
step,
then.
So,
let's,
let's
dive
in,
I
am
on
the
semgrip
docs
tab.
So
I've
got
that
open,
there's
a
bunch
of
different
infra,
there's
a
bunch
of
information
about
different
ci
providers
and
I'm
just
going
to
pop
down
to
the
standalone
providers,
because
that
would
give
me
a
chance
to
talk
about
how
some
grip
works.
So
in
ci
there
are
folks
who
are
running
some
grep,
just
kind
of
the
vanilla,
some
grub
command
line
tool
that
I
showed
you
before.
B
I
would
say
most
people,
though,
are
using
this
ci
wrapper
called
some
grip
agent,
and
so
this
is
a
separate
repository
on
github,
so
just
showing
it
here
and
some
grip
action
is
special
because
it
understands
or
has
like
greater
knowledge
of
git.
So
it's
actually
able
to
you
know,
do
things
like
get
log.
It
can
check
out
previous
commits
it
understands,
dot
get
ignores
it
understands
it
has
its
own,
ignore
file
a.semgrep
ignore.
B
So
if
you
want
to
exclude
vendor
code
as
an
example,
all
of
that
functionality
is
going
to
come
out
of
this
thing
called
sumgrip
action
and
again
it's
published
a
couple
different
ways,
so
you
can
either
install
it
as
a
python
library,
so
you
can
install
it
and
I
would
say
most
people
use
it
as
a
docker
image,
which
is
what
we're
going
to
use
in
just
a
little
bit
here
for
for
jenkins
and
what's
cool
about
this,
so
I'm
not
showing
it
here,
but
there's
a
couple
command
line
arguments
that
you
can
pass
specifically
to
deal
with
branches.
B
Where
I
mentioned
earlier
in
the
presentation,
you
know
shouldn't
be
punished
for
trying
to
add
a
tool
for
security
right,
so
you
shouldn't
have
to
like
fix.
However
many
issues
you
had
in
the
past:
let's
just
get
this
tool
installed
and
kind
of
looking
forward.
B
So
if
you're
running
semgrep
and
some
grip
agent
on
a
pull
request,
you
can
configure
it
so
that
it
will
basically
do
two
scans.
It
scans.
The
latest
commit
on
that
pull
request.
So
the
latest
version
of
the
code,
and
then
it
will
go
back
and
scan
the
base,
commit
of
the
pull
request
and
so
you're
looking
at
okay,
what
is
the
code?
That's
changed
from
when
the
person
you
know
branched
and
started
their
feature
development
to
conclusion
of
their
feature
development.
B
So
when
we
run
those
two
scans,
it
lets
us
look
at
the
results
and
say:
okay.
Well
now
we
know
which
results
are
new.
You
know,
as
of
this
base
commit
and
whatever
is
on
on
head,
so
you
can
then
show
your
basically
the
user.
The
developer
in
this
case
issues
that
they
are
responsible
for,
introducing
not
all
the
stuff
that
came
before
it's
also
faster.
So
if
you
use
some
grip
agent,
it
won't
scan
on
on
pull
requests
so
set
it
up.
B
In
this
stiff
aware
way,
it
won't
scan
the
entire
code
base.
It
will
only
scan
the
files
that
have
changed,
so
you
get
some
interesting
performance
improvements
there
and
because
you're
showing
people
results
that
they
have
introduced
the
likelihood
that
they
fix
those
issues
goes
way
up.
Instead
of
just
showing
them
hey.
There
were
pre-existing
issues.
Please
fix
them.
Well,
it's
not
in
code
that
I
touched.
I
don't
want
to
think
about
it.
B
This
is
actually
code
that
they've
touched
and
so
very
likely
that
they
fix
it,
and
so
we
mentioned
a
couple
of
these
things
here.
I
talked
about
this
baseline
ref.
It's
kind
of
a
key
feature
for
doing
the
diff
aware
scanning
and
is
what
most
people
are
are
doing.
B
So
I
mentioned
that
we
have
an
action
it
gets
published
as
a
docker
image.
Let
me
show
you,
then
what
jenkins
config
looks
like,
so
this
is
a
friend
of
mine
set
up
a
jenkins
file
and
he
has
a
sample
project
that
is
a
known
vulnerable
project
called,
let's
be
bad
guys,
so
things
to
note
we're
running
within
docker
we're
using
the
subgrip
agent
image.
So
most
folks
will
use
this
v1
tag,
which
is
basically
our
stable
tag
or
latest
tag.
B
So
it's
making
sure
that
you
get
the
the
latest
and
greatest
updates
to
some
grep,
but
it's
also
well
tested
and
not
unstable
and
then,
when
it
actually
comes
to
running
running
this,
the
call
that
that
he's
making
is
python
he's
calling
some
grip
agent
and
he's
using
in
a
way
that
is
actually
authenticated
with
the
registry,
and
this
is
so
that
you
could
do
private
rules
or
kind
of
custom
rule
sets.
B
B
This
is
because
so
for
for
dahan
who's.
The
name
of
the
person
who
set
this
up
this
work
is
that
he
gets
slack
notifications,
inline
pr
comments
and
kind
of
like
a
suite
of
other
things
that
are
not
possible
just
with
some
grip
agent,
but
he
actually
has
a
dependency
on
our
external
system
and
these
environment
variables
become
important
for
that.
B
So
just
wanted
to
show
you
that
and
then
in
terms
of
it
being
in
action,
if
I
just
pop
out
so
I've
got
my
jenkins
pipeline
and
there's
a
lot
of
red
because
we're
doing
testing
and
trying
to
trigger
failures.
I
promise,
but
let
me
show
you
what
it
looks
like
when
it
actually
runs
so
the
most
basic
output
that
you
would
get
when
you
use
the
semgrip
agent
is
something
that
looks
basically
looks
like
this.
B
It's
a
little
bit
dense,
but
if
there
are
issues,
you'll
get
printouts
just
directly
in
your
your
build
output,
and
so
here
we
can
see
that
in
this
file,
vulnerable
views,
we
found
a
string
comparison
using,
is
and
there's
some
issues
in
python.
If
you're
doing
string
comparison
with
is
so
we
flagged
that
issue,
and
then
we
also
flagged
an
issue
with
misuse
of
globals
here
and
so
we'll
print
out
a
little
bit
of
what
the
code
is
kind
of
give
the
the
developer
context
and
then
print
out.
B
What's
designed
to
be
a
helpful
actionable
error
message,
so
you
know
kind
of
what
your
next
step
should
be,
and
these
are
rules
that
are
just
coming
from
the
the
registry.
A
B
That
that
is
a
great
question.
So
if
I
go
back
to
the
config-
and
this
is
something
I'll
have
to
confirm
with
with
dahan-
I
actually
don't
see
him
using
the
the
baseline
ref
flag.
So
my
thought
is
on
on
the
basis
of
that.
These
are
actually
the
issues
that
are
in
the
project.
Okay,.
B
Exactly
and
if
I
just
take
a
look
here,
I'm
just
seeing
what
some
of
the
other
folks
have
done,
yeah,
so
I'm
looking
at
different
provider.
So
forgive
me
not
not
jenkins,
but
in
circleci
I
see
here
that
we
actually
are
passing
in
or
the
person
who
contributed.
This
config
is
passing
in
baseline
ref
and
my
understanding
is
that
is
necessary
to
do
the
differential
differential
work
and
there's
been.
I
got
to
say
so.
I
love
the
unix
philosophy
where
you
have
a
tool,
one
tool.
B
It
does
one
thing
well
and
then
people
can
kind
of
mix
and
match,
and
you
know
pipeline
that
that
tool,
so
someone
the
other
day,
wanted
to
scan
on
every
merge
to
main
or
develop
right.
So
they
want
to
run
semgrep
do
a
whole
scan,
but
they
didn't
want
to
scan
all
of
the
code
right.
They
just
want
to
scan
kind
of,
what's
recently
changed,
and
so
I
think
what
they
did
is
they
used
this
baseline
ref
argument
and
they
did
like
you
know,
head
tilde,
tilde,
two,
something
like
that.
B
So
it's
in
git
they
were
trying
to
go
back.
Two
commits
or
three
commits,
and
so
they
were
able
to
actually
not
do
pr
scanning,
but
they
were
doing
scanning
on
main
and
develop
and
they
were
looking
at
relatively
small
change
sets,
and
so
there
were
some
there's
some
cool
benefits
to
that
both
on
speed
and
then
really
old
issues
they
weren't
flagging.
They
were
still
flagging.
You
know
issues
that
had
happened
within
the
last
couple
days,
so
that
was
kind
of
their
their
hack
in
their
workflow,
so
yeah.
B
So
I
think
you'd
want
the
baseline
ref,
which
I
think
is
not
not
in
this
example
right
now
yeah,
so
it's
pretty
pretty
basic
output.
I
think
what
we'll
end
up
doing
we'll
put
a
little
bit
more
time
into
this.
The
feedback
that
I've
gotten
as
we've
been
trying
to
figure
out.
Okay:
what
what
tickets
do
we
want
to
act
on
and
prioritize
as
a
maintainer
group?
B
It
just
turns
out
that
I
think
most
developers
don't
particularly
want
to
go
to
build
out
output
to
find
the
issue
that
they
have
to
fix,
and
so
the
kind
of
number
one
there's
two
two
leading
requests.
One
is
just
give
me
a
comment
on
my
pull
request
and
so
that's
a
feature
that
we
support,
but
you
have
to
unfortunately,
go
through
the
logged
in
version
of
summer
up.dev,
it's
free,
but
you
do
have
to
go
through
it
and
then
the
other
feature
is.
B
I
want
to
just
run
this
stuff
in
my
editor,
and
so
when
I
look
towards
okay,
hey
it's
a
project.
What
are
we
doing
next
is
we're
focusing
on
adding
support
for
jetbrains.
B
So
we're
very
much
performance
success.
The
tool
is
already
very
fast.
It's
very
very,
very
unlikely
that
it's
the
slowest
part
of
your
test
and
build
system.
So
I
think
it
takes
about
a
minute
on
average,
but
we
want
it
to
be
better
and
then
we're
adding
additional
languages.
So
there's
been
a
bunch
of
interest
from
the
community
in
mobile
languages,
so
kotlin
and
swift
turns
out.
Scala
doesn't
have
a
lot
of
really
great
programming
analysis
tools,
so
we
talked
about
scala
and
then
c
sharp
has
been
top
of
mind
recently.
B
Let's
see
what
else
can
I?
What
else
can
I
show
you
all?
I
think
that
is
basically
coming
to
the
end
of
the
prepared
content,
but
would
love
to
answer
any
questions
and
and
click
around.
If
anyone
wants
to
see
more.
A
A
B
Yeah
yeah,
I
can
so
the
registry
right
now,
there's
not
a
internal
variant
of
the
registry,
so
the
registry
code
itself
is
not
basically
not
open
source
we've
talked
about
making
it
source
code
available.
We,
but
still
some
discussion
about
if
the
infrastructure
code
should
be
open,
source
and
openly
licensed
so
feedback.
Welcome
on
that
what
we
have
seen
people
do
is
that
you
can
you
can
download
rules
from
the
the
registry
and
actually
there
are.
B
You
basically
can
curl
and
I'm
happy
to
talk
through
the
end
points,
but
you
can
curl
configuration
endpoints,
and
so
you
can
just
download
the
raw
like
rule
config.
B
So
if
you
wanted
to
set
up
some
kind
of
cron
job
or
something
like
that,
just
to
make
sure
you
have
the
latest
and
greatest,
you
definitely
definitely
within
your
ability,
and
we
support
that
now
on
the
kind
of
like
playground
side.
So
currently,
there's
not
an
internally
hosted
version
of
that
we
have
basically
once
you
kick
over
to
to
no
longer
open
source
but
like
paid
stuff,
there's
an
enterprise
tier
and
that's
like
something
we
could
discuss
for
that.
But
there's
not
something
right.
A
B
That
is
a
great
question,
so
I'm
going
to
refresh
myself
and
I'm
hoping
it
is
in
our
documentation.
B
I
think
it
is
it's
definitely
python
3
and
I'm
looking
for
the
minimum
version,
so
I
will
update
our
docs
so
that
we
definitely
have
the
minimum
version
and
quite
surprised
so
python.
Three,
and
I
am
thinking
it's
three
six,
but
I
forget
offhand.
I
will
add
that
to
the
docs.
A
B
Yeah
and
worst
case,
I
know
that
python
can
be
a
pain
in
the
butt
for
everybody,
which
is
why
we
also
have
have
docker
just
that.
That
seems
to
be
the
the
big
camera
to
bring
out
if
your
python
environment's
not
working.
A
B
Yeah,
so
I
think
the
the
biggest
thing
earlier
I
talked
about
this
idea
of
like
code
guard
rails,
so
I
think
so
static
analysis
generally
gets
this
bad
rap
that
it's
it's
super
noisy,
and
it
tells
me
things
that
maybe
I
should
fix.
Maybe
I
shouldn't
it's
like
sql
injection.
I
brought
that
up
earlier
right.
It's
like
well
does
the
the
piece
of
software
really
understand.
B
You
know
how
you
do
user
input
sanitization
and
all
that
it's
like
that,
probably
doesn't,
and
so,
if
you
you
make
this
switch
to
code
guardrails
and
you
say:
hey
we
just
we
don't
use
raw
sql
here
we
use
an
object,
relational
mapper
that
switch
it's
no
longer
a
like.
Well,
this
might
be
a
problem,
it's
pretty
black
and
white.
It's
like
we
do.
We
do
this
and
we
don't
do
that
and
the
the
response
I
think,
is
that
oh,
this
tool
is
actually
valuable.
It
has.
B
It's
helped
me
because
it's
just
it's
less
like
I
can't
go
and
argue
with
it
as
much.
It's
like.
Oh,
no,
I'm
just
I'm.
I
need
to
follow
our
conventions
as
a
company
or
as
a
as
a
team
we've
agreed
to
this
so
kind
of.
B
I
think
my
big
learning
is
actually
maybe
more
like
the
like
the
psychology
of
static
analysis,
which
is
that
it's
far
more
effective
for
you
to
enforce
the
use
of
specific
frameworks
and
apis,
and
maybe
like
look
for
business
logic
issues
whatever
it
may
be,
that
are
specific
to
your
organization
than
to
have
a
well.
B
This
might
be
a
security
issue,
type
of
check,
and
so
a
lot
of
the
rules
that
that
we've,
written
and
added
to
the
registry
are
of
that
vein,
and
I
think
the
ones
that
we
get
the
most
value
out
of
internally
as
a
company
at
r2c
are
the
ones
that
are
like.
We
just
don't
do
it
this
way.
Here,
here's
what
you
should
be
doing
so
the
perception's,
much
more
positive.
A
B
You
know,
I
think
that
it's
not
the
full
answer
so
like
if
you're
using
static
analysis.
That
does
not
mean
that
your
code
base
is
secure
right.
So
I
think
that's
that's.
My
concern
is
particularly
on
the
I'm
adding
you
know,
static
analysis
for
compliance
and
to
kind
of
get
my
checkbox.
I
think
where
things
start
to
go
potentially
off
the
rails.
B
So
just
because
you
have
stag
analysis
doesn't
mean
you
just
get
to
like
live,
live,
free
and
party
in
your
code
base
all
day
every
day
you
still
have
to
be
thoughtful
about.
What's
the
architecture
of
our
system,
you
know
what
are
the
ramifications
of
how
we're
deploying
it
you
get
into
a
whole
host
of
issues
right
more
around
kind
of
your
deployment,
environment
and
network
configuration
everything
else,
so
I
love
static
analysis
because
it
lets
you
ensure
that
your
foundation
is
solid
right.
B
It
does
help
you
kind
of
at
the
source
address
security
issues,
but
there
are
still
many
other
layers
on
top
of
that,
and
so
you
probably
have
to
complement
with
other
tools
and
then
I'm
a
big
fan
of
find
the
right
tool
for
for
the
job,
and
so
sometimes
rules
are
complicated
enough.
That
some
grip
is
not
the
right
tool
to
try
to
use
you
know.
B
Maybe
you
should
go
with
one
of
those
tools
that
is
more
complicated,
so
in
the
sql
injection
case
right,
if
you
absolutely
have
to
scan
for
sql
injection
and
you
can't
do
paved
road,
you
might
need
a
tool
that
does
this
whole
program
analysis
and
that
you
really
need
to
spend
a
lot
more
time
to
figure
out
how
to
use
and
write
rules
for
some
group's
getting
more
powerful.
So
I
think
that
we
will
get
there,
but
as
of
today,
you
have
to
have
that.
B
Then
I
would
say,
like
this:
isn't
the
right
tool,
because
we
are
what
I
fail
to
mention
is
some
grip
is
fast
in
part
because
it
scans
single
files.
So
it's
not
trying
to
compile
your
entire
program.
It's
looking
at
you
know
individual
files,
and
that
is
particularly
good
for
this
kind
of
code.
Guard
rails
paved
road
approach,
but
it
is
less
good
at
things
like
sql
injection
where's.
B
This
cross
file
as
a
benefit,
though,
if
there's
any
java
users
out
there,
you
don't
have
to
build
your
java
code
in
order
to
use
some
grep.
It
runs
on
just
the
raw
source.
So
you're
you
do
not
have
to
have
a
compilable
project
to
run
simran.
A
So
pretty
so
now
that
there's
a
there's,
a
different
kind
of
question,
so
we've
got
a
new
question
that
just
arrived:
do
you
have
support
or
examples
using
cloud
native,
build
packs
and
and
I'll
I'll
leave
it
to
you
to
infer
the
meaning
of
that?
Is
there?
Is
there
anything
special
around
cloud
native
here.
B
Not
that
I
not
that
I
know
of
that
might
be.
I
see
that
jeff
has.
That
might
be
a
good
question
on
the
community
slack
and
I
think
what
I
found
is
that
a
lot
of
people
have
used
some
grub
in
a
lot
of
different
places,
and
so
it
might
be
a
good,
basically
community
question.
A
Yeah,
so
I
was
envisioning
that
okay.
This
is
because
you've
got
a
docker
image
available,
but
that
docker
image
could
be
executed
in
a
kubernetes
cluster
or
just
as
readily
as
it's
executed
anywhere
else
in
docker.
But
I'm
not
sure
that
that's
that's
really
addressing
the
specific
question
that
he
had
so
yeah.
So
jeff.
B
B
Any
refinement,
yes,
let
us
know
we
can
try
to
answer
well
and.
A
B
One
one
closing
thought
for
everybody
or
two
closing
thoughts,
because
there
were
some
getting
started
questions
earlier.
So
if
you
go
to
semcrep.dev,
that's
probably
the
best
kind
of
portal
and
starting
point,
and
you
can
learn
about
how
to
write
rules,
how
to
download
the
tool
all
that
and
then,
as
a
personal
favor,
I'm
very
curious
how
I
did
so
if,
if
folks
would
mind
filling
out
this
r2cc.dev
survey
link
that
that
helps
me
prepare
for
my.
B
My
next
presentation,
so
would
be
a
great
gift,
and
I
had
mentioned
that
we're
on.
On
slack,
it's
been
a
really
really
powerful
community,
so
those
folks
have
had
questions.
I
feel
like
the
community
is
getting
large
enough
now.
We're
kind
of
you
know
if
you
want
to
do
something
with
jenkins
you're,
probably
not
the
first
person.
B
A
Excellent,
thank
you
luke
thanks
very
much.
So
the
the
request
was
a
slack
invite.
So
I
suspect
we
may
need
the
slack
channel.
B
Identified
there
yeah.
That
is
a
great
question,
so
what
I'm
actually
going
to
do?
Let
me
just
go
to
the
home
page
and
it
is
it's
just
an
open
slack,
so
I'm
just
going
to
scroll
down
the
bottom,
because
I
think
it's
in
the
footer
yeah,
so
there's
actually
just
a
link
to
to
join
slack
here.
It's
also
linked
on
the
projects
readmes
and
you
can
just
click
and
sign
up
right
away.
A
All
right,
I
think
our
general
questions
have
reached
a
pause
point
luke.
If
it's
okay
with
you,
I'm
going
to
go
ahead
and
stop
the
recording
thank
everyone
for
for
participating
thanks
very
much.
We
will
remain
online
after
the
recording
has
stopped
for
at
least
a
period
to
allow
the
those
who
are
in
attendance
to
ask
questions.
A
So
thanks
very
much
again
luke.
This
has
been
a
jenkins
online
meetup.
The
recording
will
be
available
through
the
jenkins
youtube
channel,
it'll
think
about
24
hours,
we'll
also
post
a
link
to
the
recording
in
the
meetup.com.