SecTools Podcast – Episode #20
Conversations with Isaac Evans about semgrep - a lightweight, offline, open-source, static code analysis tool.
Isaac Evans is the leader of r2c (https://r2c.dev/), a small startup working on giving security tools directly to developers. Previously, he conducted research into binary exploitation bypasses for techniques like control-flow integrity and novel hardware defenses on new architectures like RISC-V as a researcher at the US Defense Department under a SFS program and at MIT Lincoln Laboratory. Isaac received his BS/MS degrees in EECS from MIT. Other interests include next-generation programming languages, secure-by-design frameworks, software-defined radio, and the intersection of cryptography and public policy.
Simply match function calls
The pattern exec(…) matches exec() called with any arguments or across multiple lines - but not the string “exec” in comments or hard-coded strings, because it’s aware of the code structure.
Match function arguments
requests.get(..., verify=False, ...) matches requests.get(url, timeout=3, verify=False)
- Source code: https://github.com/returntocorp/semgrep
- Test in your browser: https://semgrep.live/
- Twitter @0xine