Conversation with Isaac Evans about semgrep - a lightweight, offline, open-source, static code analysis tool.

Isaac Evans is the leader of r2c (https://r2c.dev/), a small startup working on giving security tools directly to developers. Previously, he conducted research into binary exploitation bypasses for techniques like control-flow integrity and novel hardware defenses on new architectures like RISC-V as a researcher at the US Defense Department under a SFS program and at MIT Lincoln Laboratory. Isaac received his BS/MS degrees in EECS from MIT. Other interests include next-generation programming languages, secure-by-design frameworks, software-defined radio, and the intersection of cryptography and public policy.

Simply match function calls

The pattern exec(…) matches exec() called with any arguments or across multiple lines - but not the string “exec” in comments or hard-coded strings, because it’s aware of the code structure.

Match function arguments

requests.get(..., verify=False, ...) matches
requests.get(url, timeout=3, verify=False)

Supported languages: Python, JavaScript, Golang, Java, more coming.

• Source code: https://github.com/returntocorp/semgrep
• Test in your browser: https://semgrep.live/
• Twitter @0xine