Isaac Evans talks about semgrep - a lightweight, offline, open-source, static code analysis tool.

SecTools Episode 20 with Isaac Evans

Isaac Evans
Posted on Jul 5, 2020

Isaac Evans is the leader of r2c, a small startup working on giving security tools directly to developers. Previously, he conducted research into binary exploitation bypasses for techniques like control-flow integrity and novel hardware defenses on new architectures like RISC-V as a researcher at the US Defense Department under an SFS program and at MIT Lincoln Laboratory. Isaac received his BS/MS degrees in EECS from MIT. Other interests include next-generation programming languages, secure-by-design frameworks, software-defined radio, and the intersection of cryptography and public policy.

Simply match function calls

The pattern exec(...) matches any call to exec(), with any arguments (or none) and even when the call is spread across multiple lines. It does not match the word "exec" inside comments or string literals, because semgrep matches against the parsed code structure rather than the raw text, which is exactly where a grep for "exec(" produces noise.

Match function arguments

The pattern requests.get(..., verify=False, ...) matches the call
requests.get(url, timeout=3, verify=False)
because each ... absorbs any other arguments before or after verify=False, so the keyword is found regardless of its position in the argument list.
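To make the difference between text search and structural search concrete, here is an added example (not semgrep's code and not from the episode) that runs the two patterns above over a small constructed Python file using the standard-library ast module. The sample source, the helper names and the simplified matching logic are all assumptions made for this illustration; semgrep's real pattern engine is far more general.

```python
import ast
import re

# Constructed sample target written for this example. It contains the cases
# the page describes: exec() with arguments, an exec() call split across
# lines, the word "exec" in a comment and in a string literal, and
# requests.get() with verify=False sitting among other arguments.
SAMPLE_SOURCE = '''
import requests

def run(cmd):
    # never exec("rm -rf /") in production
    banner = "use exec() with care"
    exec(cmd)
    exec(
        cmd,
        {"__builtins__": {}},
    )

def fetch(url):
    requests.get(url, timeout=3, verify=False)
    requests.get(url, verify=True)
    requests.get(url)
'''


def grep_matches(source, func_name):
    """Plain text search: every line containing `func_name(`, including the
    comment and the string literal, is reported. This is the noise a grep
    based review has to wade through."""
    pattern = re.compile(r"\b" + re.escape(func_name) + r"\(")
    return [lineno for lineno, line in enumerate(source.splitlines(), 1)
            if pattern.search(line)]


def _dotted_name(node):
    """Return 'requests.get' for a Name/Attribute chain, or None otherwise."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def find_calls(source, func_name, keywords=None):
    """Structural search: a simplified stand-in (assumption, not semgrep's
    implementation) for the patterns `func_name(...)` and
    `func_name(..., k=v, ...)`.

    Returns the line numbers of call expressions whose callee is func_name
    and, when keywords is given, whose keyword arguments include every
    (name, constant value) pair regardless of argument position. Comments
    and string literals are never visited because they are not call nodes."""
    keywords = keywords or {}
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or _dotted_name(node.func) != func_name:
            continue
        given = {kw.arg: kw.value for kw in node.keywords if kw.arg is not None}
        if all(name in given
               and isinstance(given[name], ast.Constant)
               and given[name].value is value
               for name, value in keywords.items()):
            hits.append(node.lineno)
    return sorted(hits)


if __name__ == "__main__":
    print("grep 'exec(' lines:", grep_matches(SAMPLE_SOURCE, "exec"))
    print("exec(...) lines:", find_calls(SAMPLE_SOURCE, "exec"))
    print("requests.get(..., verify=False, ...) lines:",
          find_calls(SAMPLE_SOURCE, "requests.get", {"verify": False}))
```

Running it shows the text search flagging the comment and the string literal as well as the two real calls, while the structural search reports only the two exec() calls (including the multi-line one) and only the single requests.get() call that actually disables certificate verification. The equivalent check with the real tool is a one-liner using semgrep's own -e and -l flags, for example semgrep -e 'requests.get(..., verify=False, ...)' -l python on the target directory.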

Supported languages at the time of this episode: Python, JavaScript, Go, Java, with more coming.

Other Episodes

SecTools Episode 01 with Michael Boelen

SecTools Episode 04 with Ryan Dewhurst

SecTools Episode 02 with Didier Stevens