How to write and continuously test vulnerability detection rules for SAST

Sept. 8, 2021, 6:44 p.m.
In summer 2021, the Vulnerability Research and Static Analysis teams launched a Google Summer of Code (GSoC) project: Write vulnerability detection rules for SAST. For this project, we built and implemented a framework to help transition GitLab away from our current SAST tools over to Semgrep. Semgrep is a multi-language SAST tool that is gaining popularity in CI/CD environments. Before replacing an analyzer with the corresponding Semgrep configuration (called a ruleset), we need to ensure...
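Semgrep rules are conventionally tested by annotating a sample source file: a `# ruleid: <id>` comment marks the next line as an expected finding and `# ok: <id>` marks the next line as an expected non-finding, and `semgrep --test` compares the rule's matches against those annotations. The block below is an added example, not code from the GitLab project or the GSoC framework described in this post: it re-implements that comparison so it can run in CI against `semgrep --json` output. The rule id `python-subprocess-shell-true`, the annotated test source and the findings are all constructed for illustration, and the assumed JSON shape (`check_id` and `start.line` per result) is that of Semgrep's `--json` output.

```python
"""Check Semgrep findings against ruleid/ok annotations in a rule test file."""
import re

# Matches Semgrep's test annotations, e.g. "# ruleid: my-rule" or "# ok: my-rule".
ANNOTATION = re.compile(r"#\s*(ruleid|todoruleid|ok|todook):\s*([\w.-]+)")

# Constructed test file in Semgrep's annotation convention (not from the post).
TEST_SOURCE = """\
import subprocess

def run(cmd):
    # ruleid: python-subprocess-shell-true
    subprocess.call(cmd, shell=True)

def run_safe(args):
    # ok: python-subprocess-shell-true
    subprocess.call(args)
"""


def expected_lines(source, rule_id):
    """Return (expected_hits, expected_misses) as sets of 1-based line numbers.

    Each annotation refers to the line immediately following it, which is the
    convention `semgrep --test` uses.
    """
    hits, misses = set(), set()
    for index, line in enumerate(source.splitlines()):
        match = ANNOTATION.search(line)
        if not match or match.group(2) != rule_id:
            continue
        target = index + 2  # 1-based number of the line after the annotation
        if match.group(1) in ("ruleid", "todoruleid"):
            hits.add(target)
        else:
            misses.add(target)
    return hits, misses


def findings_from_semgrep_json(doc):
    """Reduce a parsed `semgrep --json` document to (check_id, start_line) pairs.

    Assumed result shape: {"results": [{"check_id": ..., "start": {"line": ...}}]}.
    """
    return [(r["check_id"], r["start"]["line"]) for r in doc.get("results", [])]


def check_rule(source, rule_id, findings):
    """Compare findings with the annotations in `source` for one rule.

    `findings` is an iterable of (check_id, start_line). Semgrep prefixes ids
    with the rule file's path when loading from a directory, so a suffix match
    on the id is accepted. All three result lists empty means the rule passes.
    """
    hits, misses = expected_lines(source, rule_id)
    actual = {
        line for cid, line in findings
        if cid == rule_id or cid.endswith("." + rule_id)
    }
    return {
        "missed": sorted(hits - actual),            # annotated, but not reported
        "unexpected": sorted(actual - hits),        # reported, but not annotated
        "false_positives": sorted(actual & misses), # reported on an `ok` line
    }


if __name__ == "__main__":
    # Constructed stand-in for `semgrep --json --config rule.yml test.py` output.
    sample_json = {
        "results": [
            {"check_id": "rules.python-subprocess-shell-true",
             "path": "test.py", "start": {"line": 5, "col": 5, "offset": 0}},
        ]
    }
    findings = findings_from_semgrep_json(sample_json)
    print(check_rule(TEST_SOURCE, "python-subprocess-shell-true", findings))
```

In a pipeline this runs after `semgrep --json`, and any non-empty `missed`, `unexpected` or `false_positives` list fails the job, which is what keeps a ruleset honest as both the rules and the sample code evolve. `semgrep --test` performs the same comparison natively; the value of a hand-rolled check is that it can be pointed at the same findings a production scan produced, rather than a separate test run.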