A day in the life: Supply Chain Security Researcher
Blog post from Semgrep
A day in the life of a Semgrep Security Researcher on the Software Supply Chain Team involves evaluating security vulnerabilities in open-source software packages and writing Semgrep rules that help users prioritize fixing the issues that matter. Researchers use reachability analysis to determine whether a vulnerability actually affects a codebase, alongside measures such as CVSS scores to assess severity. The team ranks vulnerabilities by parameters such as severity and impact on customers, combining manual review with data science to extend coverage.

Writing a Semgrep rule has three phases: analyzing the vulnerability, constructing the rule syntax, and testing the rule for accuracy. The process requires a deep understanding of the vulnerability, illustrated by contrasting well-documented advisories with those that lack detail. Researchers aim to flag the specific vulnerable functions while avoiding both false positives and false negatives, which for Python rules means matching on fully qualified function names for precision.

Semgrep researchers also engage with the community through feedback channels and are preparing for their 2025 Summer Internship Program.
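As an added illustration of the fully-qualified-name approach described above (example written for this page, not a rule from the Semgrep post or the Semgrep rule registry), the rule below flags calls to a hypothetical vulnerable function `vulnlib.parse_config`; the package name, function name and advisory link are placeholders.

```yaml
# Added example, not from the Semgrep post. `vulnlib.parse_config` is a
# HYPOTHETICAL vulnerable function used to show the rule shape.
#
# Matching on the fully qualified name lets Semgrep resolve imports and
# aliases, so all of these calls in a scanned Python file are flagged:
#     import vulnlib;                            vulnlib.parse_config(data)
#     from vulnlib import parse_config;          parse_config(data)
#     from vulnlib import parse_config as pc;    pc(data)
# while a locally defined helper with the same short name is not:
#     def parse_config(d): ...;                  parse_config(data)
rules:
  - id: vulnlib-parse-config-vulnerable-call
    languages: [python]
    severity: WARNING
    message: >-
      Call to vulnlib.parse_config() (hypothetical vulnerable function).
      Upgrade vulnlib to a patched release or ensure the input passed here
      is not attacker-controlled.
    metadata:
      category: security
      subcategory: [vuln]
      # Placeholder: the real advisory identifier and link would go here.
      references:
        - https://example.invalid/advisory/PLACEHOLDER
      confidence: HIGH
    patterns:
      # The vulnerable entry point, written with its fully qualified name
      # so short-name collisions with unrelated code do not produce findings.
      - pattern: vulnlib.parse_config($SRC, ...)
      # Calls on a hard-coded string literal cannot carry untrusted input;
      # excluding them removes a common source of false positives.
      - pattern-not: vulnlib.parse_config("...", ...)
```

The rule can be exercised with `semgrep --config rule.yaml target.py`, or checked with Semgrep's built-in test runner by annotating a companion `target.py` with `# ruleid:` and `# ok:` comments on the lines above.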