
Beyond Benchmarks: How Semgrep Redefines Javascript Security

Blog post from Semgrep

Post Details
Company: Semgrep
Date Published:
Author: Milan Williams
Word Count: 589
Language: English
Hacker News Points: -
Summary

Semgrep's new JavaScript and TypeScript analysis focuses on real-world code to identify nuanced, context-specific vulnerabilities, providing engine-level support for over 50 popular frameworks and libraries such as Express, NestJS, React, and Angular. This approach emphasizes embedding security into daily development workflows rather than relying solely on traditional benchmarks, which often fail to capture the complexities of modern applications. Led by Senior Security Researcher Vasilii Ermilov, Semgrep's initiative has uncovered critical vulnerabilities in open-source projects by addressing OWASP Top Ten vulnerabilities for server-side JavaScript and focusing on client-side issues like DOM XSS and privacy concerns. The evaluation process involves scanning numerous open-source repositories and manually triaging findings to ensure accurate language coverage, boasting a benchmark true positive rate of 63% before AI processing. The upcoming webinar on March 5th will offer a live demo of real vulnerabilities, showcasing how Semgrep's methodology can improve security practices.