Semgrep's Fall 2021 Updates
Blog post from Semgrep
Semgrep 0.70 introduces several enhancements: taint-sanitizer-sink rules for improved data-flow-based scanning, the ability to parse Terraform files for broader infrastructure-as-code coverage, and the --config=auto feature, which automatically selects appropriate Semgrep Registry rules based on a project's language and frameworks.

The tool, known for its fast, open-source static analysis, now offers taint mode for smarter security scanning. A taint rule declares where untrusted data enters (sources), which functions neutralize it (sanitizers) and where it must not arrive unsanitized (sinks), making it easier to prevent vulnerabilities like SQL injection or XSS.

Semgrep has also advanced its Terraform support by learning to parse HCL files, enhancing its ability to detect complex issues such as privilege escalation in AWS.

The --config=auto feature streamlines configuration by automatically identifying inventory patterns in a codebase and selecting the relevant rules, minimizing manual configuration effort.

Performance improvements achieve a 5x speedup on large repositories, and the Semgrep App now offers new functionality such as organization-wide configuration and integration with Jira for enhanced usability. These updates reflect Semgrep's commitment to evolving the tool to support a wide range of technologies and use cases.
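As an added illustration of the taint-sanitizer-sink rules described above (this is an example written for this post, not a rule from Semgrep's own registry), the following rule flags a Flask request parameter that reaches a raw `cursor.execute` query without passing through a sanitizer. The source and sink patterns target the Flask `request` object and the DB-API `execute` call; the sanitizer, `escape_sql_literal`, is a hypothetical helper assumed to exist in the scanned code base.

```yaml
rules:
  - id: example-flask-sqli-taint
    mode: taint
    languages: [python]
    severity: ERROR
    message: >-
      User-controlled request data flows into a raw SQL query string.
      Pass values as query parameters instead of formatting them into SQL.
    # Sources: values read from the incoming HTTP request (Flask's request object).
    pattern-sources:
      - pattern: request.args.get(...)
      - pattern: request.form.get(...)
      - pattern: request.args[...]
    # Sanitizers: a hypothetical helper assumed to escape a value for safe
    # inclusion in SQL. Data that passes through it is no longer tainted.
    pattern-sanitizers:
      - pattern: escape_sql_literal(...)
    # Sinks: only the query-string argument of cursor.execute is a sink;
    # the bound-parameter tuple is intentionally not matched, so
    # cursor.execute("... WHERE id = %s", (user_id,)) does not fire.
    pattern-sinks:
      - patterns:
          - pattern-inside: $CURSOR.execute($QUERY, ...)
          - pattern: $QUERY
```

Run it with `semgrep --config example-flask-sqli-taint.yaml .`; a line such as `cursor.execute("SELECT * FROM users WHERE name = '%s'" % request.args.get("name"))` is reported, while `cursor.execute("SELECT * FROM users WHERE name = %s", (request.args.get("name"),))` and `cursor.execute(escape_sql_literal(request.args.get("name")))` are not. Keeping the sink focused on `$QUERY` rather than on the whole `execute(...)` call is what prevents false positives on correctly parameterised queries. The same rule file can sit beside registry rules chosen by `--config=auto` by passing multiple `--config` arguments.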