Semgrep Avantages et Inconvénients

The Semgrep supply chain is a boon for application and product security teams. Backed by the already solid Semgrep engine, it can quickly surface vulnerabilities that are *actually* vulnerabilities and materially improves our security and risk management. It feels like it gave me new superpowers. I would recommend this to any security team, along with the base product. Most importantly, the r2c engineers and support team are first-rate. They are incredibly supportive and responsive, and I felt like their most important customer every step of the way. Avis collecté par et hébergé sur G2.com.

There are very few downsides I can think of, but one that comes to mind is the ability to extend or templatize existing rules. The base rules and rulesets are good but may produce false positives without customization. I would love the ability for Semgrep to offer a way to further customize rules and layer on specificity that increase accuracy. Avis collecté par et hébergé sur G2.com.

The customization helps teams shift left. I can create my own rules to avoid false positives and decide which rules block vs. comment vs. just monitor. This helps keep the noise down, makes it easy for software developers to fix findings immediately, and block vulnerabilities from production. Avis collecté par et hébergé sur G2.com.

I can't run different rulesets at different times. I'd like the ability to run a certain subset of rules in a CI/CD pipeline to block from deploying high-fidelity findings from production; while also running a larger set of best practices and lower-fidelity rules in a separate pipeline to help us with training and fixing less concerning issues that are more complex as tech debt. Avis collecté par et hébergé sur G2.com.

Custom rules and being able to fork + modify the existing rules make Semgrep a lot more valuable as a SAST tool. For certain rules, a couple of additional "pattern-not"s have reduced our false-positive rate by as much as 30%. That kind of thing is easy in Semgrep and pretty much impossible with all other SAST tools I've used. Many other providers claim that you don't need that capability with their tools; because they have teams of people who already improve their false-positive rate. In reality, I've found Semgrep's approach works much better to cut down on spurious results. Avis collecté par et hébergé sur G2.com.

Semgrep App is still noticeably immature. There are many minor bugs around the editor, creating private rules, and the rule board. I haven't found any without some sort of workaround thus far, and R2C's support team is extremely responsive. On balance, the upsides of centralizing your rule management and having a single pane of glass to view all findings are worth the sometimes buggy UI and lacking features (such as the inability to delete rules published via the CLI). Avis collecté par et hébergé sur G2.com.

Easy to add custom rules (e.g. by using the online rule editor). Also, Semgrep App has some nice, convenient features (like private rule repository). Avis collecté par et hébergé sur G2.com.

Most of the paid Semgrep features can be worked around with the open source version (e.g. using a private git repository to store private rules), so I am not 100% sure the Semgrep Team license and the whole Semgrep App are mature enough to justify the price tag.

Also, we ran into many bugs since we started to roll it out within the organization. The good news is that Semgrep Support is responsive (although with 9 hours time zone diff); the bad news is that I require their help constantly since I find 1-2 new bugs every week. Avis collecté par et hébergé sur G2.com.

Semgrep est rapide et nous permet d'écrire des règles supplémentaires très facilement. Cela le rend très efficace, et il y a un support pour de nombreuses langues. Le tableau de bord est convivial et il est facile de rechercher les résultats signalés. Avis collecté par et hébergé sur G2.com.

Semgrep ne montre pas de corrélation avec plusieurs fichiers. Par exemple, si une entrée n'est pas filtrée et est reflétée sur une autre page où elle serait rendue, il serait difficile de l'identifier dans Semgrep. Avoir un moyen de corrélation entre plusieurs fichiers serait formidable. Avis collecté par et hébergé sur G2.com.

C'est très facile à utiliser et ne gêne pas. La capacité de créer des règles personnalisées et d'ignorer facilement les règles existantes rend cet outil remarquable par rapport à tous les autres outils d'analyse statique que j'ai utilisés jusqu'à présent. Avis collecté par et hébergé sur G2.com.

Honnêtement, il n'y a pas grand-chose que je n'aime pas. Peut-être que ce serait bien d'avoir des boutons interagissant directement avec les commentaires github ? Avis collecté par et hébergé sur G2.com.

Useful for tracking the open vulnerabilities, repository wise, until they're closed. I find the ability to create custom vulnerability config manually to be very useful, to extend the functionality beyond the vulnerabilities that could be picked up by existing available config templates. Avis collecté par et hébergé sur G2.com.

I think the findings could be improved. There's a limit to what static analysis tools can dig out from the code, and probably it's the limitation of technology itself, rather than semgrep. Avis collecté par et hébergé sur G2.com.

Very easy to use, no matter which language you are using. Unlike more legacy static code analysis tools, there is no need to spend a lot of time learning rule types and syntaxes; new rules can be spun up and tested very quickly. Also, results are of high quality. Avis collecté par et hébergé sur G2.com.

Community support is not as developed as they are pretty new. The breadth of rules and integrations is not as extensive as some other tools. However, this is improving rapidly and the rules that are present have much lesser false positives. Avis collecté par et hébergé sur G2.com.

Semgrep's powerful rule language and engine blends usability with flexibility. Developers being able to write their own rules in Semgrep without knowing exactly how Semgrep works has helped us scale our deployment. Avis collecté par et hébergé sur G2.com.

Without fine-tuning, Semgrep (like any SAST) can be pretty noisy. I know they've been working on surfacing developer feedback to rule writers and maintainers, but I still wish there was a more scalable way to reduce noise (e.g. rule change suggestions based on where developers report false positives). Avis collecté par et hébergé sur G2.com.

We were sold on the idea that Semgrep was Python based and detections were community driven. While still providing us with the ability to write custom detections. Avis collecté par et hébergé sur G2.com.

Nothing in particular. If anything, I'd like Semgrep to add GitHub Dependabot / Snyk like features so we can manage more controls around our source code through a single vendor. The latest Supply Chain feature is a new addition. Avis collecté par et hébergé sur G2.com.