{"id":28560718,"url":"https://github.com/fullstorydev/semgrep-rules","last_synced_at":"2025-06-10T09:38:13.298Z","repository":{"id":264573688,"uuid":"870299820","full_name":"fullstorydev/semgrep-rules","owner":"fullstorydev","description":null,"archived":false,"fork":false,"pushed_at":"2025-05-20T05:23:42.000Z","size":30,"stargazers_count":7,"open_issues_count":1,"forks_count":0,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-05-20T06:28:17.683Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fullstorydev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-10-09T19:39:40.000Z","updated_at":"2025-04-15T01:41:03.000Z","dependencies_parsed_at":null,"dependency_job_id":"44146f11-dc75-46ec-a364-a81f86ddbfff","html_url":"https://github.com/fullstorydev/semgrep-rules","commit_stats":null,"previous_names":["fullstorydev/semgrep-rules"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fullstorydev%2Fsemgrep-rules","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fullstorydev%2Fsemgrep-rules/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fullstorydev%2Fsemgrep-rules/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fullstorydev%2Fsemgrep-rules/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fullstorydev","do
wnload_url":"https://codeload.github.com/fullstorydev/semgrep-rules/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fullstorydev%2Fsemgrep-rules/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":259049885,"owners_count":22798053,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-06-10T09:37:53.763Z","updated_at":"2025-06-10T09:38:13.259Z","avatar_url":"https://github.com/fullstorydev.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# fs-semgrep-rules\nAt Fullstory, we leverage Semgrep as a core tool in our security engineering efforts to detect potential issues in our codebase. This involves not only optimizing existing rules but also developing new ones to identify code patterns that could lead to security vulnerabilities.\n\nWhile many of the rules we create are tailored to our internal codebase, we also develop rules that are broadly applicable to a wide range of projects. 
The rules shared in this repository are designed to address common code patterns and potential vulnerabilities that are relevant to many codebases.\n\nWe are continually refining these rules and adding new ones to improve their effectiveness in finding code bugs that could result in security flaws.\n\n_Note:_ The setup of this repository was in part inspired by other semgrep repos to which we have contributed in the past, including [Semgrep's own repo of rules](https://github.com/semgrep/semgrep-rules) as well as [Trail of Bits' Semgrep repo](https://github.com/trailofbits/semgrep-rules).\n\n### Running the rules\n\nFrom your terminal, navigate to the directory containing the code you want to analyze, then run the following command:\n\n```bash\n$ semgrep -f /path/to/fs/semgrep-rules\n```\n\n### Testing\n\nYou can run tests locally with:\n\n```bash\nsemgrep --test --test-ignore-todo --metrics=off\n```\n\nTo test a specific file:\n\n```bash\nsemgrep --test --test-ignore-todo --metrics=off --config ./go/iterate-over-empty-map.yaml ./go/iterate-over-empty-map.go\n```\n\n## Rules\n\n### go\n\n| ID | Impact | Confidence | Description |\n| -- | :----: | :--------: | ----------- |\n| [concurrent-writes-iteration](go/concurrent-writes-iteration.yaml) | 🟧 | 🌗 | Concurrent writes to and iteration over a map will result in a panic |\n| [creds-from-jwtconfig](go/creds-from-jwtconfig.yaml) | 🟧 | 🌘 | Using JWT configuration from JSON rather than using service accounts could lead to exposed credentials in code and other insecure key management practices |\n| [defer-in-loop](go/defer-in-loop.yaml) | 🟩 | 🌗 | Resource leak due to improper use of `defer` |\n| [gcs-path-traversal](go/gcs-path-traversal.yaml) | 🟧 | 🌗 | A GCS file path was found to be crafted from user input, which could lead to path traversal within a bucket |\n| [insecure-dir-creation](go/insecure-dir-creation.yaml) | 🟧 | 🌘 | Insecure handling of file and directory writes |\n| [missing-close-on-file](go/missing-close-on-file.yaml) | 
🟩 | 🌗 | Handling of open file descriptors |\n| [missing-defer-http](go/missing-defer-http.yaml) | 🟩 | 🌗 | Handling of HTTP response bodies |\n| [text-template-unsafe-html](go/text-template-unsafe-html.yaml) | 🟥 | 🌘 | Detected unsafe rendering of HTML content using text/template |\n\n\n### optimizations\n\n| ID | Impact | Confidence | Description |\n| -- | :----: | :--------: | ----------- |\n| [math-random-used](optimizations/math-random-used.yaml) | 🟧 | 🌗 | Finds likely cases where `math/rand` may be used insecurely. For the optimization, we exclude functions like `Shuffle` which are rarely used cryptographically","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffullstorydev%2Fsemgrep-rules","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffullstorydev%2Fsemgrep-rules","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffullstorydev%2Fsemgrep-rules/lists"}