Now here are two tools I wish I were more experienced with: Semgrep and Jupyter. Beyond this cool article from NCC, I’m interested to hear from anyone who uses either one of these tools. How did you get started, what do you do with them, etc…

  • himazawa
    1 year ago

    I used Semgrep in the past. My team is still evaluating which SAST tool to use as a standard internally, but we are mostly oriented toward CodeQL.

    • shellsharks (OP)
      1 year ago

      What do you like about CodeQL? Haven’t used that yet either.

      • himazawa
        1 year ago

        Report quality (fewer FPs) compared to Semgrep, Snyk and SonarCloud, but a killer feature for me is that you get the call paths, so you can see when and how a vulnerable dependency is called. Pretty useful on big codebases.