You want to ship new features quickly, but you also want your code to be robust. And fast. And secure. This can be tough to do within one team, let alone companies with many teams and hundreds to thousands of developers.
In this workshop, we’ll do a deep dive into Semgrep, an open source, lightweight static analysis tool that works like a Swiss Army Knife for finding bad code. Semgrep supports 15+ programming languages, infrastructure as code (e.g. Terraform), YAML and more. Learn once, use everywhere. It can scan millions of lines of code in minutes, and it ships with over 1,600 open source rules covering the OWASP Top 10 and other security vulnerabilities, along with performance, correctness and robustness checks.
The workshop will primarily be hands-on exercises, including:
- How to start continuously scanning every pull request in CI in minutes.
- How to automate the repetitive parts of code review: automate the comments you always make to free up your time for higher impact work. Automate your company’s internal code review guidelines.
- Best practices in rolling out continuous code scanning - what to focus on, what to ignore, and how to maintain high development velocity without sacrificing security.
- How to use this scanning to enforce secure defaults across your org, or prevent variants of known vulnerabilities or bugs from re-entering your code.
- How to write custom Semgrep rules - find anti-patterns and enforce security best practices unique to your organization.
- Advanced mode: we’ll also show how Semgrep can be used for a variety of purposes - alerting you whenever a new route is added (new attack surface), when new dependencies are added or Dockerfiles are modified (detect potential supply chain risk), or when generally sensitive files are modified, such as core authorization logic or secret management.
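To make the custom-rule and attack-surface topics above concrete, here is an added example rule file (written for this page; it is not workshop material or part of the Semgrep rule registry). It assumes a Python code base that uses Flask; the rule ids, messages and the `$APP`/`$FUNC` metavariable names are the author's own choices. The first rule enforces a secure default by flagging `subprocess` calls that pass `shell=True`; the second flags every newly added `@app.route(...)` handler so a reviewer is alerted whenever the HTTP attack surface grows.

```yaml
# semgrep-rules.yml: example custom rules (constructed for illustration)
rules:
  # Secure default: never spawn a shell from subprocess. The "..." on either
  # side of shell=True lets the pattern match regardless of other arguments,
  # and $FUNC matches run/call/Popen/check_output alike.
  - id: python-subprocess-shell-true
    languages: [python]
    severity: ERROR
    message: >-
      subprocess.$FUNC is invoked with shell=True, which enables command
      injection if any argument is attacker-influenced. Pass an argument
      list and drop shell=True.
    pattern: subprocess.$FUNC(..., shell=True, ...)

  # Attack surface: flag any function decorated with a Flask route so the
  # reviewer checks authentication and authorization on the new endpoint.
  # Severity INFO keeps this from failing CI; it surfaces as a PR comment.
  - id: python-flask-new-route
    languages: [python]
    severity: INFO
    message: >-
      New HTTP route handler '$FUNC' adds attack surface; confirm it
      enforces authentication and authorization before merging.
    pattern: |
      @$APP.route(...)
      def $FUNC(...):
        ...
```

Run it locally with `semgrep --config semgrep-rules.yml .`; in CI, running the same command against only the changed files in a pull request is what turns the INFO-level route rule into the "new attack surface" alert described in the last bullet rather than a repeat finding on every existing endpoint.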
You’ll leave this workshop with the knowledge, skills, and tools to immediately start improving your company’s code quality and security at scale.