https://appsec.fyi/tools.html#semgrep Curated semgrep resources from appsec.fyi en-us Sun, 07 Jun 2026 04:05:35 +0000 carl@chs.us (Carl Sampson) https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/ https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/ Semgrep rule for detecting compromised GitHub Actions, specifically targeting `tj-actions/changed-files` and `reviewdog/action-setup@v1`. This action, `tj-actions/changed-files`, was previously compromised and may have leaked secrets. The rule helps identify usages of these actions within CI pipelines, enabling prompt remediation and security audits. Users can run this rule locally or within the Semgrep AppSec Platform in blocking mode to prevent further compromise. semgrep news Thu, 16 Apr 2026 21:04:58 +0000 https://semgrep.dev/docs/learn/vulnerabilities/insecure-deserialization/python https://semgrep.dev/docs/learn/vulnerabilities/insecure-deserialization/python Library for detecting insecure deserialization vulnerabilities in Python code, focusing on the dangers of libraries like `pickle`, `dill`, `jsonpickle`, and `shelve` when processing untrusted input. It highlights how these libraries can lead to remote code execution and provides examples of exploitation, including a demonstration with `pickle.dumps` and `os.system`. The library's rules identify data flow from untrusted sources to sensitive deserialization functions, offering practical recommendations to avoid risks such as avoiding `pickle` for untrusted data, using safer alternatives like JSON or `PyYAML`'s `safe_load`, and integrating Semgrep scans into CI pipelines. Specific mitigations for Django, NumPy, and PyTorch are also mentioned. semgrep intermediate Fri, 03 Apr 2026 15:56:33 +0000 https://semgrep.dev/s/chegg:log4j2_tainted_argument?mc_cid=6b70dd5f33&mc_eid=45008603ab https://semgrep.dev/s/chegg:log4j2_tainted_argument?mc_cid=6b70dd5f33&mc_eid=45008603ab Semgrep semgrep beginner Mon, 13 Dec 2021 16:12:00 +0000