Semgrep SAST ????????? Cost Optimization ?????????????????????
Semgrep ???????????? open-source SAST (Static Application Security Testing) tool ?????????????????????????????????????????????????????????????????????????????? ?????????????????? 30+ ???????????? ????????? pattern-based matching ?????? vulnerabilities, bugs ????????? code standards ?????????????????????????????? compile code
Cost Optimization ?????????????????? SAST ????????????????????? ????????????????????????????????????????????????????????? direct costs (license fees, infrastructure) ????????? indirect costs (developer time wasted on false positives, slow scans blocking CI/CD) ????????????????????????????????? security coverage ???????????????
???????????????????????? optimize ?????????????????????????????? Commercial SAST tools ????????????????????? ($50,000-500,000/??????), False positives ???????????? developer time 2-4 ?????????????????????/?????????????????????, Slow scans block CI/CD pipelines ?????? developer productivity, Over-scanning ????????? compute resources ?????????????????????????????? Semgrep ??????????????????????????????????????????????????????????????? Open-source core ?????????, ????????????????????? (10-100x ???????????????????????? traditional SAST), Custom rules ?????? false positives, Incremental scanning scan ??????????????? changed files
????????????????????? Semgrep ????????????????????????????????????
Setup Semgrep ?????????????????? cost-effective scanning
# === Cost-Effective Semgrep Setup ===
# 1. Install Semgrep (free, open-source)
pip install semgrep
# 2. Basic scan with free community rules
semgrep --config auto .
# 3. Optimized configuration
cat > .semgrep.yml << 'EOF'
# Selective rule sets (????????????????????? scan ????????? rules)
rules:
# OWASP Top 10 ??? Critical
- id: sql-injection-detection
patterns:
- pattern: |
cursor.execute($QUERY % ...)
- pattern: |
cursor.execute(f"...{$VAR}...")
- pattern: |
cursor.execute("..." + $VAR + "...")
message: "Potential SQL injection: use parameterized queries"
severity: ERROR
languages: [python]
metadata:
owasp: "A03:2021 Injection"
cwe: "CWE-89"
- id: xss-prevention
patterns:
- pattern: |
$RESPONSE.write($INPUT)
- pattern-not: |
$RESPONSE.write(escape($INPUT))
message: "Potential XSS: escape user input before rendering"
severity: WARNING
languages: [python]
metadata:
owasp: "A03:2021 Injection"
cwe: "CWE-79"
- id: hardcoded-secret
patterns:
- pattern: |
$VAR = "...$SECRET..."
- metavariable-regex:
metavariable: $SECRET
regex: "(password|secret|api_key|token)\\s*=\\s*['\"][^'\"]{8,}"
message: "Hardcoded secret detected: use environment variables"
severity: ERROR
languages: [python, javascript, typescript]
metadata:
cwe: "CWE-798"
EOF
# 4. Scan with specific rules only (faster)
semgrep --config .semgrep.yml --include="*.py" --include="*.js" .
# 5. Incremental scan (only changed files)
git diff --name-only HEAD~1 | xargs semgrep --config auto
# 6. Performance optimization
cat > semgrep_optimize.sh << 'BASH'
#!/bin/bash
# Optimized Semgrep scan
# Skip test files and vendor directories
EXCLUDES="--exclude='*_test.go' --exclude='test_*' --exclude='vendor/' --exclude='node_modules/' --exclude='*.min.js'"
# Use specific high-value rules only
RULES="--config=p/owasp-top-ten --config=p/security-audit"
# Limit to relevant languages
INCLUDES="--include='*.py' --include='*.js' --include='*.ts' --include='*.go' --include='*.java'"
# Run with timeout
timeout 300 semgrep $RULES $INCLUDES $EXCLUDES \
--json --output=semgrep-results.json \
--metrics=off \
--max-target-bytes=1000000 \
.
echo "Scan complete: $(cat semgrep-results.json | python3 -c 'import json,sys; d=json.load(sys.stdin); print(len(d.get("results",[])))') findings"
BASH
chmod +x semgrep_optimize.sh
echo "Optimized Semgrep setup complete"Custom Rules ?????? False Positives
??????????????? custom rules ??????????????????????????? ?????? noise
#!/usr/bin/env python3
# rule_optimizer.py ??? Semgrep Rule Optimization
import json
import logging
from typing import Dict, List
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger("optimizer")
class SemgrepRuleOptimizer:
"""Optimize Semgrep rules to reduce false positives"""
def __init__(self):
self.rules_stats = {}
def analyze_results(self, results_file):
"""Analyze scan results for false positive patterns"""
# Simulated analysis
analysis = {
"total_findings": 150,
"by_rule": {
"sql-injection": {"findings": 25, "true_positives": 8, "false_positives": 17, "fp_rate": "68%"},
"xss-detection": {"findings": 30, "true_positives": 12, "false_positives": 18, "fp_rate": "60%"},
"hardcoded-secret": {"findings": 45, "true_positives": 40, "false_positives": 5, "fp_rate": "11%"},
"insecure-hash": {"findings": 20, "true_positives": 18, "false_positives": 2, "fp_rate": "10%"},
"open-redirect": {"findings": 15, "true_positives": 3, "false_positives": 12, "fp_rate": "80%"},
"debug-enabled": {"findings": 15, "true_positives": 14, "false_positives": 1, "fp_rate": "7%"},
},
"recommendations": [],
}
for rule, stats in analysis["by_rule"].items():
fp_rate = stats["false_positives"] / stats["findings"] * 100 if stats["findings"] > 0 else 0
if fp_rate > 50:
analysis["recommendations"].append({
"rule": rule,
"action": "REFINE",
"reason": f"High FP rate ({fp_rate:.0f}%): add pattern-not or taint tracking",
})
elif fp_rate > 30:
analysis["recommendations"].append({
"rule": rule,
"action": "REVIEW",
"reason": f"Moderate FP rate ({fp_rate:.0f}%): review patterns",
})
return analysis
def cost_impact(self, analysis):
"""Calculate cost impact of false positives"""
dev_hourly_rate = 1500 # ?????????/?????????????????????
review_time_per_fp = 0.25 # 15 minutes per false positive
total_fp = sum(r["false_positives"] for r in analysis["by_rule"].values())
total_tp = sum(r["true_positives"] for r in analysis["by_rule"].values())
wasted_hours = total_fp * review_time_per_fp
wasted_cost_monthly = wasted_hours * dev_hourly_rate * 4 # 4 scans/month
return {
"total_findings": analysis["total_findings"],
"true_positives": total_tp,
"false_positives": total_fp,
"fp_rate": f"{total_fp/analysis['total_findings']*100:.1f}%",
"wasted_hours_per_scan": round(wasted_hours, 1),
"wasted_cost_monthly": f"{wasted_cost_monthly:,.0f} ?????????",
"target_fp_rate": "< 20%",
"potential_savings": f"{wasted_cost_monthly * 0.6:,.0f} ?????????/??????????????? (??????????????? FP 60%)",
}
optimizer = SemgrepRuleOptimizer()
analysis = optimizer.analyze_results("results.json")
print("Semgrep Rule Analysis:")
for rule, stats in analysis["by_rule"].items():
print(f" {rule}: {stats['findings']} findings, FP rate: {stats['fp_rate']}")
print(f"\nRecommendations:")
for rec in analysis["recommendations"]:
print(f" [{rec['action']}] {rec['rule']}: {rec['reason']}")
cost = optimizer.cost_impact(analysis)
print(f"\nCost Impact:")
print(f" False Positives: {cost['false_positives']} ({cost['fp_rate']})")
print(f" Wasted time: {cost['wasted_hours_per_scan']} hrs/scan")
print(f" Wasted cost: {cost['wasted_cost_monthly']}/???????????????")
print(f" Potential savings: {cost['potential_savings']}")CI/CD Pipeline ????????? Cost-Effective
?????????????????? pipeline ?????????????????????????????????????????????????????????????????????????????????????????????
# === Cost-Effective CI/CD Pipeline ===
# 1. GitHub Actions with smart scanning
cat > .github/workflows/semgrep.yml << 'EOF'
name: Semgrep Security Scan
on:
pull_request:
branches: [main]
push:
branches: [main]
schedule:
- cron: '0 3 * * 1' # Weekly full scan
jobs:
# Fast incremental scan on PRs (< 2 min)
pr-scan:
if: github.event_name == 'pull_request'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Get changed files
id: changed
run: |
FILES=$(git diff --name-only } -- '*.py' '*.js' '*.ts' '*.go' '*.java')
echo "files=$FILES" >> $GITHUB_OUTPUT
echo "count=$(echo "$FILES" | wc -w)" >> $GITHUB_OUTPUT
- name: Semgrep incremental scan
if: steps.changed.outputs.count > 0
uses: returntocorp/semgrep-action@v1
with:
config: >-
p/owasp-top-ten
p/security-audit
generateSarif: "1"
env:
SEMGREP_RULES: "--include='*.py' --include='*.js' --include='*.ts'"
# Full scan on push to main (< 10 min)
main-scan:
if: github.event_name == 'push'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Semgrep full scan
run: |
pip install semgrep
semgrep --config=p/owasp-top-ten \
--config=p/security-audit \
--config=.semgrep.yml \
--exclude='vendor/' \
--exclude='node_modules/' \
--exclude='*_test.*' \
--json --output=results.json \
--max-target-bytes=1000000 \
.
# Fail only on ERROR severity
ERRORS=$(cat results.json | python3 -c "
import json,sys
d=json.load(sys.stdin)
errors=[r for r in d.get('results',[]) if r.get('extra',{}).get('severity')=='ERROR']
print(len(errors))
")
if [ "$ERRORS" -gt 0 ]; then
echo "::error::$ERRORS critical security findings"
exit 1
fi
# Deep weekly scan (< 30 min)
weekly-scan:
if: github.event_name == 'schedule'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Full deep scan
run: |
pip install semgrep
semgrep --config=auto --json --output=full-results.json .
- name: Upload results
uses: actions/upload-artifact@v4
with:
name: weekly-scan-results
path: full-results.json
EOF
echo "CI/CD pipeline configured"???????????????????????????????????????????????????????????????????????? Tools ????????????
??????????????????????????????????????????????????????????????? SAST tools
#!/usr/bin/env python3
# cost_comparison.py ??? SAST Tool Cost Comparison
import json
import logging
from typing import Dict, List
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger("cost")
class SASTCostComparison:
def __init__(self, team_size=10, repos=20):
self.team_size = team_size
self.repos = repos
def tools(self):
return {
"semgrep_oss": {
"name": "Semgrep OSS (Open Source)",
"license_annual": 0,
"infra_monthly": 0,
"ci_minutes_monthly": 500,
"ci_cost_monthly": 0,
"features": ["SAST", "Custom rules", "30+ languages", "CLI/CI"],
"limitations": ["No dashboard", "No triage", "Community rules only"],
"scan_speed": "Very fast (seconds)",
},
"semgrep_cloud": {
"name": "Semgrep Cloud (Team)",
"license_annual": 0,
"infra_monthly": 0,
"ci_minutes_monthly": 500,
"ci_cost_monthly": 0,
"features": ["Everything in OSS", "Dashboard", "Triage", "Pro rules", "Supply chain"],
"limitations": ["Free for < 10 contributors"],
"note": "Free tier up to 10 contributors",
"scan_speed": "Very fast",
},
"sonarqube_community": {
"name": "SonarQube Community",
"license_annual": 0,
"infra_monthly": 3000,
"ci_minutes_monthly": 1000,
"ci_cost_monthly": 500,
"features": ["Code quality", "Basic security", "Multi-language"],
"limitations": ["Limited security rules", "No branch analysis in free"],
"scan_speed": "Medium (minutes)",
},
"sonarqube_enterprise": {
"name": "SonarQube Enterprise",
"license_annual": 600000,
"infra_monthly": 5000,
"ci_minutes_monthly": 1000,
"ci_cost_monthly": 500,
"features": ["Full security", "OWASP", "Branch analysis", "Portfolio"],
"scan_speed": "Medium",
},
"checkmarx": {
"name": "Checkmarx SAST",
"license_annual": 1500000,
"infra_monthly": 10000,
"ci_minutes_monthly": 2000,
"ci_cost_monthly": 1000,
"features": ["Deep SAST", "Taint analysis", "Compliance", "Enterprise support"],
"scan_speed": "Slow (10-60 minutes)",
},
"snyk_code": {
"name": "Snyk Code",
"license_annual": 180000,
"infra_monthly": 0,
"ci_minutes_monthly": 500,
"ci_cost_monthly": 0,
"features": ["SAST", "SCA", "Container", "IaC", "IDE integration"],
"scan_speed": "Fast (seconds)",
},
}
def annual_cost(self):
"""Calculate total annual cost per tool"""
results = {}
for tool_id, info in self.tools().items():
annual = info["license_annual"] + (info["infra_monthly"] + info.get("ci_cost_monthly", 0)) * 12
results[tool_id] = {
"name": info["name"],
"annual_cost": annual,
"monthly_cost": round(annual / 12),
"per_dev_annual": round(annual / self.team_size),
"scan_speed": info["scan_speed"],
}
return dict(sorted(results.items(), key=lambda x: x[1]["annual_cost"]))
comparison = SASTCostComparison(team_size=10, repos=20)
costs = comparison.annual_cost()
print(f"SAST Cost Comparison (Team: 10 devs, 20 repos):")
for tool_id, info in costs.items():
print(f"\n {info['name']}:")
print(f" Annual: {info['annual_cost']:,} ????????? ({info['monthly_cost']:,}/???????????????)")
print(f" Per dev: {info['per_dev_annual']:,} ?????????/??????")
print(f" Speed: {info['scan_speed']}")Monitoring ????????? ROI Analysis
??????????????? ROI ????????? SAST program
#!/usr/bin/env python3
# roi_analysis.py ??? SAST ROI Analysis
import json
import logging
from typing import Dict, List
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger("roi")
class SASTROIAnalysis:
def __init__(self):
pass
def dashboard(self):
return {
"scan_metrics": {
"total_scans_30d": 240,
"avg_scan_time": "45 seconds",
"total_findings_30d": 85,
"critical_findings": 8,
"fixed_findings": 72,
"fix_rate": "85%",
"mean_time_to_fix": "2.5 days",
},
"cost_savings": {
"vulnerabilities_found_pre_prod": 72,
"estimated_cost_if_found_in_prod": 3600000,
"cost_per_vuln_in_prod": 50000,
"actual_fix_cost_pre_prod": 360000,
"cost_per_vuln_pre_prod": 5000,
"net_savings": 3240000,
"roi_multiplier": "9x",
},
"developer_productivity": {
"avg_scan_time": "45 seconds (???????????????????????? workflow)",
"false_positive_rate": "18% (target < 20%)",
"time_wasted_on_fp_monthly": "8 hours",
"time_saved_vs_manual_review": "40 hours/month",
},
"tool_costs": {
"semgrep_license": "0 ????????? (OSS)",
"ci_compute": "2,000 ?????????/???????????????",
"developer_training": "20,000 ????????? (one-time)",
"total_annual": "44,000 ?????????",
},
}
analysis = SASTROIAnalysis()
dash = analysis.dashboard()
metrics = dash["scan_metrics"]
print(f"SAST Dashboard (30 days):")
print(f" Scans: {metrics['total_scans_30d']}, Avg time: {metrics['avg_scan_time']}")
print(f" Findings: {metrics['total_findings_30d']} ({metrics['critical_findings']} critical)")
print(f" Fix rate: {metrics['fix_rate']}, MTTF: {metrics['mean_time_to_fix']}")
savings = dash["cost_savings"]
print(f"\nCost Savings:")
print(f" Vulns found pre-prod: {savings['vulnerabilities_found_pre_prod']}")
print(f" If found in prod: {savings['estimated_cost_if_found_in_prod']:,} ?????????")
print(f" Actual fix cost: {savings['actual_fix_cost_pre_prod']:,} ?????????")
print(f" Net savings: {savings['net_savings']:,} ????????? (ROI: {savings['roi_multiplier']})")
costs = dash["tool_costs"]
print(f"\nTool Costs: {costs['total_annual']}/??????")
print(f" License: {costs['semgrep_license']}, CI: {costs['ci_compute']}")FAQ ??????????????????????????????????????????
Q: Semgrep OSS ????????? Semgrep Cloud ???????????????????????????????????????????
A: Semgrep OSS ????????? open-source CLI tool ????????? scan ?????????????????????????????? ??????????????? custom rules ????????? ??????????????? dashboard ???????????? parse JSON results ????????? ????????? community rules ???????????????????????? Semgrep Cloud (???????????????????????? Semgrep App) ??????????????? Dashboard ?????????????????? triage ????????? track findings, Pro rules (???????????????????????????????????? community), Supply chain analysis (SCA), Policy management, Team collaboration ??????????????????????????? teams < 10 contributors ??????????????? ??????????????????????????? OSS ???????????? ?????????????????????????????? dashboard/triage ???????????? upgrade ???????????? Cloud (?????????)
Q: ?????? False Positives ??????????????????????
A: ???????????????????????? ??????????????? Custom rules ?????????????????????????????????????????????????????? default rules ????????? pattern-not exclude known safe patterns, ????????? taint tracking (Semgrep Pro) ????????? pattern matching ?????????????????????????????? ?????? FP 50-70%, Exclude test files ????????? vendor code ?????????????????? scan, ????????? nosemgrep comment ?????????????????? known false positives ????????? verified ????????????, Review ????????? tune rules ???????????????????????? ?????? FP rate ????????? rule ????????? FP > 50% ???????????? refine, ????????? severity levels scan ??????????????? ERROR/WARNING ????????????????????? INFO ???????????????????????? FP rate < 20% ??????????????????????????????????????? developers ??????????????????????????? findings
Q: Semgrep ???????????????????????? tools ??????????????????????????????????
A: ???????????? Semgrep ????????? pattern matching ????????? optimized ????????????????????? compile code ?????????????????????????????? Benchmark (codebase 100K lines) Semgrep 10-30 ??????????????????, SonarQube 2-5 ????????????, Checkmarx 10-60 ????????????, Snyk Code 5-15 ?????????????????? ??????????????????????????????????????? ????????????????????? build/compile, Pattern matching ?????????????????? full semantic analysis, Incremental scan (??????????????? changed files), Parallel processing ???????????????????????? ?????????????????????????????? full semantic analysis ????????? miss vulnerabilities ????????????????????? deep taint tracking (Semgrep Pro ?????? taint mode ????????????) ?????????????????? CI/CD ???????????????????????????????????????????????? ????????? scan ????????? developers ?????? skip ???????????? disable
Q: ROI ????????? SAST program ???????????????????????????????
A: ?????????????????? Cost avoidance Vulnerability ??????????????? pre-production ?????????????????????????????? production 10-100 ???????????? (NIST study: $5,000 pre-prod vs $50,000+ in prod), ??????????????? vulnerabilities fixed ???????????? release, Reduction ?????? security incidents, Developer productivity scan ???????????? ???????????????????????? workflow ???????????? ROI = (Cost avoided - Tool cost) / Tool cost ???????????????????????? ?????? 72 vulns/??????????????? ??????????????????????????? prod cost $50K/vuln = 3.6M ?????????, Fix pre-prod cost $5K/vuln = 360K ?????????, Tool cost 44K/??????, ROI = (3.6M - 360K - 44K) / 44K = 72x Metrics ????????????????????? track Findings per scan, Fix rate, Mean time to fix, False positive rate, Scan time, Developer satisfaction
