🛠️ = user, 🤖 = Lab

- 🤖 Before: fork the vulnerable repo
- Set the Semgrep repo secret
- 🤖 Set up semgrep.yml
- 🤖 Issue a PR with X == X and watch it fail
- 🛠️ Change the code to 3 = 5 or something else and have it succeed
- 🛠️ Walk briefly through Semgrep App: what it does, where things are
- Intro to the ellipsis operator: block eval(...)
- Intro to metavar
- Warn on new route - audit only
- Create owasp_devslop community Slack channel - point webhook there
- Audit @csrf_exempt or other authn/authz
- XSS
- < write some custom rule and add it to policy >
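A worked rule file for the ellipsis, metavariable, route-audit and @csrf_exempt steps above, added here as an example and not part of the original lab materials. It assumes the vulnerable repo is Python, that routes are registered Flask-style with `@app.route`, and that the CSRF opt-out is Django's `@csrf_exempt` decorator; the rule ids and messages are made up for this example.

```yaml
rules:
  # Ellipsis operator: `...` matches any argument list, so every call to
  # eval() is flagged regardless of what is passed in. ERROR severity is the
  # one that fails the PR when the rule is in the blocking policy.
  - id: devslop-block-eval
    languages: [python]
    severity: ERROR
    message: eval() executes arbitrary code; parse the expected input format instead.
    pattern: eval(...)

  # Metavariable: $PATH captures the route string and is echoed in the
  # message. INFO severity makes this audit-only, so a new route is surfaced
  # for review in the Semgrep App without blocking the change.
  - id: devslop-new-route-audit
    languages: [python]
    severity: INFO
    message: New route registered at $PATH; confirm it has the intended authn/authz.
    pattern: |
      @app.route($PATH, ...)
      def $FUNC(...):
        ...

  # Audit any view that opts out of CSRF protection. $FUNC names the view so
  # the reviewer can find it without opening the diff.
  - id: devslop-csrf-exempt-audit
    languages: [python]
    severity: WARNING
    message: $FUNC is marked @csrf_exempt; confirm it does not accept state-changing requests from browsers.
    pattern: |
      @csrf_exempt
      def $FUNC(...):
        ...
```

Run it locally with `semgrep --config rules.yml .` before adding the rules to the policy. Semgrep's own test convention (a file of the same name with `# ruleid: devslop-block-eval` above lines that should match and `# ok: devslop-block-eval` above lines that should not, run with `semgrep --test`) is the quickest way to confirm the 3 = 5 style change no longer matches while a real `eval(request.args["q"])` still does.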