Update 2025-2-24-AutoGrep-Automated-Generation-and-Filtering-of-Semgrep-Rules-from-Vulnerability-Patches.md

Author: codelion

_posts/2025-2-24-AutoGrep-Automated-Generation-and-Filtering-of-Semgrep-Rules-from-Vulnerability-Patches.md

@@ -2,7 +2,11 @@
 layout: post
 title: "Autogrep: Automated Generation and Filtering of Semgrep Rules from Vulnerability Patches"
 ---
-Static Analysis Security Testing (SAST) tools are essential for modern secure software development, yet the maintenance and creation of high-quality detection rules remain challenging and resource-intensive. This paper presents Autogrep, an automated system for generating and filtering security rules for static analysis tools. Motivated by recent licensing changes in the Semgrep ecosystem, Autogrep addresses the critical need for maintaining and expanding permissively licensed security rules. By leveraging Large Language Models (LLMs) and a multi-stage filtering pipeline, Autogrep transforms vulnerability patches into precise, generalizable security rules while eliminating duplicates and overly specific patterns. Our evaluation demonstrates that Autogrep can process 39,931 vulnerability patches to generate 645 high-quality, reusable security rules across 20 programming languages. The system achieves an effective balance between coverage and precision, with the filtering pipeline removing 71.15% of overly specific rules and 10.75% of duplicates. We provide detailed analysis of the rule generation process, quality metrics, and validation methodology, establishing Autogrep as a viable approach for automating security rule creation at scale.
+Static Analysis Security Testing (SAST) tools are essential for modern secure software development, yet the maintenance and creation of high-quality detection rules remain challenging and resource-intensive. This paper presents Autogrep, an automated system for generating and filtering security rules for static analysis tools. Motivated by recent licensing changes in the Semgrep ecosystem, Autogrep addresses the critical need for maintaining and expanding permissively licensed security rules. By leveraging Large Language Models (LLMs) and a multi-stage filtering pipeline, Autogrep transforms vulnerability patches into precise, generalizable security rules while eliminating duplicates and overly specific patterns. 
+
+![Autogrep flow](../images/autogrep-flow-chart.png)
+
+Our evaluation demonstrates that Autogrep can process 39,931 vulnerability patches to generate 645 high-quality, reusable security rules across 20 programming languages. The system achieves an effective balance between coverage and precision, with the filtering pipeline removing 71.15% of overly specific rules and 10.75% of duplicates. We provide detailed analysis of the rule generation process, quality metrics, and validation methodology, establishing Autogrep as a viable approach for automating security rule creation at scale.
 
 ## 1. Introduction
 
@@ -745,10 +749,10 @@ As static analysis continues to play a critical role in securing software develo
 
 [6] Li, X., Wang, W., Zhang, X., & Wang, H. (2020). SWAN: A static analysis system for detecting security vulnerabilities in web applications. In USENIX Security Symposium.
 
-[7] Semgrep Project. https://github.com/semgrep/semgrep
+[7] [Semgrep Project](https://github.com/semgrep/semgrep)
 
-[8] OpenGrep Project. https://github.com/opengrep/opengrep
+[8] [OpenGrep Project](https://github.com/opengrep/opengrep)
 
-[9] Patched Codes Semgrep Rules. https://github.com/patched-codes/semgrep-rules
+[9] [Patched Codes Semgrep Rules](https://github.com/patched-codes/semgrep-rules)
 
-[10] MoreFixes Dataset. https://zenodo.org/records/13983082
+[10] [MoreFixes Dataset](https://zenodo.org/records/13983082)