This repository contains Semgrep rules that detect dynamic code execution and obfuscation, the patterns found in most malicious-code incidents reported to date. Only rules with low false-positive rates and a strong correlation with malicious code are included.
Supported languages: Bash, Clojure, C#, Dart, Go, Java, JavaScript, TypeScript, Lua, PHP, Python, Ruby, Rust, Scala
- Install Semgrep (Opengrep or any other Semgrep fork can also be used):

```bash
pip install semgrep
```
- Clone this repository:

```bash
git clone https://github.com/apiiro/malicious-code-ruleset.git
```
- Run Semgrep with the following command (Semgrep loads the rules matching the file extensions of the code being scanned):

```bash
semgrep --config ./malicious-code-ruleset
```
This ruleset was developed for integration with any CI/CD pipeline, enabling detection at any stage. To monitor pull requests in real time with this ruleset, enforce policies and trigger workflows, check out Apiiro's PRevent.
The rules are designed to run on comment-free code. Because PRevent already strips comments before scanning, comment-filtering patterns were left out of the rules for performance, to avoid redundant processing. If you run the rules elsewhere and want to avoid matches inside comments, add such patterns to the rules yourself.
A typical flow (this is also how PRevent handles the Semgrep scan):
- Selecting a relevant scanning target (e.g. an updated file).
- Filtering out the irrelevant parts (e.g. removing comments).
- Writing the result to a temporary file.
- Scanning the temporary file.
- Removing the temporary file when done.
If you are I/O bound before you are CPU bound, and comment removal is your only preprocessing step, consider adding comment filtering to your rules instead of going through temporary files.
Contributions to improve the ruleset are welcome, via pull requests or issues, with new patterns (after comprehensive testing) or suggestions.
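The flow above, implemented end to end for a Python target as an added example (this is not code from the ruleset or from PRevent): it strips comments with Python's own tokenizer so that a `#` inside a string literal survives, writes the result to a temporary file that keeps the `.py` extension (so Semgrep selects the rules for that language), runs Semgrep with this ruleset, and deletes the temporary file afterwards. The ruleset location `./malicious-code-ruleset`, the sample source and the helper names are assumptions; files in other languages need their own comment stripper.

```python
"""Temp-file scanning flow: strip comments, scan with Semgrep, clean up."""
import io
import json
import os
import subprocess
import tempfile
import tokenize

# Assumption: the ruleset was cloned into the working directory.
RULESET_DIR = "./malicious-code-ruleset"

# Constructed sample: the '#' inside the string must survive,
# both real comments must go, and exec() must remain visible to Semgrep.
SAMPLE_SOURCE = (
    '# header comment\n'
    'payload = "#!/bin/sh"  # trailing comment\n'
    'exec(payload)\n'
)


def strip_python_comments(source: str) -> str:
    """Remove '#' comments from Python source using the real tokenizer.

    A regex that drops everything after '#' would also mangle string
    literals such as "#!/bin/sh"; the tokenizer knows the difference.
    """
    tokens = [
        tok
        for tok in tokenize.generate_tokens(io.StringIO(source).readline)
        if tok.type != tokenize.COMMENT
    ]
    # untokenize keeps every token at its original row/column, so removed
    # comments leave trailing spaces behind; trim them line by line.
    text = tokenize.untokenize(tokens)
    return "\n".join(line.rstrip() for line in text.splitlines()) + "\n"


def scan_with_ruleset(path: str, ruleset_dir: str = RULESET_DIR) -> dict:
    """Run the five-step flow on one updated file; return Semgrep's JSON."""
    # 1. Select the target (this helper only handles Python files).
    if not path.endswith(".py"):
        raise ValueError("only Python files are supported by this stripper")
    with open(path, encoding="utf-8") as fh:
        source = fh.read()
    # 2. Filter out the irrelevant parts (comments).
    cleaned = strip_python_comments(source)
    # 3. Write the result to a temp file; keep the extension so Semgrep
    #    loads the rules for that language.
    fd, tmp_path = tempfile.mkstemp(suffix=".py")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(cleaned)
        # 4. Scan it. Semgrep exits non-zero when it has findings, so do
        #    not treat a non-zero status as a crash (check=False).
        proc = subprocess.run(
            ["semgrep", "--config", ruleset_dir, "--json", tmp_path],
            capture_output=True, text=True, check=False,
        )
        data = json.loads(proc.stdout)
        # Findings refer to the temp file; map them back to the real path.
        for finding in data.get("results", []):
            finding["path"] = path
        return data
    finally:
        # 5. Remove the temp file when done, even if Semgrep failed.
        os.unlink(tmp_path)


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        for finding in scan_with_ruleset(target).get("results", []):
            print(finding["check_id"], finding["path"], finding["start"]["line"])
```

Because comment tokens are dropped but every other token keeps its row, line numbers in Semgrep's findings still match the original file, which is what you want when annotating a pull request.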
This repository is licensed under the MIT License.
For more information, see:
https://apiiro.com/blog/guard-your-codebase-practical-steps-and-tools-to-prevent-malicious-code/