Erin Browning
Erin Browning is a computer security researcher. She has worked at Latacora as a senior engineer and HCSC as a red team member. Currently, she works at Slack in product security. She teamed up with @fbz to create the cryptography scarf puzzle for Hushcon 2019.
Sessions
Static analysis can be expensive, time consuming, full of false positives, a pain in the rear to manage across multiple languages, and not very configurable. But no more! At Slack, we’ve designed a static analysis program that uses one free, highly configurable tool to scan over 60 different codebases in six languages, and it has saved us over $700,000 annually. Semgrep, an open source static analysis engine, uses highly configurable rules. Tuning these rules to our specific environment saves developer time while providing useful guard rails against dangerous code patterns. We’ve been able to reduce false positives by over 80%, and we’ve removed rules that don’t apply in our environment. Adding a new codebase to our scanning pipeline adds almost no overhead: we merely add one line to a file to enable the scans, then review the new results. Implementing our program this way has allowed us to meet our compliance requirements while providing a useful, low overhead static analysis program.
We will demo tuning static analysis rules to specific environments. Attendees will need to download Semgrep beforehand; it is the static analysis engine our program is built on. We have tuned our rules extensively, which has greatly reduced our false positive rate.