Application security posture management company Apiiro today has released two open-source tools to help organizations defend against malicious code in their applications. The action comes on the heels of Apiiro’s security research that shows thousands of malicious code instances in repositories and packages.
According to the company, its focus in the research was deep code analysis and analyzing malicious samples for patterns to find ways to defend against malicious code. “Malicious code is one of the most accessible and easy-to-execute attack vectors,” the company wrote in a blog about the research. “The security of dependency managers and source code hosting platforms is still evolving, with large gaps in areas like human-to-digital identity verification, source and release validation, and more. Major security gaps also exist in build systems, artifact managers, and pipeline tools.”
Malicious code is introduced via anti-patterns, the research found, and obfuscated code is a key anti-pattern. A second anti-pattern is naive code execution, under which the code is received as data and executed on the fly, without any opportunity to scan it prior to delivery.
The research found that the introduction of malicious code can be detected a majority of the time using the new open-source tools the company is releasing today. The first is PRevent, which the company described as “an open-source app for scanning pull requests events, notifying you of suspicious code, and offering seamless integration, high configurability, and essential orchestration features.”
The second open-source tool released today is a malicious code detection ruleset to run on Semgrep, which has been forked by Opengrep after the former decided to move its engine onto a proprietary license as that company looks to monetize parts of the project.
Apiiro suggests that the best place to prevent malicious code from entering the codebase is through use of a pre-merge hook, which it explained is “triggered by pull request events via webjooks and managed by strictly permissioned entities.” PRevent can kick off code reviews or even block merges until a scan passes or a reviewer grants approval.
More on Opengrep
The Semgrep project has been around since 2017, and is widely used in the industry. Its two elements are the pattern-matching OSS Engine and OSS Rules, a shared repository of rules created by Semgrep and open for contributions from the community.
In December 2024, Semgrep announced changes to the OSS Engine license, taking it behind a commercial license, in effect removing that critical piece from the open source community. One of the things Semgrep did was to take away JSON and Serif, a format for outputting results from the OSS Engine, according to Varun Badhwar, founder and CEO at Endor Labs, which is one of more than 10 companies that have created the Opengrep fork. “The writing is on the wall to change the name from open source to Community Edition,” he said. “We think the Semgrep OSS Engine is all too important for it to be now in the hands of one company to determine the future.”
Organizations that create open source and then change their licenses – for any number of reasons – it is usually for financial reasons. Ann Schlemmer, CEO at open source database company Percona, said that “By doing so, they’re breaking the community’s trust and undermining what open source is meant to be.”
“What I would rather see is people being as clear as they can,” she added. “If you believe in your project that you’ve done, and you also want to continue to add value, then be unapologetic about going open core, or deciding what you are going to give to the community under that open source license, and then what you are going to hold back. Your IP is your IP, but if you put something out under an open source license, it’s very well defined. It’s kind of everybody’s IP at that point.”
Badhwar noted that the companies behind the Opengrep fork are only temporary stewards of the project. “We have very clearly committed publicly that we are just as an interim [group] organizing this long term. We want to hand this over to a foundation to run.” He said the companies have not yet determined which foundation would be most appropriate, but added, “We have already collectively come together and invested in hiring full-time engineers to work on this engine. Our goal is to bring back, at the very least, everything that Semgrep took away in December’s announcement, but more importantly, put in even more investment on performance, on compatibility with Windows, for example, with removing some of the restrictions on multi-file analysis that it has in the open source edition.”
Schlemmer thinks this move to put open-source projects into foundations is going to be a trend. “If companies have a very popular open source project that is widely used, and then they decide they want to change their license — again, monetary reasons, no apologies for somebody making money off of what they’ve put out – running to the foundations, I think, is a way to make sure that we maintain trust in open source, and also have a sustainability of a really popular project.”