Custom Semgrep Rules for Business Logic Vulnerabilities
Technical Deep Dive
Standard SAST tools are good at finding common injection vulnerabilities (SQLi, XSS), but they struggle with business logic vulnerabilities. For example, checking whether a user may access a specific resource ID requires understanding the application's authorization framework, which a generic tool does not have.
The Problem
We noticed a pattern of IDOR (Insecure Direct Object Reference) vulnerabilities during manual code reviews that our commercial SAST suite was not flagging.
The Solution: Custom Semgrep Rules
Semgrep let us write patterns that flag calls into our proprietary framework which are not protected by the expected decorator or check call. The rule below is the simplest form: any query($ID) call that is not syntactically inside a with_tenant_scope(...) call is reported.
rules:
  - id: missing-tenant-isolation-check
    patterns:
      # Match every query(...) call with a single argument bound to $ID.
      - pattern: |
          query($ID)
      # Drop matches that already sit inside a tenant-scope wrapper call.
      - pattern-not-inside: |
          with_tenant_scope(...)
    message: "Potential multi-tenancy bypass detected. Always wrap queries in a tenant scope."
    languages: [python]
    severity: ERROR
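The following is an added example, not code from the original post or from the framework it describes. It is a small Python model of the calling convention the rule encodes: because the rule only accepts a query($ID) call that sits syntactically inside with_tenant_scope(...), the tenant scope here is a wrapper that takes a callable rather than a context manager. The record table, tenant ids, and every function name other than query and with_tenant_scope are constructed for illustration; the runtime behaviour (fail closed outside a scope, filter by owner inside one) is the complement a reviewer would want next to the static check, since the rule alone cannot tell whether query() actually enforces the scope.

```python
# Added example (not code from the original post or its framework): a minimal
# Python model of the tenant-scope convention the Semgrep rule encodes.
# All names, the record table and the tenant ids are constructed for this example.
from contextvars import ContextVar
from typing import Callable, Dict, Optional, Tuple, TypeVar

T = TypeVar("T")

# Constructed sample table: resource id -> (owning tenant, payload).
RECORDS: Dict[int, Tuple[str, str]] = {
    101: ("tenant-a", "invoice for tenant A"),
    202: ("tenant-b", "invoice for tenant B"),
}

# Tenant bound to the current request/call chain; None means no scope is active.
_current_tenant: ContextVar[Optional[str]] = ContextVar("current_tenant", default=None)


class TenantScopeError(RuntimeError):
    """query() was called with no tenant scope active."""


def with_tenant_scope(tenant_id: str, action: Callable[[], T]) -> T:
    """Run `action` with `tenant_id` bound as the active tenant, then unbind it."""
    token = _current_tenant.set(tenant_id)
    try:
        return action()
    finally:
        _current_tenant.reset(token)


def lookup_raw(resource_id: int) -> Optional[str]:
    """Base lookup by id alone: returns any tenant's row. This is the IDOR shape."""
    row = RECORDS.get(resource_id)
    return row[1] if row else None


def query(resource_id: int) -> Optional[str]:
    """Tenant-aware lookup: fails closed outside a scope, filters by owner inside one."""
    tenant = _current_tenant.get()
    if tenant is None:
        raise TenantScopeError("query() called outside with_tenant_scope()")
    row = RECORDS.get(resource_id)
    if row is None or row[0] != tenant:
        # Same answer for "does not exist" and "belongs to another tenant",
        # so a caller learns nothing about other tenants' ids.
        return None
    return row[1]


def fetch_invoice(tenant_id: str, resource_id: int) -> Optional[str]:
    """The shape the rule accepts: query($ID) inside with_tenant_scope(...)."""
    return with_tenant_scope(tenant_id, lambda: query(resource_id))


def fetch_invoice_unscoped(resource_id: int) -> Optional[str]:
    """The shape the rule flags: a bare query($ID). At runtime it fails closed."""
    return query(resource_id)


def unscoped_call_fails_closed() -> bool:
    """True if the flagged call shape is refused at runtime as well."""
    try:
        fetch_invoice_unscoped(101)
    except TenantScopeError:
        return True
    return False


if __name__ == "__main__":
    print("raw lookup leaks tenant B's row:", lookup_raw(202))
    print("tenant A, own record:", fetch_invoice("tenant-a", 101))
    print("tenant A, tenant B's record:", fetch_invoice("tenant-a", 202))
    print("bare query() refused:", unscoped_call_fails_closed())
```

Running the rule over this file reports the query() call inside fetch_invoice_unscoped and stays silent on fetch_invoice, which is exactly the split the runtime guard reproduces: the scoped call returns tenant A's own invoice and None for tenant B's, while the bare call raises instead of returning a cross-tenant row.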
Results
Integrating the rules into our CI/CD pipeline means they run on every PR, so a known bad pattern is blocked before it can reach production.
The Context
A growing microservices codebase exposed recurring business-logic flaws (IDOR, multi-tenancy bypass) that standard SAST tools consistently missed because they lack domain context.
The Approach
Analyzed 3 months of bug-bar review findings to identify recurring defect patterns. Authored 30+ custom Semgrep YAML rules targeting proprietary framework patterns. Integrated the rules into GitHub Actions as a blocking PR check, with triage dashboards for the findings.
The Impact
Reduced time-to-detect logic-layer vulnerabilities by 60%. Blocked 12 critical findings in the first sprint post-deployment across 50+ repositories.