   ______                ____
  / ____/_______  ____  / __ )__  ______ ______
 / / __/ ___/ _ \/ __ \/ __  / / / / __ `/ ___/
/ /_/ / /  /  __/ /_/ / /_/ / /_/ / /_/ (__  )
\____/_/   \___/ .___/_____/\__,_/\__, /____/
              /_/                /____/
grep all the bugs!

Using regular expressions to find bugs in source code is a very rudimentary method. Results will tend to be noisy (many false positives). So why bother with this approach when there are more advanced scanners that can find bugs more reliably?
  • It is still a great aid for code reviewers: it helps to quickly locate areas of interest in code.
  • It's cheaper than commercial scanners, which can also be noisy when not tuned properly.
  • It's better than not looking for security bugs in code at all.
  • Developers can use this to become better educated on potential security bugs.
  • It's fun! And a good challenge to develop effective regular expressions.
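As an added illustration (not code from the GrepBugs project, and not its rule set), a minimal rule-driven scanner in Python run over constructed sample files. It shows the trade-off described above: two true positives, a false positive from a rule matching inside a comment (which a crude comment filter removes), and a miss where the tainted value reaches the sink through a variable on another line. The rule names and regexes are assumed examples.

```python
import re

# Constructed sample rules in the style of grep-based bug hunting; these are
# illustrative, not the GrepBugs rules published at grebugs.com/rules.
RULES = [
    ("C: unbounded string copy", re.compile(r"\bstrcpy\s*\(")),
    ("C: format string taken from a variable",
     re.compile(r"\bprintf\s*\(\s*[A-Za-z_]\w*\s*\)")),
    ("PHP: shell command built from request input",
     re.compile(r"\b(system|exec|shell_exec)\s*\(.*\$_(GET|POST|REQUEST)\b")),
]

# Constructed sample sources (file name -> contents) used as scan input.
SAMPLE_FILES = {
    "copy.c": (
        "#include <string.h>\n"
        "// TODO: replace strcpy(dst, src) with a bounded copy\n"  # false positive
        "void copy(char *dst, const char *src) {\n"
        "    strcpy(dst, src);\n"                                   # true positive
        "    printf(src);\n"                                        # true positive
        "}\n"
    ),
    "index.php": (
        "<?php\n"
        "system(\"ls\");\n"                         # constant command: no match
        "$cmd = \"ping \" . $_GET['host'];\n"
        "system($cmd);\n"                           # missed: input flows via $cmd
        "system(\"ping \" . $_GET['host']);\n"      # matched: sink and source on one line
    ),
}

def is_comment_line(line):
    # Crude heuristic: the line's first token is a comment marker. The '#'
    # case also skips C preprocessor lines, which is harmless for these rules.
    return line.lstrip().startswith(("//", "/*", "*", "#"))

def scan_files(files, rules, skip_comments=True):
    """Apply every rule to every line; return (path, line, rule, text) tuples."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            if skip_comments and is_comment_line(line):
                continue
            for name, pattern in rules:
                if pattern.search(line):
                    findings.append((path, lineno, name, line.strip()))
    return findings
```

Running `scan_files(SAMPLE_FILES, RULES)` reports copy.c lines 4 and 5 and index.php line 5; with `skip_comments=False` the comment on copy.c line 2 is reported as well, while `system($cmd)` is never found because the regex only sees one line at a time.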


download all the greps
https://grebugs.com/rules

scan utilities

GrepBugs
- https://github.com/foospidy/GrepBugs

GitGrepBugs
- https://github.com/foospidy/GitGrepBugs

Also see GrepBugs plugins.

Screen capture of GrepBugs scanning hundreds of open source projects


Other utilities (these tools don't use GrepBugs rules)
Visual Code Grepper
- http://sourceforge.net/projects/visualcodegrepp/
Graudit
- https://github.com/wireghoul/graudit/
Flawfinder
- http://www.dwheeler.com/flawfinder/
Others
- https://github.com/phpstan/phpstan
- https://github.com/lafkuku/GREP.Net
- http://www.dwheeler.com/flawfinder/#othertools
- https://www.owasp.org/index.php/Static_Code_Analysis#Tools
- http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html
- http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
- https://fuzzing-project.org/
- https://scan.coverity.com/projects (free for open source projects)
- https://www.hpfod.com/open-source-review-project (free for open source projects)
- https://www.codewatch.org/
online regex tools

http://regexpal.com/
http://www.regexr.com/
https://regex101.com/
