In the fast-paced world of security engineering, identifying and mitigating vulnerabilities across multiple code repositories can be a challenging and involved task. Traditional Static Application Security Testing (SAST) approaches have their merits, but they often fall short when it comes to understanding the broader landscape of potential threats lurking within our code.

The Challenge of Scale

Consider a scenario where you are dealing with a huge number of code projects, each contributing to a larger system. How do you ensure that all these projects align with the security standards defined by your organization? Conventional SAST methods might be effective on a per-project basis, but the real challenge arises when you need a holistic view of your entire codebase.

The Pitfalls of Distributed Scanning Limitations

While distributed scanning is a powerful concept, practical constraints may prevent its seamless implementation. When dealing with sensitive code or compliance requirements, performing scans across distributed environments might not be feasible or could introduce unacceptable security risks.

Enter Explorative Searches

To address these challenges, we delve into the realm of what I like to call explorative searches. Imagine having the ability to ask dynamic questions about your codebase:

  • How many repositories are deserializing data in an unsafe manner?
  • What common bug classes persist across multiple projects?
  • Which endpoints do not enforce authentication?

This shift from a singular focus on individual vulnerabilities to a broader exploration of codebase security allows us to eliminate entire bug classes at scale.

Introducing Oracle: Your Sentry in Code Security

Oracle is not just a tool; it’s a guardian of code integrity. Designed to address the challenges posed by securing vast code landscapes, Oracle empowers security engineers with the ability to conduct explorative searches almost seamlessly. While Oracle is almost as simple as it gets, standing on the shulders of giants, Github actions and Semgrep, it offers a simple solution to a problem that we as security engineers are often faced with when we are presented with a bug in one of our services: Is this the only place we have this bug?

How Oracle Works

At its core, Oracle takes a list of repositories and a set of Semgrep rules as its arsenal. The repositories serve as the battleground, and the Semgrep rules act as the vigilant guardians, seeking out potential vulnerabilities.

The Power of Comprehensive Scans

What sets Oracle apart is its capacity for thorough exploration. It doesn’t just identify isolated vulnerabilities; it investigates entire bug classes, providing a panoramic view of your codebase’s security posture. With Oracle, you can ask complex questions about your code and receive actionable insights.

Customizable and Adaptable

Each codebase is unique. Hence, it offers flexibility by allowing you to tailor Semgrep rules to the specific needs of your projects. This adaptability ensures that Oracle aligns perfectly with your security requirements.

Take a look at https://semgrep.io for more information about how to write Semgrep rules.

Why Oracle Matters

In a world where security is of the utmost importance, Oracle emerges as an ally for security engineers aiming to fortify codebases at scale. Whether you’re dealing with a handful of repositories or an expansive code ecosystem, Oracle stands ready to unveil hidden threats and eliminate vulnerabilities systematically.

Get inspired

At https://github.com/hoeg/oracle you can find my simple implementation that enables me to scan multiple repositories on demand. I suspect that this is something others would like to have the possibility to do as well.