Apiiro unveils free scanner to detect malicious code merges

Published on: 2025-11-18 00:04:40

Security researchers at Apiiro have released two free, open-source tools designed to detect and block malicious code before it is added to software projects, with the goal of curbing supply chain attacks. The two tools are a comprehensive ruleset for Semgrep and Opengrep, designed to detect malicious code patterns with minimal false positives, and PRevent, a GitHub-integrated scanner that detects and alerts on suspicious code in pull requests (PRs). According to Apiiro security researcher Matan Giladi, the tools have a minimal false positive rate, making them particularly valuable in real-world practice. Specifically, the detection accuracy of the ruleset for PyPI packages is 94.3%, while it drops to a still impressive 88.4% for npm packages. PRevent successfully flags malicious PRs in 91.5% of the examined cases.

[Figure: Detection test results. Source: Apiiro]

Catching malicious code

Apiiro's malicious code detection strategy is based on identifying "code anti-patterns," which are s ...