
Apiiro unveils free scanner to detect malicious code merges


Security researchers at Apiiro have released two free, open-source tools designed to detect and block malicious code before it is merged into software projects, with the aim of curbing software supply chain attacks.

The two tools are a comprehensive ruleset for Semgrep and Opengrep, designed to detect malicious code patterns with minimal false positives, and PRevent, a GitHub-integrated scanner that detects and alerts on suspicious code in pull requests (PRs).

According to Apiiro security researcher Matan Giladi, the tools have a minimal false positive rate, which makes them particularly valuable in real-world use.

Specifically, the detection accuracy of the ruleset for PyPI packages is 94.3%, while it drops to the still impressive 88.4% for npm packages. PRevent successfully flags malicious PRs in 91.5% of the examined cases.

Figure: Detection test results (Source: Apiiro)

Catching malicious code

Apiiro's malicious code detection strategy is based on identifying "code anti-patterns," which are suspicious patterns in code that demonstrate behaviors that are rare in legitimate code but common in malware.

The detection system uses static analysis, meaning it examines code without executing it, keeping the environment safe from accidental infections.
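To make the "anti-pattern" idea concrete, here is a small static scanner written for this article as an added example; it is not Apiiro's ruleset, nor PRevent, and it does not claim to reproduce any of their rules. Because the article's own list of anti-patterns is cut off on this page, the example assumes one widely discussed pattern: a decoding or decompression call (such as `base64.b64decode`) whose result is fed straight into `exec`/`eval` or an OS command. Decoding data is normal in legitimate code; decoding data and then executing it is rare in legitimate code and common in malware, which is exactly the asymmetry a static rule exploits. The scanner parses Python with the standard `ast` module and never executes the sample, mirroring the static-analysis point made above. The two sample sources, the `PAYLOAD` string and the rule names are all constructed for this example.

```python
"""Toy static anti-pattern detector (constructed example, not Apiiro's ruleset)."""
from __future__ import annotations

import ast
from dataclasses import dataclass

# Built-in sinks that turn a string into executable Python code.
EXEC_SINKS = {"exec", "eval", "compile"}
# Library sinks that turn a string into an OS command.
CMD_SINKS = {("os", "system"), ("subprocess", "Popen"), ("subprocess", "run")}
# Decoding/decompression helpers frequently used to hide an obfuscated payload.
DECODE_FUNCS = {
    ("base64", "b64decode"),
    ("base64", "b32decode"),
    ("bytes", "fromhex"),
    ("zlib", "decompress"),
    ("codecs", "decode"),
}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    line: int
    message: str


def _qualified_name(func: ast.expr) -> tuple[str, str] | None:
    """Return ('module', 'attr') for calls shaped like module.attr(...), else None."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return (func.value.id, func.attr)
    return None


def _contains_decode_call(node: ast.AST) -> bool:
    """True if any call inside `node` (including `node` itself) is a decode helper."""
    return any(
        isinstance(sub, ast.Call) and _qualified_name(sub.func) in DECODE_FUNCS
        for sub in ast.walk(node)
    )


def scan_source(source: str, filename: str = "<constructed>") -> list[Finding]:
    """Statically scan Python source; the code is parsed, never run."""
    tree = ast.parse(source, filename=filename)
    findings: list[Finding] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        # Only a decoded value flowing into a sink is flagged; decoding alone is fine.
        if not any(_contains_decode_call(arg) for arg in node.args):
            continue
        if isinstance(node.func, ast.Name) and node.func.id in EXEC_SINKS:
            findings.append(Finding(
                "exec-of-decoded-payload", node.lineno,
                f"{node.func.id}() receives a decoded/decompressed payload"))
        elif _qualified_name(node.func) in CMD_SINKS:
            mod, attr = _qualified_name(node.func)
            findings.append(Finding(
                "command-from-decoded-payload", node.lineno,
                f"{mod}.{attr}() receives a decoded/decompressed payload"))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample: legitimate use of base64 (decode a config blob, parse as JSON).
BENIGN = '''\
import base64
import json

def load_config(blob):
    return json.loads(base64.b64decode(blob))
'''

# Constructed sample: the decoded bytes are executed and run as a shell command.
SUSPICIOUS = '''\
import base64
import os

PAYLOAD = "QUJD"  # constructed placeholder; the scanner never decodes it

def run():
    exec(base64.b64decode(PAYLOAD))
    os.system(base64.b64decode(PAYLOAD).decode())
'''


def scan_samples() -> dict[str, list[Finding]]:
    """Run the rule over both constructed samples and return findings per sample."""
    return {"benign": scan_source(BENIGN), "suspicious": scan_source(SUSPICIOUS)}


if __name__ == "__main__":
    for name, found in scan_samples().items():
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print(f"  line {f.line}: [{f.rule_id}] {f.message}")
```

Running it reports no findings for the benign sample and two for the suspicious one (lines 7 and 8 of that sample). A production ruleset would add many more sink and source shapes, handle aliased imports (`import base64 as b`) and cross-statement data flow, but the core design choice is the one the article describes: match on a combination of behaviours that legitimate code almost never exhibits, so that the rule stays quiet on ordinary decoding and only fires on the decode-then-execute shape.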

These anti-patterns include:
