Summary: Security researchers at Apiiro have released two free, open-source tools for detecting and blocking malicious code in software projects, aimed at stopping software supply chain attacks. The first is a ruleset for Semgrep and Opengrep that the company reports has a low false-positive rate; the second is PRevent, a GitHub-integrated scanner that flags suspicious code in pull requests (PRs). Both rely on static analysis to spot "code anti-patterns" characteristic of malicious code, so that an injected payload is caught before it is merged or executed in a build or developer environment rather than after it has run.
Affected: Software development organizations and systems
Keypoints:
- In Apiiro's own testing the ruleset reports a detection rate of 94.3% on malicious PyPI packages and 88.4% on malicious npm packages.
- PRevent flagged malicious code in 91.5% of the pull requests it was tested against and can be configured to block a merge until a reviewer has examined the flagged code.
- Detection relies on static analysis that matches harmful code anti-patterns, so the check can run inside CI/CD pipelines on each change before it is merged.
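As an added illustration, and not code or rules from Apiiro or the PRevent project, the script below approximates in Python's standard `ast` module the kind of check a Semgrep/Opengrep rule expresses for one anti-pattern: an obfuscated blob is decoded and then handed to `exec`, `eval` or a shell. It also catches the two-statement form that goes through a temporary variable and the `__import__("mod")` evasion of a plain import. The source and sink lists, the `Finding` type and both sample snippets are assumptions constructed for the demonstration; the samples are only parsed, never executed.

```python
"""Toy static detector for a 'decode-then-execute' anti-pattern in Python source.

Added illustration only: it approximates, with the standard `ast` module, the
kind of check a Semgrep/Opengrep rule would express. The source/sink lists are
an assumption about what such rules target, not Apiiro's ruleset.
"""
import ast
from dataclasses import dataclass
from typing import Dict, List, Optional

# Functions that turn an opaque blob into code or a command (assumed sinks).
EXEC_SINKS = {"exec", "eval", "os.system", "subprocess.run",
              "subprocess.Popen", "subprocess.call"}

# Functions commonly used to unpack an obfuscated payload (assumed sources).
DECODE_FUNCS = {"base64.b64decode", "base64.b32decode", "base64.b16decode",
                "base64.b85decode", "base64.a85decode", "zlib.decompress",
                "codecs.decode", "binascii.unhexlify", "bytes.fromhex",
                "marshal.loads"}


@dataclass(frozen=True)
class Finding:
    lineno: int
    sink: str      # e.g. "exec"
    decoder: str   # e.g. "base64.b64decode"


def dotted_name(node: ast.AST) -> Optional[str]:
    """Return 'mod.attr' for a call target, resolving the common
    __import__("mod").attr evasion as if it were a normal import."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
          and node.func.id == "__import__" and node.args
          and isinstance(node.args[0], ast.Constant)
          and isinstance(node.args[0].value, str)):
        parts.append(node.args[0].value)
    else:
        return None
    return ".".join(reversed(parts))


class DecodeExecFinder(ast.NodeVisitor):
    """Walks the module in source order and remembers which names were
    assigned from a decoder, so `p = b64decode(x); exec(p)` is caught too."""

    def __init__(self) -> None:
        self.findings: List[Finding] = []
        self.tainted: Dict[str, str] = {}   # variable -> decoder that produced it

    def decoder_in(self, node: ast.AST) -> Optional[str]:
        """Decoder feeding this expression, directly or via a tainted name."""
        for sub in ast.walk(node):
            if isinstance(sub, ast.Call):
                name = dotted_name(sub.func)
                if name in DECODE_FUNCS:
                    return name
            if isinstance(sub, ast.Name) and sub.id in self.tainted:
                return self.tainted[sub.id]
        return None

    def visit_Assign(self, node: ast.Assign) -> None:
        decoder = self.decoder_in(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if decoder:
                    self.tainted[target.id] = decoder
                else:
                    self.tainted.pop(target.id, None)   # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        sink = dotted_name(node.func)
        if sink in EXEC_SINKS and node.args:
            decoder = self.decoder_in(node.args[0])
            if decoder:
                self.findings.append(Finding(node.lineno, sink, decoder))
        self.generic_visit(node)


def scan(source: str) -> List[Finding]:
    """Parse `source` and return every decode-then-execute sink found."""
    finder = DecodeExecFinder()
    finder.visit(ast.parse(source))
    return finder.findings


# Constructed samples for the demonstration; they are parsed, never run.
MALICIOUS_SAMPLE = '''\
import base64, os
payload = base64.b64decode("cHJpbnQoJ2hpJyk=")
exec(payload)
eval(__import__("zlib").decompress(blob))
os.system(base64.b64decode(cmd).decode())
'''

BENIGN_SAMPLE = '''\
import base64
token = base64.b64decode(raw_token)
headers = {"Authorization": "Bearer " + token.decode()}
'''

if __name__ == "__main__":
    for f in scan(MALICIOUS_SAMPLE):
        print(f"line {f.lineno}: {f.sink}() fed by {f.decoder}()")
    print("benign findings:", scan(BENIGN_SAMPLE))
```

Run in a PR check, a non-empty result is what would fail the job and hold the merge for review, which is the PRevent behaviour the page describes. The benign sample shows why that gate should route to a human rather than auto-reject: decoding base64 is ordinary in legitimate code, and only the flow into an execution sink makes it suspicious. A real ruleset covers many more patterns, tracks data flow across functions and files, and handles JavaScript and other ecosystems, which is what the Semgrep/Opengrep engine provides and this single-file sketch does not.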