Article Details
Scrape Timestamp (UTC): 2025-02-20 21:05:24.178
Original Article Text
Apiiro unveils free scanner to detect malicious code merges

Security researchers at Apiiro have released two free, open-source tools designed to detect and block malicious code before it is added to software projects, with the goal of curbing supply chain attacks. The two tools are a comprehensive ruleset for Semgrep and Opengrep, designed to detect malicious code patterns with minimal false positives, and PRevent, a GitHub-integrated scanner that detects and alerts on suspicious code in pull requests (PRs).

According to Apiiro security researcher Matan Giladi, the tools have a minimal false-positive rate, which makes them particularly valuable in real-world use. Specifically, the ruleset's detection accuracy is 94.3% for PyPI packages and a still impressive 88.4% for npm packages, while PRevent successfully flags malicious PRs in 91.5% of the examined cases.

Catching malicious code

Apiiro's malicious code detection strategy is based on identifying "code anti-patterns": suspicious constructs that exhibit behaviors rare in legitimate code but common in malware. The detection system uses static analysis, meaning it examines code without executing it, which keeps the scanning environment safe from accidental infection.

These anti-patterns include:

This ruleset can be integrated into CI/CD pipelines for automatic repository scanning, used for scanning npm and PyPI packages, or adapted to other platforms supported by Semgrep or Opengrep.

PRevent, which uses the same anti-patterns, is designed to scan pull request events in real time, before code is merged, stopping threats before they reach production. It can be configured either to block merging until an authorized reviewer approves the PR, or to add comments on the detected issues so that developers are alerted to the risks.
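To make the "static anti-pattern" idea concrete, the following is an added example written for this page; it is not Apiiro's ruleset or PRevent code, and the two anti-patterns it matches (exec/eval fed by decoded or decompressed data, and a process spawned from a decoded command) are assumptions chosen for the demo, not the article's own list. It is written as a Python AST walk rather than a Semgrep/Opengrep rule so it runs without Semgrep installed, and it never executes the code it inspects. The sample inputs are constructed here; their base64 strings decode to the harmless "import os" and "ls". The `review_pull_request` gate mirrors the two modes the article attributes to PRevent (block until a reviewer approves, and comment on each finding), as an assumed shape, not the tool's actual API.

```python
"""Toy static anti-pattern scanner for Python source, plus a PR gate.
Added illustration for this article; NOT Apiiro's ruleset or PRevent.
The anti-patterns below are assumptions picked for the demo."""
from __future__ import annotations

import ast
from dataclasses import dataclass

# Callables treated as "runs code at runtime" (assumed rule content).
DYNAMIC_EXEC = {"exec", "eval"}
# Callables treated as "spawns a process" (assumed rule content).
PROCESS_SPAWN = {
    "subprocess.Popen", "subprocess.run", "subprocess.call",
    "subprocess.check_output", "os.system", "os.popen",
}
# Decoder/decompressor names: their output feeding exec/eval or a process
# spawn is rare in legitimate code but a staple of obfuscated loaders.
DECODERS = {"b64decode", "a85decode", "b85decode", "unhexlify", "decompress"}


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    message: str


def _call_name(call: ast.Call) -> str:
    """'exec(...)' -> 'exec'; 'subprocess.Popen(...)' -> 'subprocess.Popen';
    anything more exotic (e.g. getattr(...)(...)) -> ''."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


def _feeds_from_decoder(node: ast.AST) -> bool:
    """True if any call nested inside `node` is a known decoder/decompressor."""
    return any(
        isinstance(n, ast.Call) and _call_name(n).rsplit(".", 1)[-1] in DECODERS
        for n in ast.walk(node)
    )


def scan_source(source: str, filename: str = "<input>") -> list[Finding]:
    """Static scan: parse to an AST and match anti-patterns without running
    the code. Returns findings sorted by line."""
    try:
        tree = ast.parse(source, filename=filename)
    except SyntaxError as exc:
        return [Finding("unparsable-source", exc.lineno or 0, str(exc.msg))]
    findings: set[Finding] = set()
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        name, payload = _call_name(node), node.args[0]
        if name in DYNAMIC_EXEC and _feeds_from_decoder(payload):
            findings.add(Finding("dynamic-exec-of-decoded-data", node.lineno,
                                 f"{name}() runs decoded/decompressed data"))
        elif name in PROCESS_SPAWN and _feeds_from_decoder(payload):
            findings.add(Finding("process-spawn-with-decoded-command", node.lineno,
                                 f"{name}() launches a decoded command"))
    return sorted(findings, key=lambda f: (f.line, f.rule))


def review_pull_request(changed_files: dict[str, str]) -> dict:
    """Gate a PR: 'block' when any scanned file has a finding, plus one
    comment per finding. `changed_files` maps path -> new content; only
    .py files are scanned (this toy cannot look inside binaries)."""
    comments = []
    for path, content in sorted(changed_files.items()):
        if not path.endswith(".py"):
            continue
        for f in scan_source(content, path):
            comments.append(f"{path}:{f.line}: [{f.rule}] {f.message}")
    return {"decision": "block" if comments else "allow", "comments": comments}


# Constructed samples, not real packages. Base64 decodes to "import os"/"ls".
MALICIOUS_SAMPLE = '''\
import base64, subprocess

def _post_install():
    exec(base64.b64decode("aW1wb3J0IG9z"))
    subprocess.Popen(base64.b64decode("bHM="), shell=True)
'''

BENIGN_SAMPLE = '''\
import base64

def load_blob(path):
    with open(path, "rb") as fh:
        return base64.b64decode(fh.read())

def evaluate(expr, env):
    # Bare eval on a caller string: risky style, but not the decoded-payload
    # anti-pattern, so the scanner stays quiet instead of raising a false positive.
    return eval(expr, {"__builtins__": {}}, env)
'''

if __name__ == "__main__":
    print(review_pull_request({"setup.py": MALICIOUS_SAMPLE, "pkg/io.py": BENIGN_SAMPLE}))
```

The benign sample shows where the false-positive budget goes: a rule that fired on every `eval()` would flag `evaluate()`, so the match is tightened to require a decoder in the argument, the same kind of narrowing a production ruleset needs to keep its rate low. The gate also inherits the limitation the article notes for the real tools: it only reads source text, so malware shipped inside a compiled binary in the same PR is invisible to it.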
Apiiro acknowledges that its tools still have practical limitations: they cannot detect malware hidden in compiled binaries, nor scan npm and PyPI packages directly. The company plans to add features such as deep code analysis and AI-assisted scans in future updates. Both the malicious code detection ruleset and the PRevent tool are available for free on GitHub, with instructions on how to use them. BleepingComputer has not tested these security tools and cannot guarantee their effectiveness or safety.
Daily Brief Summary
Apiiro has introduced two free, open-source tools aimed at preventing malicious code from being added to software projects.
The tools are a ruleset for Semgrep and Opengrep that flags malicious code patterns, and a GitHub-integrated scanner named PRevent that detects and alerts on suspicious code in pull requests.
They target supply chain attacks by integrating security measures in CI/CD pipelines and during pull request reviews before code merges.
The detection accuracy is notably high, with 94.3% for PyPI packages and 88.4% for npm packages, while PRevent flags 91.5% of malicious pull requests.
Apiiro's strategy uses "code anti-patterns" identified through static analysis, which inspects code without executing it, so scanning cannot trigger the malware it is looking for.
Currently, the tools do not support detection in compiled binaries or direct scanning of npm and PyPI packages but future enhancements are planned.
Despite the reported effectiveness, limitations remain, and BleepingComputer has not independently verified the performance or safety of these tools.
Both tools are freely available on GitHub, complete with usage instructions, broadening access to advanced security measures.