Apiiro security researchers have released open source tools that can help organizations detect malicious code as part of their software development lifecycle: PRevent (a scanner for pull requests), and a malicious code detection ruleset for Semgrep and Opengrep static code analysis tools.
PRevent in action (Source: Apiiro)
The tools work by detecting two anti-patterns the researchers pinpointed after analyzing thousands of malicious code instances in repositories and packages: obfuscated / unreadable source code, and dynamic execution (i.e., code execution at runtime instead of at build or compile time).
“Some malicious patterns are common in legitimate code and would cause false positives (e.g., command-execution patterns). However, we focus on coding anti-patterns – patterns that go against best practices, are rare in typical codebases, but common in malicious code,” Apiiro security researcher Matan Giladi explained.
The malicious code detection ruleset
This collection of Semgrep/Opengrep rules detects the two aforementioned anti-patterns, in code written in 15 programming languages: Bash, Clojure, C#, Dart, Go, Kotlin, Java, JavaScript, TypeScript, Lua, PHP, Python, Ruby, Rust, and Scala.
It’s designed to run on comment-free code, and has been developed for integration with any CI/CD pipeline, enabling detection at any stage (build, testing, pre-deployment, production, etc.).
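As an added illustration (not Apiiro's ruleset, which is written as Semgrep/Opengrep rules), the script below applies the same two anti-pattern checks to Python source with the standard library's `ast` module: string literals that look obfuscated (base64-shaped or high-entropy) and calls that execute code at runtime. The entropy/base64 thresholds and the sample snippets are assumptions constructed for this example.

```python
import ast
import base64
import math
import re
from collections import Counter

# Calls that turn data into code at runtime (the "dynamic execution" anti-pattern).
DYNAMIC_EXEC_NAMES = {"eval", "exec", "compile", "__import__"}
DYNAMIC_EXEC_ATTRS = {"import_module"}  # e.g. importlib.import_module(<string>)
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def shannon_entropy(text):
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def looks_obfuscated(text):
    """Heuristic (assumed thresholds): a base64-shaped literal that decodes, or a long high-entropy blob."""
    if BASE64_RE.match(text):
        try:
            base64.b64decode(text, validate=True)  # rejects wrong padding, e.g. plain CamelCase words
            return True
        except ValueError:
            pass
    return len(text) >= 32 and shannon_entropy(text) > 4.5

class AntiPatternFinder(ast.NodeVisitor):
    def __init__(self):
        self.findings = []  # (rule, line, evidence)

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Name) and func.id in DYNAMIC_EXEC_NAMES:
            self.findings.append(("dynamic-execution", node.lineno, func.id))
        elif isinstance(func, ast.Attribute) and func.attr in DYNAMIC_EXEC_ATTRS:
            self.findings.append(("dynamic-execution", node.lineno, func.attr))
        self.generic_visit(node)

    def visit_Constant(self, node):
        if isinstance(node.value, str) and looks_obfuscated(node.value):
            self.findings.append(("obfuscation", node.lineno, node.value[:12] + "..."))

def scan_source(source):
    """Return findings for one Python source string, ordered by line number."""
    finder = AntiPatternFinder()
    finder.visit(ast.parse(source))
    return sorted(finder.findings, key=lambda f: f[1])

# Constructed samples: the literal is base64 for print('hello'), handed to exec().
SUSPICIOUS = 'import base64\n_p = "cHJpbnQoJ2hlbGxvJyk="\nexec(base64.b64decode(_p))\n'
CLEAN = 'def add(a, b):\n    return a + b\n'

if __name__ == "__main__":
    for rule, line, evidence in scan_source(SUSPICIOUS):
        print(f"line {line}: {rule} ({evidence})")
```

In a pipeline the same scan would run over each changed file in a pull request, with the findings posted back as review comments, which is the workflow the article describes for PRevent.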
PRevent
PRevent, on the other hand, is triggered by pull request events. It scans each pull request for malicious code and posts its detections as comments directly on the pull request.
It’s a GitHub app that developers can create within their GitHub organization or account, and deploy to a server.
The application communicates with GitHub and, aside from scanning and commenting on pull requests when the need arises, it can also be configured to exclude or include select repositories and branches from the scan, block merging until a reviewer’s approval is granted, trigger code reviews from designated reviewers, and more.
“Designed for full privacy and control, PRevent ensures data stays in your internal network (for GitHub Enterprise accounts), or between GitHub and your private server only,” Giladi stressed.
PRevent supports the same coding languages as the malicious code detection ruleset.
“Detection of dynamic execution and obfuscation is simple yet powerful, catching nearly all known incidents and forming a rock-solid foundation for malicious code defense. However, its success hinges on the adoption of correct workflows,” Giladi pointed out.
“For example, our ruleset correctly flags the xz backdoor payload, but without the right workflow, the code just won’t be scanned. Scanning pull requests is a baseline and an essential first step.”
