+1 on triage being the real problem. Question: when Semgrep surfaces something ambiguous, let's say a SQL query that looks parameterized but the ORDER BY is built elsewhere, what does reviewing that actually look like? I'm wondering how much context you get before needing to jump out to the codebase.
Great question. Right now (v2.0.1), the TUI is optimized for metadata triage. You see the Rule ID, Severity, the full Semgrep message (which often contains the taint trace), and the File/Line location.
The Workflow:
1. I see [High] SQL Injection in db.py:45.
2. If the description is obvious (like a string concatenation), I mark it Confirmed (c) or False Positive (f) right there.
3. For ambiguous cases (like your ORDER BY example where the context is split), I currently keep the TUI open on one side and my IDE on the other. I use the TUI to quickly filter the noise and jump to code only for the complex ones.
We are actually adding a Syntax widget to render the surrounding 10 lines of code and the taint trace directly in the TUI so you don't have to alt-tab; this is coming in v2.1. But for now, we prioritize keeping the interface snappy.
It's open source (Apache 2.0) and written in Python/Textual.
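The "looks parameterized but the ORDER BY is built elsewhere" case from the question, as an added Python example (not code from the project or from anyone in this thread): a parameterized WHERE next to an ORDER BY assembled by a hypothetical helper in another module, beside the allowlisted form a reviewer would want to see before marking the finding resolved. The table, rows and helper names are constructed for the example.

```python
import sqlite3

# Constructed sample schema and rows (not from the thread).
_SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, created_at TEXT);
INSERT INTO users (name, created_at) VALUES ('bob', '2024-01-02'), ('alice', '2024-01-01');
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    return conn

# --- Shape that produces the ambiguous finding --------------------------------
# Hypothetical helper living in another module: the ORDER BY is "built elsewhere".
def build_order_clause_unsafe(sort_key):
    return f"ORDER BY {sort_key}"          # caller-controlled text reaches the SQL

def list_users_unsafe(conn, name_prefix, sort_key):
    # The WHERE is parameterized, so this function looks safe at a glance; the
    # problem only shows up once you follow sort_key into build_order_clause_unsafe.
    sql = f"SELECT name FROM users WHERE name LIKE ? {build_order_clause_unsafe(sort_key)}"
    return [row[0] for row in conn.execute(sql, (name_prefix + "%",))]

# --- What a reviewer wants to see instead -------------------------------------
ALLOWED_SORT = {"name": "name", "created": "created_at"}  # request key -> column

def build_order_clause(sort_key, direction="asc"):
    # Allowlist: the request picks a key, but only our own literals are spliced in.
    column = ALLOWED_SORT.get(sort_key)
    if column is None:
        raise ValueError(f"unsupported sort key: {sort_key!r}")
    if direction not in ("asc", "desc"):
        raise ValueError(f"unsupported sort direction: {direction!r}")
    return f"ORDER BY {column} {direction.upper()}"

def list_users(conn, name_prefix, sort_key, direction="asc"):
    sql = f"SELECT name FROM users WHERE name LIKE ? {build_order_clause(sort_key, direction)}"
    return [row[0] for row in conn.execute(sql, (name_prefix + "%",))]

def sort_key_accepted(sort_key, direction="asc"):
    # Convenience check for tests and triage: does the hardened builder accept this input?
    try:
        build_order_clause(sort_key, direction)
        return True
    except ValueError:
        return False
```

Note that the unsafe variant happily sorts by any column name the caller sends (for example a column the API never meant to expose), while the allowlisted builder rejects anything outside the mapping.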