Using regular expressions to find bugs in source code is a very rudimentary method. Results will tend to be noisy (many false positives). So why bother with this approach when there are more advanced scanners that can find bugs more reliably?

It is still a great aid for code reviewers: it helps to quickly locate areas of interest in code.

It's cheaper than commercial scanners, which can also be noisy when not tuned properly.

It's better than not looking for security bugs in code at all.

Developers can use it to become better educated on potential security bugs.

It's fun! And a good challenge to develop effective regular expressions.
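As an added example (not code from grebugs.com or its rule set), here is what the approach looks like in practice: three grep-style rules run over a small constructed C file. The rules, the file and the labels are assumptions for illustration. Two hits are real findings, two are noise from a comment line, and a cheap triage step shows how a little tuning cuts the noise the text warns about.

```shell
#!/bin/sh
# Added example, not from grebugs.com: a few grep-style rules run over a
# constructed sample file to show real hits, false positives and simple triage.

SAMPLE="${TMPDIR:-/tmp}/grebugs_sample.c"   # constructed input, not real project code

cat > "$SAMPLE" <<'EOF'
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* copy_name: should use strncpy rather than strcpy */
void copy_name(char *dst, const char *src) {
    strcpy(dst, src);
}

void run(const char *arg) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "ls %s", arg);
    system(cmd);
}

void read_line(char *buf) {
    /* safe: fgets is bounded, unlike gets(); old system() call removed */
    fgets(buf, 64, stdin);
}
EOF

# One rule per line, "label|regex" (label first because the regex may contain "|").
# Requiring the "(" avoids hits on prose that merely mentions the function, and the
# leading non-identifier character keeps "fgets(" from matching the "gets(" rule.
RULES='unbounded string copy|strcpy[[:space:]]*\(
command execution|(^|[^A-Za-z0-9_])system[[:space:]]*\(
unbounded read|(^|[^A-Za-z0-9_])gets[[:space:]]*\('

# grep_rules FILE: print "file:line:label:code" for every rule hit
grep_rules() {
    file="$1"
    printf '%s\n' "$RULES" | while IFS='|' read -r label regex; do
        grep -nE "$regex" "$file" | while IFS=: read -r lineno code; do
            printf '%s:%s:%s:%s\n' "$file" "$lineno" "$label" "$code"
        done
    done
}

# count_hits FILE: raw number of rule hits (true and false positives alike)
count_hits() {
    grep_rules "$1" | wc -l | tr -d ' '
}

# triage FILE: drop hits whose code starts a comment. A crude heuristic
# (trailing comments and block comment bodies slip through), but it is the
# kind of tuning that turns a noisy grep into a usable review aid.
triage() {
    grep_rules "$1" | while IFS=: read -r file lineno label code; do
        trimmed=$(printf '%s' "$code" | sed 's/^[[:space:]]*//')
        case "$trimmed" in
            "/*"*|"//"*) ;;   # comment line: noise, skip it
            *) printf '%s:%s:%s:%s\n' "$file" "$lineno" "$label" "$code" ;;
        esac
    done
}

# count_triaged FILE: number of hits left after the comment filter
count_triaged() {
    triage "$1" | wc -l | tr -d ' '
}

echo "raw hits:"
grep_rules "$SAMPLE"
echo "after triage:"
triage "$SAMPLE"
```

On the sample above the raw run reports four hits: the strcpy and system calls (real findings) plus two hits on the comment in read_line (noise), while the comment in copy_name is skipped because no "(" follows the function name. The triage pass leaves only the two real findings, which is the workflow the rest of the page argues for: let the regex point at areas of interest, then let the reviewer decide.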



download all the greps

https://grebugs.com/rules



