Build a Secure-Coding Linter Ruleset for a Backend Team
Overview
What this challenge is about.
Receive the last 12 security-review findings, 3 representative repos (Node.js + TypeScript), and access to a CI pipeline (GitHub Actions). Build a custom Semgrep ruleset (or ESLint custom rules — choose and defend) targeting the 3 known patterns plus 5 additional ones drawn from OWASP Top 10 examples in the codebase. Validate the ruleset by running it against historical commits and showing it would have caught the past findings (with no more than 10 percent false positives). Ship the ruleset as a GitHub Action that fails the PR check on high-severity hits. Deliver the Semgrep ruleset repo, the validation report (true/false positives on historical data), the GitHub Action workflow, and a 4-page rollout note for the engineering team.
The Brief
What you'll do, and what you'll demonstrate.
Build a custom secure-coding linter ruleset that catches the 3 most-repeated security patterns in CI with under 10 percent false positives.
Earning criteria — what you'll demonstrate
- Translate real findings into reproducible static-analysis rules
- Calibrate rules for low false-positive rate without missing real bugs
- Ship security tooling as a developer-experience improvement, not a blocker
- Document rollout so adoption survives the original author leaving
Program Fit
Where this fits in your program.
Sharpens the same skills your degree expects you to demonstrate.
Skills
Skills you'll demonstrate.
Each one shows up on your verified credential.
Careers
Roles this prepares you for.
Real titles. Real skill bridges. Pick the one closest to your trajectory.
Career mappings coming soon.