Iago Abal is a software engineer with 14 years' experience specializing in static analysis and formal software verification, based in Pontevedra, Galicia. He contributes to prominent open-source projects like Semgrep and Coccinelle, improving language support, control-flow analysis, and inter-procedural taint propagation to make automated vulnerability detection more precise. His work spans engine-level enhancements (constant propagation, parsing tricky language constructs) and practical security rule maintenance, closing real-world gaps such as injection flaws and insecure transport patterns. Comfortable in back-end and security-focused roles, he combines careful refactoring with feature development to strengthen tooling reliability. Notably, his contributions improve both the theoretical analysis (CFG and variability parsing) and the day-to-day utility of widely used security scanners.
Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
Role in this project: Back-end Developer & Security Engineer
Contributions: 1311 reviews, 480 commits, 698 PRs in 2 years 5 months
Contributions summary: Iago primarily contributed to the improvement of Semgrep's static analysis capabilities, focusing on enhancing the engine's support for various programming languages. His work involved implementing and refining constant propagation, which improves the detection of vulnerabilities. He also addressed several issues related to accurately parsing and analyzing specific language constructs (such as Ruby's block syntax and the synchronized statements of C# and Java), and improved the accuracy of the analysis by correctly handling different assignment operations, recognizing function calls and their arguments, and taking special tokens into account. Furthermore, he added support for inter-procedural taint analysis using `pattern-propagators`.
Contributions: 23 reviews, 16 commits, 33 PRs in 1 year 7 months
Contributions summary: Iago's contributions primarily involve improving and maintaining security rules within the `semgrep-rules` repository. He addressed vulnerabilities and fixed rules related to insecure code patterns, including injection flaws, insecure transport protocols, and the use of potentially unsafe configurations. He demonstrated expertise in identifying and mitigating security risks by updating existing rules and adapting them to the latest Semgrep features and improvements. He also corrected test expectations, reflecting a strong understanding of the project's testing framework.