Background
“The early bird catches the worm” - a classic idiom fitting for security. The sooner vulnerabilities are remediated, the less risk an organization takes on while saving on resources that become costlier the longer a vulnerability remains exploitable. Static Application Security Testing (SAST) tools have been built with this promise of detecting vulnerabilities sooner than other methods, leading to quicker remediation. However, traditional SAST solutions are plagued with the same core issues: they are slow to scan, don’t integrate into developer workflows, and are full of false positives.
Over the past few years, Semgrep open source (OSS) has gained tremendous popularity among developers and security teams as a powerful tool for code analysis. Given the aforementioned shortcomings of existing SAST products, teams of all kind have leveraged Semgrep OSS as the underlying tool to build their SAST programs given its customizability, speed, and ease of use.
Semgrep Code
Today, we're excited to announce Semgrep Code! Semgrep Code is born from our work deploying, managing, and monitoring Semgrep OSS with the world's leading security teams.
After living with the power and design limitations of Semgrep OSS, we believe that shifting left and scaling a security program demands deeper analysis and even higher-confidence, higher-coverage rules. Semgrep Code delivers both by combining the new Semgrep Pro Engine with Pro rules, going past Semgrep OSS to give you what's necessary to quickly detect and remediate complex vulnerabilities.
Pro Engine
Last year, we announced interfile analysis in private beta as a proprietary extension to Semgrep OSS.
Today, we are launching Semgrep Pro Engine, which uses interfile analysis to uncover vulnerabilities that aren’t detectable with Semgrep OSS. Understanding cross file interactions can reduce noise, uncover new vulnerabilities, and make your results easy to understand. Interfile analysis is available in open beta for Java and JavaScript.
Semgrep Pro Engine also improves pull request results for developers by adding fast inter-procedural analysis that surfaces vulnerabilities across function boundaries. This provides developers with the best results, at the right time to catch a vulnerability — before it happens.
We’ve also added experimental support for Apex: an enterprise, proprietary language developed by Salesforce.
With these improvements, organizations can now detect vulnerabilities that are often missed by SAST and drive down noise by contextualizing their code.
Pro rules
Semgrep has experienced fantastic growth that would not be possible without our open-source community. Today, we have over 2500 Community rules in the Semgrep Registry available to everyone - many of these rules are contributions by the community!
While Community rules cast a wide net and are great for security auditors, security teams looking to build a SAST program require higher coverage, higher confidence rules that surface findings directly to developers.
Pro rules are authored by the Semgrep Security Research team based on language and vulnerability trends and are intended to be used by organizations looking for the highest quality coverage. This includes clear remediation information for developers, high-confidence findings that won’t spam developers with false positives, and coverage for a wide array of vulnerability categories. Pro rules are only available in Team and Enterprise tiers.
Deploy and scan within minutes
Semgrep plugs into any CI pipeline and with just a few lines of code, teams can scan all of their repositories in just a few minutes (really! Semgrep can scan even the largest codebases in minutes rather than hours).
Monitor vulnerabilities with ease
Completed scans display results in the Semgrep Cloud Platform. Here, results from all projects are visible and users can gather a high-level view of their findings as well as drill down into individual projects and vulnerabilities.
Surface actionable results
This is the bread and butter of Semgrep Code. Our application makes it effortless to triage results regardless of whether you have 10 vulnerabilities or 1,000.
Once teams triage their findings, they can easily take advantage of Semgrep’s easy-to-customize workflow to not only tweak rules that may be producing false positives but also set high-confidence rules to notify developers in PR / MR comments
Semgrep Code is designed with developers in mind. Developers will begin to receive Semgrep findings as they code, so vulnerability remediation happens in real time. Semgrep Code also provides developers with the option to triage results in real-time, providing their security teams and the Semgrep team with data to improve rule quality & configurations.
What’s next
Today’s launch is an exciting milestone as we build the leading all-in-one code security platform. With Semgrep Code, Pro Engine, and Pro rules, we want to not only scan all your code but actually provide highly actionable findings that result in fixed vulnerabilities.
To try Semgrep Code in your environment, book a demo with a product advisor.