I'm excited to share that Semgrep (formerly r2c) has raised $53M in a Series C led by Lightspeed Venture Partners with Felicis, Redpoint, and Sequoia.
Semgrep is a code scanning tool designed for both security and software engineers. Unlike most black-box scanners, Semgrep puts engineers in charge: they can transparently view the rules that alerted the vulnerabilities and make sense of them. They can also quickly write a new rule, edit an existing rule, or use one of the thousands of community rules and fine tune Semgrep to match their specific needs.
Our deep investments in program analysis mean our new supply chain product looks at dependency manifests and code, for up to a 98% reduction in false positives compared to tools that ignore the latter.
As opposed to other tools that focus on fixing symptoms until the green check box appears, our goal is that Semgrep is used to find and eliminate root causes.
Semgrep is making it more expensive to exploit software
We founded Semgrep to bring world-class security tools to developers because we believe software will run the most exciting parts of the future. In a future where software runs everything from medical equipment to autonomous cars, security can be life or death. Security teams must enable, not hinder, rapid software development. If developers lack tools that are easy to set up and understand—or if a developer has to convince their manager to spend millions on advanced security tools—the future is bleak.
Since our last fundraise we have made real progress on making it more expensive to exploit software, as reported by our customers. We still have a lot of work to do, but comments showing Semgrep working as a bicycle for the mind of the security engineer (to paraphrase Steve Jobs) make our day:
“Overall, getting up and running with Semgrep was a really positive experience and I was able to go from zero to finding bugs in a real target almost no time at all.” - Joe Rozner
“Most of these [bugs] could not be found by any other process in the entire security testing process.” - https://blogs.halodoc.io/streamlining-code-review-with-semgrep/
“Our engineers are excited we’ve got Semgrep Supply Chain... managing vulnerabilities in NPM packages is chaos without any sense of reachability.” - Vanta
“Semgrep's library reachability makes me regret that we went with [competitor] for our dependency and code scanning.” - https://twitter.com/0xdade
“Building a healthy vuln management program is about building a trust relationship with engineers. Every false positive, every non-actionable alert diminishes that trust. Which is why accurate dependency alerts are critical! Great work semgrep team!” - Nico at Lyft
Semgrep is becoming an AppSec platform
We used our prior fundraising to deepen investment in the OSS Engine and launch two commercial products: Semgrep Code (SAST for first-party code) and Semgrep Supply Chain (SCA for third-party code).
Semgrep Code includes a Pro Engine and rules for teams that want an "appsec in a box" experience. The Pro Engine extends the OSS Engine and enables cross-function, cross-file analysis with the same syntax—to find more vulnerabilities and eliminate some false positives through deeper analysis.
Our newest product, Semgrep Supply Chain, reduces false positives from vulnerability scanning by 98% by considering whether a vulnerability is reachable from your code. This incredible result is made possible by the OSS Engine and ease of rule-writing: our team writes a Semgrep rule for almost every CVE published that fires if your code uses the vulnerable functionality. So if Semgrep identifies a dependency vulnerability, it points to the line of your code that uses the vulnerable functionality. Give it a whirl.
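To make the "rule per CVE" idea concrete, here is an added example of the shape such a reachability rule takes (written for this page, not a rule from Semgrep's registry). The CVE id and version range are placeholders, and the `r2c-internal-project-depends-on` key, which ties the rule to the affected dependency version in the lockfile, is assumed from public Semgrep supply-chain rules and should be checked against current documentation.

```yaml
# Added example rule, not part of Semgrep's registry. Placeholders are labelled.
rules:
  - id: placeholder-pyyaml-unsafe-load-reachable
    languages: [python]
    severity: ERROR
    message: >-
      yaml.load() without SafeLoader deserializes arbitrary Python objects from
      the input document. Use yaml.safe_load() or pass Loader=yaml.SafeLoader.
    metadata:
      category: security
      cve: CVE-XXXX-XXXXX          # placeholder: real rules carry the actual id
    # Assumed key (verify against current Semgrep docs): the rule only applies
    # when the project's lockfile resolves the dependency to an affected version,
    # which is what turns a plain SAST match into a reachability finding.
    r2c-internal-project-depends-on:
      namespace: pypi
      package: pyyaml
      version: "< 5.4"             # placeholder version range
    # Fire only where first-party code actually calls the vulnerable API, so the
    # finding points at the exact line that exercises it.
    pattern-either:
      - pattern: yaml.load($DATA)
      - pattern: yaml.load($DATA, Loader=yaml.Loader)
      - pattern: yaml.load($DATA, yaml.Loader)
```

A project that pins an affected version but never calls `yaml.load` produces no finding, which is the false-positive reduction the paragraph above describes.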
Our customers use Semgrep as a platform for analyzing code: writing custom rules, finding unauthenticated routes, or even tracking framework migration over time. We're proud that we're a tool for creatives rather than a checkbox solution; as one of our customers put it: “Semgrep is a platform that can be expanded on by us, while [competitor] is a platform that we would rely upon [competitor] to expand.”
Finally, we're also excited to see what revolutionary tools like GPT-4 can offer to security teams. With Semgrep Assistant, launched two weeks ago, we're mixing LLM contextualization with findings. This approach gives us the best of two worlds: Semgrep's engine for making sure we don't miss critical findings, and an LLM that understands an enormous amount of non-code context to help suggest whether or not the finding is important in an extra-code context (is it a test file? does the README say it's a toy project?).
Semgrep is the tool of choice for security & software engineers
Thanks to the open-source community's contributions to the Semgrep engine and rules, we've reached 30+ languages in the engine and over 40K unique rules written on our online Semgrep editor alone. Many more security rules live in the official registry or in popular repositories for applications we never imagined, like Solidity DeFi exploits or non-security Go bugs.
We’ve built out our taint tracking support and inter-language support. If your Scala code has an embedded Dockerfile with a bash script and you're looking for "curl to bash," Semgrep can do it. What other static analysis tool can say that?
Simultaneously, we're pleased that Semgrep's LGPL-licensed engine has been chosen as the community standard for static analysis: it powers GitLab's security offering and Datadog's dependency scanning, and is used at world-class security consultancies like NCC Group and Latacora, as well as dozens of other security startups.
The future of engineer-native security tools is bright and we are excited to be investing deeply in technology & product. By the way – we're hiring, we’d love to hear your feedback or ideas for Semgrep in our community Slack.