Semgrep Quarterly Launch: scaling your AppSec impact just got easier

This quarter we've shipped a variety of features that make the Semgrep AppSec Platform easier to manage and scale across an organization - even for an AppSec team of one. Features include managed scanning (scan in our cloud), project-level access controls (RBAC), and a UI refresh for Semgrep Supply Chain.

Chushi Li
May 21st, 2024
Share

What we shipped this quarter (and why it matters)

At Semgrep, being developer-loved on a per-team basis is only half of the battle. Our goal is to make all of the software that exists in the world harder to exploit, and to eventually help every individual or organization ship code that is secure by default.

To achieve this goal, our best-in-class code analysis engine and the remediation capabilities that come with it (like AI autofix in PR comments) need to be easy to orchestrate and scale across every repository in an organization - with no configuration, ongoing management, or organizational red-tape for AppSec teams to navigate. 

This is why we’ve been hard at work shipping features like managed scanning, project-level access controls, a brand new UI for Semgrep Supply Chain, and more. These features (and many more not mentioned here) make Semgrep easier to administer, orchestrate, and scale across ten or ten thousand repositories.

Semgrep managed scanning

Engineers trust findings from Semgrep, and our core competency in scan accuracy paired with easy to manage policies led to many situations where customers wanted to scale Semgrep across more repos, but didn’t have the bandwidth, time, or resourcing to do so. 

Enter Semgrep managed scanning, which lets teams onboard anywhere from ten to ten thousand repos with the click of a button: no more configuration files, pestering platform teams, or actively managing infrastructure - we do it all for you, securely in our cloud.

Managed scanning optionIt can take other code security solutions months to get to a point where findings are accurate enough to be deployed across an organization with minimal friction - many AppSec teams struggle to reach this point at all. Once this requirement is met (and frequently before), teams will attempt to roll out their security tooling more broadly, which is another process that can also take months.

With managed scanning, teams can get Semgrep implemented and scanning thousands of repositories in a single day. Developer-oriented rules and policies make it possible to start remediating real vulnerabilities on day 2, without opening the floodgates and inundating developers with false positives.

Clickup quote
Semgrep managed scanning is available in public beta right now for users on GitHub-hosted projects. For a deeper dive into Semgrep managed scanning, read the dedicated blog post.

Project-level RBAC (role based access controls)

Shipping RBAC that works at the repository level was a priority for us this year, and we’re excited to announce that project-level RBAC is now in public-beta!

For organizations with thousands of developers and repositories, the importance of role based access controls goes beyond compliance - security engineers only want to see findings for the repositories and microservices they are responsible for, and access controls that work at the repository level make this possible.

Project-level RBAC
Note: Semgrep brings findings and tailored remediation advice directly to developers via PR comments or Jira tickets, so they don't need to be provisioned access to the platform (findings visibility will naturally inherit the access controls you've set in your SCM/Jira)

A new look for Semgrep Supply Chain

We've done a lot this quarter to streamline the Supply Chain UI! These changes greatly improve the ease of orchestration of our SCA solution and platform overall.

All three of our products are powered by the same core analysis engine, and as we continue to unify and consolidate things on the front-end it should be much easier for anyone familiar with other parts of the Semgrep AppSec Platform to quickly get their bearings with our best-in-breed supply chain tool.

SSC New UI
Semgrep Supply Chain's shiny new interface

The new interface brings many of the core SAST capabilities and workflows that our users love to Semgrep Supply Chain:

  • Group vulnerabilities by rule

  • Bulk triage of findings

  • More comprehensive filtering

  • One unified API for findings across Semgrep Code and Semgrep Supply Chain

Improved monorepo support

Semgrep now supports the scanning of larger monorepos in parts to improve performance and reduce CI run times. This capability also allows organizations with larger monorepos to logically split their codebase and simplify the management of security findings.

If you want to learn more, check out our documentation for monorepo support!

Wrapping up

There were far more features released last quarter than we can cover in this blog - we unified policies between Semgrep Secrets and Semgrep Code, greatly improved performance when scanning large monorepos, and made cross-function analysis so performant that it now runs on every scan.

We also shipped Code search, custom rules for secrets, and structure mode within a span of 30 days! If you're having trouble keeping up with our releases, remember that you can always check out our product updates page to see all of the changes we make to the Semgrep AppSec Platform, big and small.

If you're interested in seeing how quickly you can find and remediate actionable security findings with Semgrep, you can sign up for free and run your first scan in under 10 minutes.

About

Semgrep lets security teams partner with developers and shift left organically, without introducing friction. Semgrep gives security teams confidence that they are only surfacing true, actionable issues to developers, and makes it easy for developers to fix these issues in their existing environments.