AI-Native Code Security
As Michael Truell, CEO of Cursor, stated: we are now in the third era of software development.
"Most Cursor users never touch the tab key. In March 2025, we had roughly 2.5x as many Tab users as agent users. Now, that is flipped: we now have 2x as many agent users as Tab users."
In this new era, developers:
Let agents write almost 100% of their code
Spend their time breaking down problems, reviewing outputs, and giving feedback
Run multiple agents simultaneously rather than guiding a single one to completion
With this shift comes a change in the security primitives required to build software safely. Agents now have more autonomy, privileged access, and less human supervision than ever before. Without the right guardrails, an explosion of software vulnerabilities becomes inevitable.
This is where Semgrep can have a significant impact. By integrating directly into Cursor, we detect and prevent more vulnerabilities than ever before, all before code ever leaves a developer's laptop.
We're thrilled to announce that Semgrep is one of the first security companies to join the Cursor Plugin Marketplace.
What's in the Semgrep Cursor Plugin?
The Semgrep plugin comes bundled with an MCP server, multiple Hooks integrations, and Skills. Together, they ensure Semgrep is always available to the agent, at exactly the right moment.
Here's what's possible on day one:
Scan everything, automatically. SAST, supply chain, and secrets scanning on every file an agent touches, powered by Semgrep's workflow and Pro engine. The AppSec team sets the policies (e.g. all critical + high severity findings), and once configured, they're automatically enforced across the entire engineering fleet.
Write once, catch it everywhere. If the agent makes a mistake, developers can highlight any line of code, ask Cursor to write a Semgrep rule for it, and immediately publish it to the organization's policy, so no agent ever makes the same mistake again.
Prevent vulnerable code from the start. Semgrep injects secure default guidance directly into the Cursor agent, steering it away from generating vulnerable patterns.
We’re continuing to evolve the plugin. Up next: Agents will start every session with threat model context generated directly from your own codebase, designed to reduce false positives and surface novel vulnerabilities. Chat with the team to learn more.
Together, these capabilities bring security into the third era of software development. Semgrep becomes an always-on security layer that developers rarely think about, but that security teams can trust to never miss a line.
1-Click Rollout
Rolling out security tooling across thousands of developers' machines has always been a nightmare. No more! On Cursor’s Team and Enterprise tiers, admins can deploy the Semgrep plugin to every developer's Cursor instance.
Now, every developer (and their agent!) will run with security guardrails on day one.
Get Started Today
The third era of software development is here. Make sure your security is too. Find Semgrep in the Cursor Plugin Marketplace today. 🚀