Semgrep Blog

Can LLMs Detect IDORs? Understanding the Boundaries of AI Reasoning

Analyzing accuracy of LLM generated IDOR findings

Vasilii Ermilov

How Semgrep & StackHawk Help AppSec Teams Prioritize Real Risks

SAST + DAST, Finally in Sync

Jaweed Metz

Romain Gaucher Vasilii Ermilov Clint Gibler

Finding vulnerabilities in modern web apps using Claude Code and OpenAI Codex

Our deep dive into AI Coding Agents capabilities for finding vulnerabilities reveals surprising strengths, critical weaknesses, and a serious problem with consistency.

Romain Gaucher Jayson DeLancey Lewis Ardern

Security Alert | NX Compromised to Steal Wallets and Credentials

At least 1.4k people are learning today that keys, wallets, and credentials were compromised from install of the nx build tool.

Fix What Matters, Faster: How Semgrep and Sysdig Are Unifying Security from Code to Runtime

Fix What Matters, Faster: How Semgrep and Sysdig Are Unifying Security from Code to Runtime

From code to production, with context

From idea to (secure) app: Semgrep + Replit

Over 30 million people use Replit to turn natural language into production ready code. Starting today, Replit Agent automatically uses Semgrep Community Edition to find and fix...

Chushi Li

Take control of sensitive code without developer frustration

Fine-grained policy automation for robust security and greater velocity

Jaweed Metz Katie Kent

Announcing an AI AppSec engineer that users agree with 95% of the time

With its transparent engine, fast performance, and LLM-friendly rule syntax, Semgrep is uniquely positioned to leverage AI and tackle AppSec's biggest challenges: false...

Chushi Li

How we built an AppSec AI that security researchers agree with 96% of the time

Getting Semgrep Assistant to triage vulnerabilities with a 96% true positive accuracy was hard, but there were lots of learnings along the way. In this blog, we’ll dive into the...

Jack Moxon Seth Jaksik

Cullen Harwood Aaron Acosta Leif Dreizler

Less effort, more insight: Introducing Dependency Graph for Supply Chain

You cannot secure what you cannot see. Introducing Semgrep’s Dependency Graph: effortless visibility into your software supply chain. Empower AppSec teams to uncover and...

AppSec guides, not gates: Introducing secure guardrails with Semgrep

"Shift left" was popular, but has largely failed to deliver on its promises. For too many teams, it was a way to take the same old security tools and point the firehose of...

Isaac Evans

Rapidly deploy code scans across your organization with Semgrep managed scanning

You can now roll out Semgrep at ludicrous speed without any manual, per-repo CI/CD configuration. Whether you have one repo or thousands of repos, It Just Works.

Pablo Estrada

Overrated and underperforming: transitive reachability analysis

Due to complex dependency layers and static analysis limitations, transitive reachability analysis struggles to deliver actionable insights.

Kyle Kelly

10x your AppSec program with Semgrep Assistant

Assistant helps both AppSec engineers and developers make the correct decisions faster, with far less cognitive load required. This means users only spend their time and...

Chushi Li

Latest posts