At a Glance
Name: Adrian Puente Zubiaur
Role: Principal Security Engineer at a Fintech company.
Location: Seattle, WA
Languages: Python, Go, Java, JavaScript
Semgrep Products: Semgrep Code, Semgrep Supply Chain, Semgrep Secrets
Key Features Used: Assistant, Memories, Pro Rules
Integrations: CI/CD pipelines, internal tooling via the Semgrep API (automated reporting and remediation)
Results:
Blocked critical and high-severity vulnerabilities at the pull request stage, preventing issues from reaching production
Reduced alert noise with clearer, more actionable findings, improving remediation efficiency
Increased developer trust and adoption by embedding security directly into existing workflows
For Adrian Puente, application security has always been about balance: protecting customer trust while enabling developers to build securely by default and move quickly and confidently. As a Principal Security Engineer leading application security initiatives at a Seattle-based fintech company, he brings years of hands-on experience with Semgrep, spanning both open source and enterprise editions. His focus is advancing AppSec maturity while aligning security initiatives with broader business objectives.
In his current role, Adrian guides the AppSec team with a clear mission: safeguard customer trust while empowering developers to build securely without hindering creativity. Success is measured through faster remediation times, fewer vulnerabilities, and stronger adoption of secure coding practices. To achieve those outcomes with a small team, Adrian championed Semgrep, which enabled engineers to build securely by design, increased developer engagement, reduced false positives, and scaled a developer-first security program across the organization.
Challenge: Security Without Friction
The AppSec team’s biggest challenge was developer adoption. Developers wanted to move fast, deliver value, and focus on building features. When security tools interrupted that flow or introduced friction into the software development lifecycle, adoption dropped and frustration rose.
“Striking the right balance between speed and risk management requires more than just better tooling. It demands ongoing communication, empathy, and a culture where security is seen as an enabler rather than a blocker.”
As the organization scaled, the challenge intensified. Security reviews had to cover a growing number of projects under tight resource constraints. Certain vulnerability classes, such as business logic flaws and complex authorization issues, remained difficult to automate.
False positives fueled the chaos. Developers battled constant slowdowns from noisy alerts, while the security team chased coverage over real impact. Their mission was clear: slash noise without compromising protection, forging seamless security that empowered developer workflows.
Solution: A Developer-First Approach to AppSec
Adrian first encountered Semgrep through peers in the security community and had used the open source version for more than a decade.
“What drew me in early on was Semgrep's simplicity, transparency, and power, plus the sense that this was a company that truly cared, backed by a passionate community, compared to traditional security tools that often felt like black boxes.”
After a thorough review of four solutions, including a Gartner Magic Quadrant leader, Semgrep stood out for its superior coverage, flexibility, and customer engagement, making it the clear best fit for the company. The team then adopted Semgrep Code and Semgrep Secrets to boost developer adoption and enable customizable, transparent rules, with the platform's flexibility allowing them to tune rules precisely to their codebase and development culture. This was swiftly followed by Semgrep Supply Chain, extending that same lightweight, developer-friendly approach to dependency risks.
The environment included Python, Go, Java, and JavaScript with frameworks such as Spring and React. The team relied on Semgrep’s broad language coverage and seamless integration into internal tooling. This made it possible to embed scanning into CI/CD pipelines and reinforce a culture of security by default.
“Onboarding Semgrep was straightforward, with quick integration into our pipelines. A pleasant surprise was the low barrier to writing custom rules, which gave the team early wins and built confidence in the program.”
Results: From Noise to Confidence
The transition to Semgrep led to immediate and measurable improvements in both developer engagement and operational efficiency.
False positives that previously consumed valuable time were significantly reduced, and findings became easier to understand and act on.
“With Semgrep, that experience changed dramatically. The introduction of features like Assistant, which combines auto-triage noise filtering with clear remediation recommendations, has made findings far more actionable.”
Semgrep Assistant delivered suggested fixes directly in developer workflows, shortening remediation cycles. Memories ensured triage decisions were retained, preventing the same issues from resurfacing. The adoption of Pro Rules, curated by professional researchers, provided higher-confidence results, improved signal quality, and strengthened developer trust.
In parallel, the team introduced Vibe Security Patching, an internal practice where security engineers submit pull requests with actionable patches instead of assigning remediation tickets. This closed the gap between developers and security by delivering functional remediations that minimized context switching for engineers and eliminated confusion from security jargon. The approach accelerated fixes and reinforced true collaboration between AppSec and engineering.
“We’ve seen measurable improvements in remediation time because findings are clearer, more actionable, and easier to prioritize. Developers now view the tool as part of their natural workflow rather than an external gate.”
From a business perspective, Semgrep drove measurable efficiency gains across the organization. By slashing noise and boosting accuracy, the company reclaimed valuable engineering and security hours for strategic priorities. Executives gained clear visibility into risk reduction and critical system coverage, while developers gained low false-positive rates, rapid feedback loops, and actionable guidance.
Looking Ahead
Semgrep continues to strengthen collaboration between security and development teams by delivering clear, actionable, and minimally disruptive findings that integrate seamlessly into developer workflows. Rule customization has proven especially valuable, identifying vulnerabilities that overlap with previously reported issues in the codebase, which reduces rework and lowers both bug bounty and penetration testing program costs. In parallel, custom infrastructure-as-code (IaC) rules help maintain consistent configurations that lead to more stable and predictable system execution.
As the program matures, leadership is seeking organization-wide metrics across the GitHub portfolio to connect code, collaborators, and repositories to measurable business outcomes. With trust now firmly established between security and engineering, Semgrep’s role as a unifying bridge sets the stage for the next phase: full automation. By embedding Semgrep-powered automation into everyday workflows, secure development becomes second nature, amplifying AppSec’s reach and accelerating the organization’s security maturity.
About
Semgrep enables teams to use industry-leading AI-assisted static application security testing (SAST), supply chain dependency scanning (SCA), and secrets detection. The Semgrep AppSec Platform is built for teams that struggle with noise by helping development teams apply secure coding practices.