How Cribl Built a High-Signal SAST Program with Semgrep

Cribl achieves high-signal SAST with Semgrep: Leveraging custom policies, CI/CD control, and AI-powered filtering to reduce noise and maintain developer velocity.


Customizable policies, CI/CD control, and AI-powered triage help Cribl's security team improve application security without slowing down developers.

  • Semgrep's granular policy controls and custom rules engine give Cribl precise control over which findings reach developers, significantly reducing low-signal noise.

  • Semgrep Multimodal (Assistant) adds an AI-powered false positive filtering layer, preventing unnecessary PR comments and keeping developers focused.

  • Customizable CI/CD configurations let Cribl scan on their terms, with hourly release branch scans and PR scans integrated directly into Bitbucket.

About Cribl

Cribl, the Data Engine for IT and Security, empowers organizations to transform their data strategy. Enterprises use Cribl's suite of products to collect, process, route, and analyze IT and security data at scale. Cribl's platform handles massive volumes of telemetry, log, and observability data for customers across industries.

The challenge: cost, control, and too much noise

Cribl's security team needed a code security platform that matched the way they worked. Their legacy SAST tools had two core challenges: cost and customizability.

Prior tools would flag issues on pull requests that the team did not want, generating low-signal alerts with little control over stopping those rules from triggering comments. Every unnecessary alert carries a hidden cost: developer time spent investigating non-issues and security team time spent triaging irrelevant findings. The controls and customizations available were insufficient; the team could not adequately understand or control alerting, rules, or CI/CD integration.

Evaluating alternatives

When evaluating the market, Cribl benchmarked solutions against three specific criteria where Semgrep stood out and clearly differentiated:

  • Custom rules engine: The ability to write rules tailored to Cribl's domain-specific patterns and architecture.

  • CI/CD control: The flexibility to scan when needed, rather than being forced into a rigid scanning schedule.

  • Web interface for management and triage: A centralized platform to manage rules, policies, and findings without jumping between tools.

Semgrep Multimodal: AI-powered confidence filtering

Cribl found that Semgrep Multimodal (Assistant) provided a meaningful differentiator for their SAST program. Assistant adds a layer of confidence scoring and false-positive filtering on top of the static analysis engine.

When Semgrep determines a finding is likely a false positive, it suppresses the PR comment. The security team can still review these findings during backlog refinement, but developers are not interrupted by findings that would waste their time. This matters because codebases often include sanitization logic that a traditional analysis engine cannot fully understand, but an LLM can.

CI/CD integration built around developer velocity

Semgrep fits into Cribl's CI/CD pipeline through hourly release branch scans and PR scans. Rather than hard-blocking pull requests, Cribl uses a soft-block approach: Semgrep Cloud creates a Bitbucket PR comment with a task, signaling the issue to the developer without halting the build.

The tool has been stable in production. Over the past two years, Cribl has experienced only a couple of minor regressions, managed by pinning the Semgrep version and upgrading on a roughly six-month cadence.
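The following Bitbucket Pipelines configuration is an added illustration of the setup described above, not Cribl's own file: one scan step is reused for a PR-triggered pipeline and for a custom pipeline that a Bitbucket schedule runs hourly against a release branch. The `semgrep ci` command, the `semgrep/semgrep` image and the `SEMGREP_APP_TOKEN` variable are real Semgrep interfaces; the version tag, branch name and pipeline name are placeholders.

```yaml
# bitbucket-pipelines.yml (illustrative example, not Cribl's configuration)

# Pin the scanner image to an explicit tag rather than "latest", so upgrades
# happen deliberately on the team's cadence. X.Y.Z is a placeholder.
image: semgrep/semgrep:X.Y.Z

definitions:
  steps:
    # One reusable step: `semgrep ci` fetches the rules and policies managed
    # in Semgrep Cloud, scans the checked-out code, and reports findings back.
    # SEMGREP_APP_TOKEN is stored as a secured repository variable in Bitbucket.
    - step: &semgrep-scan
        name: Semgrep scan
        script:
          - semgrep ci

pipelines:
  # PR scans: runs for every pull request. Inside a PR pipeline Semgrep scans
  # the diff and, through the Semgrep Cloud Bitbucket integration, posts
  # comments for findings whose policy is set to Comment or Block.
  pull-requests:
    '**':
      - step: *semgrep-scan

  # Release-branch scans: "custom" pipelines only run on demand or on a
  # schedule. The hourly cadence and the target branch (e.g. release/current,
  # a placeholder) are set under Repository settings > Pipelines > Schedules.
  custom:
    release-scan:
      - step: *semgrep-scan
```

The soft-block behaviour comes from the Semgrep Cloud policy rather than this file: `semgrep ci` fails the step only for findings whose rules are in Block mode, so keeping rules in Comment mode yields a PR comment (and, with the Bitbucket integration, a task) without a red build.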

Custom rules and granular policies

Cribl uses custom Semgrep rules and granular policy controls to improve their security posture in complementary ways.

Many of Cribl's custom rules detect whether known bad patterns are being reintroduced into the codebase. This automates regression prevention in areas where issues have been identified before. Meanwhile, customizable policies further reduce developer load for issues that are not commonly exploitable within Cribl's systems. Previous SAST tools did not offer this level of policy control, nor make it as easy to configure as Semgrep does.
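As an added example of a regression-prevention rule of the kind described above (an illustration, not one of Cribl's rules): it assumes a Node.js/TypeScript code base, which the case study does not state, and encodes one "known bad pattern", a non-constant command string passed to `child_process.exec()`. The rule id, message and metadata are constructed for this example; the pattern syntax is standard Semgrep.

```yaml
# Added example rule (not from Cribl). Once a shell-injection bug of this shape
# has been fixed, a rule like this keeps it from coming back in a later PR.
rules:
  - id: example-child-process-exec-dynamic-command
    languages: [javascript, typescript]
    severity: ERROR
    message: >-
      child_process.exec()/execSync() is called with a command string that is
      not a constant. exec() hands the string to a shell, so any
      user-controlled fragment becomes OS command injection (CWE-78).
      Use execFile()/spawn() with an argument array instead.
    metadata:
      category: security
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"
      # Free-form metadata such as confidence is what a Semgrep Cloud policy
      # can use to decide whether a rule comments on PRs or only monitors.
      confidence: HIGH
    patterns:
      # Only consider code where the module was imported via require() as $CP.
      # (ESM `import { exec } from "child_process"` would need a second
      # pattern-inside; omitted here for brevity.)
      - pattern-inside: |
          $CP = require("child_process")
          ...
      - pattern-either:
          - pattern: $CP.exec($CMD, ...)
          - pattern: $CP.execSync($CMD, ...)
      # A string literal command is allowed: nothing dynamic reaches the shell.
      - pattern-not: $CP.exec("...", ...)
      - pattern-not: $CP.execSync("...", ...)

# Behaviour on constructed sample code:
#   const cp = require("child_process");
#   cp.exec(`ls ${req.query.dir}`);     // flagged: interpolated template string
#   cp.execSync("ls " + userDir);       // flagged: string concatenation
#   cp.exec("df -h");                   // allowed: constant command
#   cp.execFile("ls", [userDir]);       // allowed: argument array, no shell
```

Rules like this are most useful when the policy that contains them is set to Comment rather than Block, so a reintroduced pattern produces a PR comment for the developer while the security team retains the finding in the backlog.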

Developer engagement and adoption

PR comment engagement significantly improved since adopting Semgrep. Because Cribl's policies ensure that only relevant, high-signal findings generate PR comments, developers find more value in the feedback they receive.

The result: exploitable vulnerabilities are being mitigated with minimal interaction from the security team, thanks to PR comments.

Impact

The most valuable outcome for Cribl has been high-signal PR comments combined with easy policy and triage workflows. This has saved time for both security engineers and developers.

“Semgrep lets us treat security and code quality as first-class priorities. The combination of customizable CI/CD configurations, custom rules, and finding policies gives us a SAST program that actually fits our codebase.”

— Zach Rayburn, Staff Product Security Engineer, Cribl

About


Semgrep enables teams to use industry-leading AI-assisted static application security testing (SAST), supply chain dependency scanning (SCA), and secrets detection. The Semgrep AppSec Platform is built for teams that struggle with noise by helping development teams apply secure coding practices.