Cutting through the noise

How Glasswall levelled up their static analysis and increased developer confidence with Semgrep


Glasswall is a leading cybersecurity company providing zero-trust file protection through advanced Content Disarm and Reconstruction (CDR) technology. For them, application security isn’t a compliance checkbox; it’s core to the mission. Serving government agencies and security-first enterprises, the company neutralizes file-based threats with surgical precision.

With a team of developers coding primarily in C++, C#, and Python, and a lean security team supporting them, the need for scalable, high-confidence security tooling was urgent. Their existing static application security testing (SAST) setup no longer aligned with the demands of faster-moving development cycles, where the need for transparency and customization was ever growing.

“Confidence in our findings was slipping. We were concerned about the increased false positives. We needed to understand what was being scanned and what was being covered.”
- Gurunatha Reddy, Senior DevSecOps Engineer

The challenge: Signal lost in the noise

Their legacy scanning tools were difficult to manage, producing inconsistent results and lacking transparency in how rules were written or applied. The disjointed experience between the Web UI and CLI further eroded confidence. Over time, the signal from these tools degraded, turning insights into a stream of distractions, unfit for modern software development and unable to scale or adapt to Glasswall’s evolving needs. The security team had to manually triage issues, and when findings were valid, remediation advice lacked clear context.

In a company serving government clients, that kind of ambiguity simply doesn’t fly. The cost of not acting was high:

  • Time lost triaging noisy results

  • Frustrated developers, increasingly tuning out security

  • Manual work item creation

  • Risk of missed vulnerabilities

At the same time, Glasswall’s focus was shifting to an embedded DevSecOps model designed to support rapid, secure development. As Glasswall wanted to step up their DevSecOps program, they began evaluating new solutions, setting out to find a modern alternative that aligned with their evolving AppSec needs.

The turning point: A new approach with Semgrep

Glasswall’s proof of value with Semgrep revealed that modern SAST isn’t just about scanning for issues, it’s about surfacing the right findings, reducing friction, and restoring confidence in secure development.

Semgrep’s standout features mapped almost one-to-one with Glasswall’s core requirements:

  • Cleaner signal-to-noise ratio with contextual results

  • Custom rules written like code, easy to understand and modify

  • Data flow tracking to prioritize what actually mattered

  • AI-powered remediation suggestions, delivered directly in the PR

  • Transparent rule configuration to ensure comprehensive coverage across codebases

The impact was noticeable right away. The results were precise, context-rich, and actionable. Automation took over the tedious parts, and developers could finally focus on fixing real issues instead of sorting through noise.


“The guidance wasn’t just accurate, it was built into our workflow, right where developers needed it. That made all the difference.” 
- Chris Holman, DevSecOps Engineer


Implementation highlights: How Semgrep addressed Glasswall’s needs

To support Glasswall’s fast-paced development environment, Semgrep integrated seamlessly into their CI/CD workflows, enabling the team to:

  • Deliver broad SAST coverage across commonly used languages: C++, C#, and Python

  • Tag components intelligently to support streamlined triage and resolution workflows

  • Support both CLI and Web UI interactions, based on team preferences

  • Reduce DevSecOps maintenance overhead through managed scans


The team primarily interacts with Semgrep via PRs and pipelines, keeping security close to the developer workflow. Monthly product security meetings and real-time feedback loops via Slack and comments in PRs keep priorities aligned across teams. Glasswall is also exploring how integrations with other third-party platforms could further enhance this unified pipeline.

Semgrep platform advantages

  • Built-in contextual analysis that significantly reduces false positives

  • Intelligent component tagging to support more effective prioritization

  • Developer-friendly rule customization; no deep security expertise required

  • Trusted by leading security-conscious and compliance-driven organizations

  • Responsive support, with feature requests actively reviewed and prioritized


Outcomes: Confidence restored

Adopting Semgrep levelled up Glasswall’s AppSec program and increased teams’ confidence in engaging with security. Because teams can customize and create rulesets themselves, Semgrep offers the flexibility to build a truly developer-first experience founded on clarity and trust.

Since deploying Semgrep, the shift has been clear:

  • False positives dropped, helping teams focus on what truly matters

  • Remediation cycles shortened thanks to contextual, in-flow advice that meets engineers where they work

  • DevSecOps reclaimed valuable time through automation and centrally managed scanning

“Success for us means fewer open issues, especially false positives, and faster remediation. Both developers and security engineers now have greater confidence in our shared process.”
- Chris Holman, DevSecOps Engineer


What’s next for Glasswall?

With a solid SAST foundation in place, Glasswall is now looking to:

  • Continue refining rules and ownership tagging for better triage

  • Align on upcoming integrations and roadmap capabilities

“Glasswall would like to consolidate into a single tool for SAST, covering first-party code and third-party code, and Semgrep is the optimal solution for this. Semgrep isn’t just solving today’s problems, it’s positioned for where we’re going.”
- Gurunatha Reddy, Senior DevSecOps Engineer

Conclusion

Glasswall’s transformation wasn’t just about replacing one tool with another. It was about maturing their AppSec program from reactive to streamlined, developer-first, and future-ready.

By adopting Semgrep, they didn’t just reduce false positives. They saved time and enabled developers to move fast without sacrificing safety. In an industry where confidence and clarity are non-negotiable, Semgrep has become a critical partner in Glasswall’s mission to build secure, dependable software.


“We used to spend too much time sorting through noise. Now we focus on what matters and fix issues faster. Semgrep’s AI assistant reduces false positives by distinguishing benign data from actionable risks, giving us the clarity to prioritize with confidence.”
- Gurunatha Reddy, Senior DevSecOps Engineer


This strengthened security foundation not only accelerates internal development, it directly supports Glasswall’s core mission: delivering proactive, resilient solutions to customers who operate in some of the world’s most security-sensitive environments. With better tooling, greater alignment, and a trusted partner in Semgrep, Glasswall is better equipped to protect its customers from emerging threats while continuing to innovate with confidence.

About

Semgrep enables teams to use industry-leading AI-assisted static application security testing (SAST), supply chain dependency scanning (SCA), and secrets detection. The Semgrep AppSec Platform is built for teams that struggle with noise by helping development teams apply secure coding practices.