How ICE Services, a Global Music Rights Platform, Gained Full Code Visibility and Developer Trust

Enabled transparent, developer-friendly security workflows, reduced false positives and audit friction with reachability insights, and built trust between security and engineering through a step-wise rollout


At a Glance

  • Customer: ICE Services (global music rights & royalty processing platform)

  • Industry: Media, Entertainment, SaaS

  • Challenge: Fragmented tools, poor coverage, lack of visibility, high noise, and no scalable AppSec foundation

  • Solution: Semgrep Code, Semgrep Secrets, Semgrep Supply Chain

Impact

  • Consolidated 550 repositories → under 300 active repos

  • Achieved 98% scanning coverage across engineering codebase

  • Enabled transparent, developer-friendly security workflows

  • Reduced false positives and audit friction with reachability insights

  • Built trust between security and engineering teams through step-wise rollout


ICE Services operates a global platform that processes and manages music rights and royalty data for publishers, creators, and industry partners worldwide. At the core of the business is a complex application responsible for data correlation, financial mapping, and payments at scale.

As the platform and engineering organization grew, ICE recognized the need to intentionally build a dedicated security function, with application security as a foundational capability, and maintaining a clear understanding of risk across the codebase became increasingly important.

When Neil joined ICE Services three years ago, he stepped into a company with ambitious growth plans and a rapidly expanding engineering footprint. ICE’s platform powers global music rights and royalty processing, a system relied on by publishers, creators, and industry partners worldwide.

As the engineering organization grew, Neil saw a clear opportunity to build a dedicated security function that could scale with the company, with Application Security at its core. This was not about correcting past decisions. It was about building the foundation the business now needed.

A maturing codebase ready for deeper visibility

ICE’s platform had been shaped by years of iteration. New services were introduced, older ones were maintained or retired, and teams contributed in multiple languages including a substantial amount of Scala.

The engineering organization was strong and evolving quickly. To support this growth, Neil and Greg, the Application Security Lead, aligned on three priorities:

  • Achieve visibility across the entire repository landscape

  • Focus on real, actionable risk with clear prioritization

  • Integrate AppSec directly into developer workflows without slowing delivery

Neil described the philosophy clearly: “Our goal was not to bolt on security. It was to build a foundation that would support ICE for years to come.”

Why Semgrep was the right fit for how ICE builds software

Greg had been following Semgrep’s progress and understood how closely it aligned with ICE’s engineering culture. Semgrep provided:

  • Precise, low-noise findings

  • Broad language support including native support for Scala

  • A developer-first workflow with findings shown directly in pull requests

  • A pricing model that made it feasible to scan the entire engineering footprint

It did not feel like another scanner. It felt like a practical way to embed security into everyday development. As Greg said: “Semgrep felt practical. It fit how our engineers already worked.”

Visibility first, then action through a measured rollout

ICE introduced Semgrep intentionally. Instead of starting with enforcement, they began in monitor mode across the entire engineering environment. Engineers saw issues appear naturally in their pull requests, but nothing broke. No gates were triggered. No workflows were disrupted.

This early visibility gave ICE the clarity it needed to understand which repositories were active, which were legacy, and which could be retired. With that picture in hand, ICE reduced its repository footprint from more than 550 to under 300 active repositories, significantly lowering its overall attack surface.

This was not a cleanup effort. It was strategic alignment that created a more maintainable foundation for both engineering and security.

Neil summarized the impact: “Semgrep helped us understand our environment in a way we simply could not before.”

Security that developers trust

As the team grew more comfortable with Semgrep, Greg shifted from visibility to collaboration. High-confidence findings began surfacing directly in pull requests with clear context that developers found useful.

Developers did not need to learn a new system or interpret vague alerts. Security became part of the natural code review process.

Greg described the shift: “It felt like having another reviewer on the PRs, not a blocker but a partner.”

Because the rollout was gradual and predictable, trust grew quickly. Security was no longer a separate process. It became part of how ICE built software.

Fast and confident answers when it mattered most

During a period when a compromised NPM package raised concerns across the industry, ICE leadership asked an important question: “Are we exposed?”

Traditionally, answering that question would require hours of manual investigation.

With Semgrep’s supply chain and reachability insights, Greg had the answer in minutes. ICE was not affected.

For Neil, this moment validated the direction of the AppSec program: “Being able to answer leadership quickly with confidence and evidence is exactly the capability we set out to build.”

Better conversations during audits

Semgrep also strengthened ICE’s approach to third-party audits. Auditors continued to flag potential issues, but with Semgrep’s contextual insights, ICE could immediately determine whether a vulnerability was reachable, relevant, or linked to unused dependencies.

This did not downplay risk. It clarified it. ICE could prioritize correctly and communicate with precision. Greg put it simply: “Semgrep gave us the context we needed to make good decisions.”
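The "Are we exposed?" question above and the audit triage described in this section both come down to the same two checks: is the affected package version actually installed, and is it actually used by the code? The following script is an added illustration of that triage logic, not Semgrep's implementation and not ICE's code. It uses a constructed npm lockfile, constructed source files, and constructed advisory entries (the package names and versions are placeholders, not real advisories), and it approximates "reachability" as "the package is imported somewhere", which is far cruder than a real call-graph analysis but shows why an installed-but-unused dependency is a different conversation from a reachable one.

```python
"""Toy dependency-exposure triage (constructed example).

Answers, for each advisory: is the bad version in the lockfile, and if so,
does any source file import the package? Everything below is constructed
sample data; no real package advisories are referenced.
"""
import json
import re

# Constructed npm lockfile (lockfileVersion 3 'packages' layout), not real data.
SAMPLE_LOCKFILE = json.dumps({
    "name": "royalty-service",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"widget-formatter": "5.3.0", "string-padder": "1.3.0"}},
        "node_modules/widget-formatter": {"version": "5.3.0"},
        "node_modules/string-padder": {"version": "1.3.0"},
        # Declared as a dev dependency but never imported by any source file.
        "node_modules/unused-util": {"version": "4.17.21", "dev": True},
    },
})

# Constructed source files: path -> contents.
SAMPLE_SOURCES = {
    "src/format.js": "import fmt from 'widget-formatter';\nexport const ok = (s) => fmt.green(s);\n",
    "src/pad.js": "const pad = require('string-padder');\nmodule.exports = (s) => pad(s, 10);\n",
    "src/local.js": "import { ok } from './format';\n",
}

# Constructed advisory list: package -> set of affected versions (placeholders).
SAMPLE_ADVISORIES = {
    "string-padder": {"1.3.0"},      # installed and imported -> reachable
    "unused-util": {"4.17.21"},      # installed but never imported
    "pkg-not-here": {"2.0.0"},       # not installed at all
}

# Matches `import 'x'`, `from 'x'` and `require('x')` specifiers.
IMPORT_RE = re.compile(r"""(?:import\s+|from\s+|require\(\s*)['"]([^'"]+)['"]""")


def installed_versions(lockfile_text):
    """Map package name -> installed version from the lockfile's 'packages' section."""
    data = json.loads(lockfile_text)
    versions = {}
    for path, meta in data.get("packages", {}).items():
        if not path.startswith("node_modules/"):
            continue  # the "" entry is the root project, not a dependency
        name = path.rsplit("node_modules/", 1)[1]  # also handles nested node_modules
        versions[name] = meta.get("version")
    return versions


def imported_packages(sources):
    """Set of package names referenced by import/require across the given files."""
    found = set()
    for content in sources.values():
        for spec in IMPORT_RE.findall(content):
            if spec.startswith("."):
                continue  # relative import of local code, not a package
            parts = spec.split("/")
            # Scoped packages keep their '@scope/name' prefix; others use the first segment.
            name = "/".join(parts[:2]) if spec.startswith("@") else parts[0]
            found.add(name)
    return found


def assess_exposure(lockfile_text, sources, advisories):
    """Return {package: status} where status is one of
    'not-installed', 'installed-unreachable' or 'installed-reachable'."""
    versions = installed_versions(lockfile_text)
    imports = imported_packages(sources)
    result = {}
    for pkg, bad_versions in advisories.items():
        installed = versions.get(pkg)
        if installed is None or installed not in bad_versions:
            result[pkg] = "not-installed"
        elif pkg in imports:
            result[pkg] = "installed-reachable"
        else:
            result[pkg] = "installed-unreachable"
    return result


if __name__ == "__main__":
    for pkg, status in assess_exposure(SAMPLE_LOCKFILE, SAMPLE_SOURCES, SAMPLE_ADVISORIES).items():
        print(f"{pkg}: {status}")
```

Only the `installed-reachable` case would have warranted an urgent response in the scenario the section describes; the `installed-unreachable` case is the kind of finding the audit discussion above treats as linked to an unused dependency, still worth removing but not an emergency. A production tool would replace the import regex with real dependency and call-graph analysis and would also walk transitive dependencies, which this toy deliberately omits.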

A small team with amplified impact

With Semgrep, ICE’s lean AppSec team can now:

  • Continuously scan nearly all active repositories

  • Surface accurate and actionable findings inside pull requests

  • Maintain visibility into third-party and license exposure

  • Prepare clean SBOM data for compliance

  • Respond to ecosystem vulnerabilities in minutes

Semgrep did not add overhead or complexity. It increased capability.

Looking ahead: Keeping critical issues out of production

ICE is now working toward a Zero Critical Software benchmark. This standard emphasizes awareness, governance, and prevention while keeping developer workflows fast and efficient.

Their roadmap includes:

  • Stronger policies for third-party and open-source components

  • Smarter gating for high-risk issues

  • Expanded reporting for leadership and compliance teams

  • Continued partnership between engineering and security

The foundation is set. The culture is aligned. The system is working. As Neil reflects on the journey, he captures it best: “Semgrep did not just help us find issues. It helped us build the security program we always intended to have.”

About


Semgrep enables teams to use industry-leading AI-assisted static application security testing (SAST), supply chain dependency scanning (SCA), and secrets detection. The Semgrep AppSec Platform is built for teams that struggle with noise by helping development teams apply secure coding practices.