The security team at Vanta is responsible for all aspects of information security, including application security. Like in most organizations, the security team at Vanta faces bandwidth constraints. The security team's goal is to partner with the development team so that developers are empowered to fix vulnerabilities rather than the security team needing to fix them on their own.
Challenges before using Semgrep
SAST tools generally struggle with a high volume of false positives because they find generic security issues. Customizing rules is essential in SAST because the security team can find issues specific to the organization’s code base. All the SAST tools that Vanta used before Semgrep were not easily customizable or were opaque. These challenges led to such tools not being widely adopted by Vanta because the security team could not trust their results. For detecting open source library issues (SCA), Vanta found that most tools are not tightly integrated with the developer workflow (i.e., developers had to go through multiple steps to notice and fix an issue) or had enormous amounts of false positives. Vanta’s security team was searching for a new security solution to remediate its challenges.
Cutting through the noise with Semgrep
When Semgrep Supply Chain was launched in 2022, Vanta quickly realized the value of reachability analysis. Most SCA tools flag code as vulnerable if the code is using a vulnerable open source library. Semgrep Supply Chain goes a step further and tags a vulnerability as reachable if the application code uses a vulnerable method within a vulnerable open source library. Otherwise, Semgrep Supply Chain tags the vulnerability as unreachable. Reachability analysis helped Vanta filter out the hundreds of noisy, unreachable findings (since only a handful of the vulnerabilities are actually reachable) and instead spend time triaging the reachable vulnerabilities. Vanta found and fixed two reachable vulnerabilities in their code, which would not have been possible without Semgrep Supply Chain.
I became an advocate of Semgrep when we found an open source package where the vulnerability actually affected us in an exploitable way, and we would have otherwise missed it as part of the sea of noise in other tools.
The ease of customization was what caught Vanta’s attention with Semgrep Code. The findings that Semgrep surfaces are transparent and easy to understand. If the security team or developers find a false positive issue, they can easily tweak the corresponding rule and find true positives (i.e., security issues specific to their code). Vanta’s team also uses the Pro Engine’s interfile taint analysis to catch vulnerabilities that have the source and sink in different files. The security team also uses Policies to handle findings from different rules with different workflows. Some very high signal rules might block a pull request, but others just leave a comment, for example.). The result is that the security team surfaces only high-confidence findings to developers.
Semgrep is tightly integrated into Vanta’s developer workflow. Developers can see Semgrep findings as a part of their pull requests, making them aware of security issues and able to implement secure coding practices efficiently. With the VS Code extension now generally available, Vanta is looking to truly shift left with Semgrep.
Semgrep is a fast, open-source, code scanning tool for finding bugs, detecting dependency vulnerabilities, and enforcing code standards.