Semgrep Assistant

Assistant helps AppSec engineers and developers make the correct decisions faster, with less cognitive load. This means users only spend their time and analysis bandwidth on issues that warrant attention.

Auto-triage findings

Semgrep Assistant uses GPT-4's understanding of code, alongside prompts specific to Semgrep rules, to determine when security findings are false positives.

Recommendations include context and reasoning that allow developers to quickly and easily verify the correctness of suggestions/fixes.

Auto-fix code

When Semgrep Assistant identifies a true positive, it recommends an autofix for remediation. Hallucinations are mitigated by secondary prompts that review a diff for various failure modes.

Generated fixes are easy to verify, and helpful for engineers even when they need additional input.

Generate custom rules with natural language

Assistant can write custom rules to find patterns or vulnerabilities specific to your codebase. All you need to provide is one example of "bad code", one example of "good code", and a prompt describing, in plain language, what you want the rule to do.
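As an added illustration (not output from Assistant and not a rule shipped by Semgrep), here is what those three inputs correspond to in a finished Semgrep rule. The rule id, the "bad" example `yaml.load(request.body)` and the "good" example `yaml.load(body, Loader=yaml.SafeLoader)` are all constructed for this page; the prompt in plain language would be "flag yaml.load calls that do not use a safe loader".

```yaml
# Added example, not a rule generated by Assistant or shipped by Semgrep.
# The rule id and the bad/good snippets in the comments are constructed.
rules:
  - id: example-unsafe-yaml-load
    languages: [python]
    severity: ERROR
    message: >-
      yaml.load() without a safe Loader can instantiate arbitrary Python
      objects from untrusted input. Use yaml.safe_load() or pass
      Loader=yaml.SafeLoader.
    patterns:
      # "bad code" example:   data = yaml.load(request.body)
      - pattern: yaml.load($INPUT, ...)
      # "good code" examples: yaml.load(body, Loader=yaml.SafeLoader)
      #                       yaml.load(body, yaml.SafeLoader)
      - pattern-not: yaml.load($INPUT, Loader=yaml.SafeLoader)
      - pattern-not: yaml.load($INPUT, yaml.SafeLoader)
```

The two examples are also what a rule's test file is made of: in Semgrep's convention, a sibling `example-unsafe-yaml-load.py` carries the bad line under a `# ruleid: example-unsafe-yaml-load` comment and the good line under `# ok: example-unsafe-yaml-load`, and `semgrep --test` fails the rule if either annotation disagrees with the actual matches. Keeping that file next to the rule is the cheapest way to verify a generated rule before it reaches a policy.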

Drive awareness of secure coding principles

In addition to reducing the time developers spend sourcing information, the context and explainability Semgrep provides ensures that developers still learn and build their understanding of secure coding practices over time.

Assist developers in 30+ languages

Python, Java, Go, Ruby, JavaScript, TypeScript, PHP, C#, Swift, Kotlin

Developers shouldn't need Stack Overflow and ChatGPT to fix basic security issues

Code review, on-demand

Semgrep Assistant doesn't just generate fixes - it gives developers the information and context needed to understand and verify what's generated, as if they were working alongside a seasoned security engineer.

Auto-fix remediation guidance

Less information gathering and context-switching

Semgrep Assistant recommendations are surfaced to developers via PR comments, so they don't have to keep context-switching in order to fix or triage a finding.

Assistant greatly reduces the amount of information retrieval required in order to understand and fix a security issue.

Drive continuous improvement

A highly customized instance of Semgrep is easily the best code security solution available on the market, and Assistant recommendations make it easy for any team to start creating custom rules, adjusting policies, establishing guardrails, and more.


Data Privacy and Processing

Frequently Asked Questions

OpenAI does not use any of the data Semgrep provides to it for the purpose of improving its services (see Section 3(c) of OpenAI's Terms of Use).

  • Code snippets that are shared with OpenAI are anonymized, and don't identify customer or repository names.

  • Semgrep only shares the amount of code necessary for GPT-4 and our prompts to produce accurate results (10 lines of code surrounding the finding).

  • Semgrep only accesses source code repositories on a per-file basis; we do not need or request org-level access to your codebase.

Since Semgrep Assistant needs temporary access to snippets of your source code in order to function, this expands the scope of the data to which you grant us a limited license (see Section 5.1 of our Subscriber Agreement).

Semgrep Assistant submits the part of the file with the finding, plus 10 lines of surrounding code as context, to OpenAI for processing. OpenAI is not permitted to use the submitted code for any purpose beyond processing that request.

Your source code is only accessed by Semgrep or OpenAI to the limited extent necessary to provide the Semgrep Assistant service to you.

Once Semgrep Assistant's output is generated, Semgrep deletes the code snippets that were shared.

OpenAI retains copies of the content sent to them for a maximum of 30 days for purposes of monitoring abuse, as indicated in their API Data Usage Policies.

Hallucinations in code auto-fixes are mitigated by secondary prompts that review a diff for various failure modes. Information identifying a person or organization is never placed in prompts, so it cannot be leaked through them. The exception is information embedded in your code itself: anything inside the shared snippet (for example, a hardcoded email address or internal hostname) is sent along with the code.

System instructions are placed in Assistant prompts at a higher authority than the code under analysis, and they contain no placeholders into which user-controlled input is interpolated.

Each prompt only contains code snippets from a specific project and customer, so prompt injection cannot expose information across customers and organizations. Injected text can still influence the triage verdict or fix for the project whose code contained it, which is why every recommendation carries its reasoning for a human to verify.

Auto-triage considers prior human triage decisions and reasoning left in triage notes. Auto-fix and auto-triage both follow any custom instructions contained within Semgrep rule messages.

Code analysis at ludicrous speed

Shift left without the developer productivity tax.

Dev Akhawe, Head of Security, Figma

"Figmates get actionable security feedback in their PRs, while rule analytics give security teams feedback on rule effectiveness. The simple [rule] syntax lets us extend Semgrep to catch new patterns, going from idea to live in an hour."