Semgrep

What if every security alert hitting your developers' desk was a guaranteed hit?  Ari Kalfus, Senior Manager of Product Security at DigitalOcean, shares how they use custom Semgrep rules to build secure-by-default guardrails. By combining automated migrations with precise policies, they’ve reached the ultimate AppSec goal: delivering only true positives to their engineering teams. #AppSec #SecureCode

ID verification is rapidly shifting from a “nice to have” feature to a regulatory requirement, especially across EMEA. But as platforms rush to comply, new security and privacy risks are emerging. In the next episode of Security Rulez, Dr. Katie Paxton-Fear (@Insiderphd)  is joined by Akira Brand to explore the growing tension between identity verification, compliance, and user privacy. Together, they’ll discuss: 🔵The risks of third-party verification providers 🔵What “privacy by design” actually looks like in practice 🔵How organizations can minimize harm while meeting regulatory demands. 📆 March 31 🕛 8:00 AM PT / 3:00 PM UTC Register now👇 semgrep.dev/events/securit…

AI is shaping how most code gets written. And no human is reviewing most of it. That exposes a brutal truth: legacy AppSec tools were designed for a world where developers wrote and read every line. But when code ships from prompts written in Cursor, Windsurf or Claude Code, the old playbook breaks. Semgrep is addressing this with a Semgrep Multimodal, merging deterministic analysis with LLM reasoning.👇

Today, we are introducing Semgrep Multimodal. We’ve combined rule-based analysis that is fast and consistent at identifying OWASP Top 10 issues like SQLi and XSS with AI reasoning to catch business logic flaws like IDOR, Broken Auth, and more. What our early customer trials observed: - 8x more true positives - 50% fewer false positives Semgrep Multimodal is available on Semgrep accounts to try for yourself. Let us know what you find. semgrep.dev/blog/2026/atta…

To kick off the industry's biggest week, we’re hosting a launch party and sharing a sneak peek of what we’re unveiling at RSA. Good food. Smart people. And a first look at what’s coming. 🚀 We’ll share more on March 23rd. semgrep.dev/events/rsa-kic…

AppSec is behind.  AI has changed how software gets built almost overnight. Security? Still catching up, and that gap is about to get a lot more obvious. At #RSA this year, we’re not just talking about it, we’re showing what the new standard actually looks like.

Semgrep is the leader in code security for builders. During RSA we'll be hosting a series of Lunch & Learn sessions, technical workshops, and sessions with analysts and partners including Palo Alto Networks, ArmorCode, and StackHawk. We'll be serving up fresh espresso drinks from Hedge Coffee Roasters, build your own RSA survival kits and candy bar, and access to the Zero Trust Club for premium show swag. Be sure to drop by for (good) lunch, to recharge from the conference, and to hear perspectives from your security peers. Pre-registration for security is required: semgrep.dev/events/rsa-bui…

We’re excited to sponsor the OWASP Denver Monthly Chapter Meetup tomorrow, March 18th! 🤝 Join us for an evening of food, networking, and a session from Kurt Boberg, “MCP LFI in 60 Minutes (or Your Money Back),” exploring the security implications of the Model Context Protocol and why it’s worth paying attention to now. We’ll also be raffling off an R2-D2 LEGO set to one lucky attendee! If you’re in the area, come spend the evening with the local security community. Learn more 👇 meetup.com/owasp-denver-c…

Most AI-generated code fixes lack the context to be trustworthy. They don't know your codebase, your dependencies, or how a change ripples across your system. Semgrep Autofix takes a different approach. It uses the Semgrep Pro engine to perform static analysis on both your first-party code and the third-party package, then sends that grounded context to an LLM to produce the fix. The AI isn't guessing. It's working from deterministic analysis of what your code actually calls and what actually changed between versions. The result: fix suggestions developers can review with confidence, not rewrite from scratch.

PowerShell runs a lot of Windows infrastructure. How are you checking these deployment scripts, GPO automation, IT tooling, etc? Like most scripts, they can get a little, well to quote a security expert: "sketchy". PowerShell isn’t just automation glue. It’s also a common attacker tool. That’s one reason we’re excited that Semgrep added beta support for PowerShell with parsing and pattern matching. Update to Semgrep v1.155.0 and give it a try. PowerShell is powerFul. That’s why both admins and attackers rely on it. Semgrep can help you secure it.

Is your AppSec team scaling at the speed of AI, or are they still running on human-only hours? 🛡️ The timing is critical for two reasons.👇

Next week, the WOMEN IN SECURITY Documentary directed by Yvette Freeman, premieres at RSAC in San Francisco, and Semgrep is honored to be a sponsor. This powerful film highlights the women redefining leadership, innovation, and impact across the cybersecurity industry. We'd love for you to join us for an evening of storytelling, community, and inspiration. 📆 Tuesday, March 24 & Wednesday, March 25 🕜 4:00 – 6:00 PM 📍 AMC Metreon 16 | San Francisco Register to attend here 👇 linkedin.com/events/7432118…

Security tooling has gotten good at finding vulnerabilities. Fixing them is still the bottleneck. Researching library impacts, understanding breaking changes, identifying the safest upgrade path. That cognitive load is why dependency upgrades stall and security debt accumulates. Semgrep Autofix (now in public beta) tackles this directly. For supply chain findings, Upgrade Guidance analyzes how your code uses a package and what changed between versions, then tells developers which upgrades are safe and which have breaking changes, down to the function level. Less research. Faster patches. Lower risk. semgrep.dev/blog/2026/semg…

Join Rick Harp on March 18 at 8:00 AM PT / 3:00 PM UTC for a hands-on workshop on AI Detection.  This technical session will walk through how Semgrep supports real engineering workflows with: • Detection for complex vulnerability classes • Context-aware prioritization • AI-assisted remediation • Upgrade Guidance for safer dependency updates Demo-driven and practical, with a focus on reducing false positives and accelerating remediation.  Save your seat👉 semgrep.dev/events/hands-o…

From Denver to San Francisco, we have a packed schedule of meetups, tournaments, and launches. Here is where you can find the Semgrep team this week: March 18 | OWASP Denver Monthly Meetup: Join Staff Security Researcher Kurt Boberg in Denver for the local chapter monthly meeting. March 19 | Brews for Builders (Virtual): A virtual coffee tasting experience designed for our EMEA community. March 19 | Fortinet Founders Cup: We’re joining Cloudflare in Menlo Park for this year’s tournament. March 21 | BSidesSF & RSAC 2026: The Semgrep team in San Francisco is ready for one of the biggest weeks in security. View full event details and register to attend here👇 semgrep.dev/events

Security is an engineering problem, not just a compliance checkbox. When you provide developers with context-aware remediation at the PR level, you're doing more than just patching a bug, you're preventing security debt from accumulating. By shifting security into the active development cycle, you move from reactive "firefighting" to a proactive Secure by Design posture: 🔵 Actionable Intelligence: Replace generic vulnerability descriptions with language-specific, parameterized code fixes that developers can apply instantly. 🔵 Optimized MTTR: Surfacing findings directly in the IDE or PR reduces the Mean Time to Remediate (MTTR), ensuring vulnerabilities never reach the main branch. 🔵 Reduced Attack Surface: Integrating deterministic guardrails ensures that common vectors are mitigated from the very first line of code. The result is a resilient product architecture that satisfies both engineering teams and customer trust. Stop treating security as a final hurdle. Start treating it as a developer superpower. See how Semgrep enables secure engineering at scale👇 semgrep.dev/products/semgr…

Open source is the backbone of modern development, but "free" isn’t always without cost. 🛡️ Our blog post explores the tension between chaos and collaboration in the OSS ecosystem and what it really takes to secure the software we all rely on. Read the full story here: 👇 semgrep.dev/blog/2026/open…

Semgrep is now available as a Cursor & Claude Code Plugin! As developers shift toward agentic engineering, the security primitives required to build software safely are changing. Agents now operate with more autonomy, privileged access, and less human supervision than ever before. Without the right guardrails, an explosion of vulnerabilities is inevitable. This is where Semgrep makes a significant impact. By integrating directly into Cursor, we detect and prevent vulnerabilities before code ever leaves a developer's laptop. Everything you need for secure code generation, now in one click. Read more👇 semgrep.dev/solutions/secu…

Lunch & Learns are great for ideas. Technical workshops are where you make them real. During BSidesSF and RSA security week, we’re running workshops a block from Moscone. Bring a laptop and dig in with the Semgrep team as we work through real security problems together, including: • Responding to emergent supply chain threats • Finding logic flaws and broken auth with AI-powered multimodal detection • Vibe coding and the AI security primer, from MCP to mad skills.md These sessions are for builders who want to see the tools work and try them firsthand. Seats are limited. Grab a spot and come build with us. semgrep.dev/events/rsac-20…

Sending developers "vulnerabilities" that aren't even reachable is a fast way to lose their trust. Traditional dependency scanners flag everything in your manifest, forcing developers to waste days patching issues that pose zero actual risk. It causes alert fatigue and destroys AppSec credibility. And that’s not a good look. Semgrep Supply Chain removes this friction using Code-Aware Reachability Analysis. As it scans the manifest, it also traces the data flow to prove if your code actually calls the vulnerable function. If it’s unreachable, it’s filtered out. See how: 👇 semgrep.dev/products/semgr…