Semgrep

2.4K posts

Semgrep

@semgrep

A fast, open-source, static analysis tool for profoundly improving software security and reliability.

only on your local machine · Joined May 2019
204 Following · 4.3K Followers

Semgrep @semgrep
Heading to #AWSSummit LA? We want to see you there 👋 Stop by Booth #241 to meet the Semgrep team, catch live demos, grab some swag, and talk all things AppSec and cloud security. Then after the summit, join Semgrep and ArmorCode for our Sunset Social at Golden Hour LA. We’re bringing together the security community for rooftop views, craft cocktails, light bites, and great conversation above Downtown LA after a full day at AWS Summit. 📍 Golden Hour LA 📅 Tuesday, June 10 🕕 6:00 PM Spots are limited. Register here to save your seat 👉 semgrep.dev/events/sunset-…

Semgrep @semgrep
Most AppSec teams are stuck choosing between deterministic scanners (precise but noisy) and AI-only tools (fast but unauditable). Semgrep combines both. 🌀 Join us May 28th to see how multimodal detection surfaces IDOR, broken auth, and workflow abuse that neither approach catches alone. Free. Live. Save your seat here👇 semgrep.dev/events/finding…

Semgrep @semgrep
3️⃣ Automate remediation: Enable Autofix to automatically generate fix PRs for SAST and SCA findings. 4️⃣ Accelerate your scans: Run your next codebase scan with up to 50% faster execution speeds out of the box.

Semgrep @semgrep
With more code being written by AI agents than by humans, and an attacker landscape that is moving faster than traditional security tooling was designed to handle, AppSec teams are facing an unprecedented challenge. There are four steps that you can take to prepare for a world of Mythos👇

Semgrep @semgrep
The volume of AI-generated code has already outpaced what PR scans were designed to handle. By the time a vulnerability surfaces at review, it's already in your codebase history. Today, we're launching Semgrep Guardian to fix that. Install it directly into Claude Code, Cursor, Codex, Replit, and more to scan every file at the moment it's written, before it ever reaches a pull request. Your security policies are enforced at the point of code generation, automatically. Five minutes to set up and secure forever. Learn more now👇 semgrep.dev/blog/2026/gett…

Semgrep @semgrep
Supply chain rules deployed for the latest wave of Mini Shai-Hulud that resurfaced in maintainer’s @antv, timeago, and size-sensor npm packages. We will extend the advisory to new packages as the worm continues to spread to other maintainers.

Semgrep @semgrep
Scanners catch known vulnerability classes. But business-logic flaws, org-specific patterns, and context-dependent issues don't fit predefined rules. Teams are reaching for LLMs to close the gap, but LLMs alone are unreliable for code security. Semgrep Workflows combines deterministic code analysis with AI in pipelines your team controls. Define steps in Python, call any tool in the Semgrep library (or your own), and deploy at scale. See how it works here👇

Semgrep @semgrep
Should AppSec engineers still learn how to code in the age of AI? 👀 And how do leaders mentor junior engineers when AI can already write large portions of code? In this Security Rulez session, Dr. Katie Paxton-Fear (@InsiderPhd) and Lyft Tech Lead Anshuman Bhartiya share practical insights and strong opinions on how AppSec teams should adapt. 📆 May 20 | 8:00 AM PT / 4:00 PM UTC Register now👉 semgrep.dev/events/securit… #CyberSecurity #AppSec #AI #EngineeringLeadership

Semgrep @semgrep
Malicious node-ipc package. If your applications use client/server messaging, inter-process communication between mobile/desktop and web services, or orchestrate messaging and workflows, you should verify your CI/CD builds haven't pulled down the package today. This package is Wikipedia-infamous for its peacenotwar dependency in 2022, which attacked any IP addresses originating from Belarus and Russia. To check your projects at scale and for additional remediation steps: semgrep.dev/blog/2026/not-…

Semgrep @semgrep
How much time does your security team waste re-explaining the same context to your security scanner every single week? 👀 Yeah, we know... We analyzed thousands of user-managed memories to understand what context teams are encoding. When we clustered the full set of platform memories by goal, two categories represent nearly half (47.5%) of all the context security teams are adding to their SAST scanners:
🔵 Non-production environments (25.6%): Letting the scanner know that findings in test scripts or local dev tools aren't production risks.
🔵 Framework protections (21.9%): Accounting for security controls that your middleware or ORM already handles.
With Semgrep Memories, instead of manually dismissing the same patterns over and over during triage, you encode the logic once and let the AI apply that context at scale. Imagine all the time you can save in all future scans. Dive deeper👇 semgrep.dev/blog/2026/insi…

Semgrep @semgrep
Semgrep CLI and editor plugins surface issues while you're writing code. In this example, Semgrep immediately flagged this vulnerability in the developer's IDE. You don't need to wait for a scan at the end of the pipeline to catch issues like this. Try writing and testing your own rules in the Semgrep Playground 👇 semgrep.dev/playground/

Semgrep @semgrep
A Mini Shai-Hulud-style supply chain attack is hitting TanStack Router and dozens of npm packages. Semgrep researchers found encrypted credential exfiltration, persistence mechanisms, and a dead man’s switch: IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner. Details as new information is learned about how it works: semgrep.dev/blog/2026/tans…

Semgrep @semgrep
Why do most agent skills fail? Most skills fail for the same reason: they’re written like documentation rather than decision support. After building and testing hundreds of them, we’ve identified several tips that consistently separate the skills agents apply reliably from the ones they ignore or misapply:
1. Keep the scope tight
2. Provide concrete examples
3. Encode decision logic
4. Reference specific frameworks and languages
5. Explain what to do, not what to avoid
6. Learn from existing collections like github.com/semgrep/skills
Check out the full guide to learn how to write skills that make your AI-generated code more secure. 👇 semgrep.dev/blog/2026/secu…

Semgrep @semgrep
This single Semgrep rule caught a command injection issue in a Node.js snippet. Now scale that across:
- thousands of community rules
- Pro rules maintained by security researchers
- your own custom rules tailored to your codebase
Semgrep supports 35+ languages and fits directly into your dev workflow to catch known vulnerable patterns early. You can also write and test your own rules in minutes using the Semgrep Playground 👇 semgrep.dev/playground/
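A Semgrep rule of the kind the post describes, added here as an example (it is not the rule shown in the post's image and not a rule from Semgrep's registry): a taint-mode rule that flags Express request data flowing into Node.js child_process exec(). The rule id, the message text and the validateHostname sanitizer are assumed names.

```yaml
# Added example: a Semgrep taint-mode rule for Node.js command injection,
# constructed for illustration; rule id, message and sanitizer name are assumptions.
rules:
  - id: nodejs-express-child-process-exec-injection
    languages: [javascript, typescript]
    severity: ERROR
    mode: taint
    message: >-
      Request-controlled data reaches child_process exec(), which runs the
      command string through a shell (OS command injection). Pass arguments
      as an array to execFile()/spawn() so no shell parses the input.
    metadata:
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"
      category: security
    # Sources: anything an HTTP client controls in an Express handler.
    pattern-sources:
      - pattern-either:
          - pattern: req.query
          - pattern: req.body
          - pattern: req.params
    # Sinks: only the command-string argument of the shell-backed exec APIs.
    pattern-sinks:
      - patterns:
          - pattern-either:
              - pattern: $CP.exec($CMD, ...)
              - pattern: $CP.execSync($CMD, ...)
              - pattern: exec($CMD, ...)
              - pattern: execSync($CMD, ...)
          - focus-metavariable: $CMD
    # Sanitizer: a hypothetical allow-list validator (assumed name); even with
    # it, execFile() with an argv array is the preferred fix.
    pattern-sanitizers:
      - pattern: validateHostname(...)

# Constructed snippets showing what the rule does and does not flag:
#
#   // FLAGGED: req.query.host is concatenated into a shell command string
#   const { exec } = require("child_process");
#   app.get("/ping", (req, res) => {
#     exec("ping -c 1 " + req.query.host, (err, out) => res.send(out));
#   });
#
#   // NOT FLAGGED: argv array and no shell, so the input cannot add operators
#   const { execFile } = require("child_process");
#   app.get("/ping", (req, res) => {
#     execFile("ping", ["-c", "1", req.query.host], (err, out) => res.send(out));
#   });
```

Save the rule as a .yaml file and run `semgrep --config rule.yaml .` against the snippets to see only the exec() call reported.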

Semgrep @semgrep
Where does your security or code program actually stand? If you aren't tracking these metrics, you might be flying blind. Here is what your team should be taking into consideration 👇

Semgrep @semgrep
AI is already scanning code, reviewing pull requests, and generating fixes. So where does that leave AppSec engineers? 👀 In our next Security Rulez session, Dr. Katie Paxton-Fear (@InsiderPhD) sits down with Lyft Tech Lead Anshuman Bhartiya to explore how the role of AppSec is evolving in an AI-driven world and what engineers should focus on next. 📆 May 20 🕛 8:00 AM PT / 4:00 PM UTC Register now to join the conversation 👉 semgrep.dev/events/securit… #AppSec #CyberSecurity #AI #DevSecOps

Semgrep @semgrep
London gave us a clear signal last week.🇬🇧 Across our EMEA Customer Advisory Board (CAB) and AWS Summit London, one theme kept coming up: How do we make security seamless in the SDLC without slowing developers down? At our EMEA CAB, we had candid conversations with customer champions across EMEA around product direction, AI, developer workflows, and what modern AppSec teams need next. At the AWS Summit London, the conversations reinforced the same points.
✅ Teams want speed.
✅ They want security integrated where developers already work.
✅ They need to secure AI-generated code.
✅ And they are done dealing with noisy tools.
The opportunity is clear: build security that developers trust, AppSec teams can rely on, and modern software teams can move fast with. Read the complete blog for all the insights 👉 semgrep.dev/blog/2026/apps…

Semgrep @semgrep
How should AppSec teams think about Mythos? AppSec teams should know that attackers will use models like Mythos to find 0-days as quickly as possible. But if your team is already drowning in vulnerability noise, simply adding a new AI "bug finder" isn't helpful; it just pads the backlog. You need a way to prioritize and fix, not just detect. Fixing bugs is only half the battle. The future of AppSec isn't just about remediation, it’s about writing secure code from the start. That’s what we are building. Check out the full article to see how we're closing the gap with Mythos 👇 semgrep.dev/blog/2026/myth…