Semgrep (@semgrep)

2.4K posts

A fast, open-source, static analysis tool for profoundly improving software security and reliability.

Location: only on your local machine · Joined May 2019
202 Following · 4.2K Followers
Semgrep (@semgrep):
The way we build code is changing fast. Whether your team is pair programming with AI, shipping from the browser with platforms like Replit, or using tools like Cursor, the development experience has never felt more fluid. AI-assisted coding moves at light speed. Without guardrails baked into your workflow, vulnerabilities slip through: obvious mistakes like hardcoded secrets, insecure patterns, and outdated dependencies. That's where Semgrep Plugins help. Connect MCP with your favorite AI coding assistant like Cursor, Claude, VS Code, or Windsurf and find vulnerabilities as you code with over 5000 Semgrep rules. Try it now 👇 github.com/semgrep/semgre…
Semgrep (@semgrep):
Last chance to register for our live SAST vs. DAST debate! 🚨 Sign up now 👉 semgrep.dev/events/securit… In April’s Security Rulez episode, Dr. Katie Paxton-Fear (@InsiderPhD) and Alexandra Charikova will face off over modern pipelines, faster development cycles, and AI-driven change – and how they’re reshaping the role of security testing. Join us for a candid discussion on what still matters, what is changing, and where AppSec may be heading next…
Semgrep (@semgrep):
The TeamPCP supply chain campaign that began with Trivy in March has now reached Checkmarx's Docker images, VS Code extensions, and Bitwarden CLI. "Attackers Are Still Coming for Security Companies. Here's Where We Stand." Our latest post explains what happened, what we do ourselves, and what you should do to protect yourself. semgrep.dev/blog/2026/atta…
Semgrep (@semgrep):
Are you using Angular's bypassSecurityTrust* methods? If untrusted user input flows into bypassSecurityTrustHtml(), bypassSecurityTrustUrl(), or similar functions, you've got a critical XSS vulnerability waiting to happen. Scan your codebase for this pattern using Semgrep rules: `semgrep scan --config angular-domsanitizer.yaml src/` 👉 github.com/semgrep/semgre…
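To make the detection concrete, here is a Semgrep rule written for this page as an added example; it is not the `angular-domsanitizer.yaml` file the post links to, and the rule id is an assumption. It reports every call to one of the five DomSanitizer bypass methods unless the argument is a plain string literal, on the reasoning that a literal cannot carry request data, while a variable, template literal, or expression might.

```yaml
rules:
  - id: angular-bypasssecuritytrust-non-literal-argument   # hypothetical rule id, not a registry rule
    languages: [typescript, javascript]
    severity: ERROR
    message: >-
      $METHOD() is called with a value that is not a string literal. Angular's
      DomSanitizer.bypassSecurityTrust* methods switch the sanitizer off for that
      value, so any attacker-controlled data that reaches it is rendered unescaped
      (XSS). Prefer DomSanitizer.sanitize(SecurityContext.HTML, value), or restrict
      the argument to constants the application owns.
    metadata:
      category: security
      cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
      confidence: MEDIUM
    patterns:
      # Any single-argument method call on any receiver (this.sanitizer, an injected
      # service, a local variable) whose method name is one of the bypass methods.
      - pattern: $SANITIZER.$METHOD($ARG)
      - metavariable-regex:
          metavariable: $METHOD
          regex: ^bypassSecurityTrust(Html|Style|Script|Url|ResourceUrl)$
      # A bare string literal is constant and cannot carry runtime input, so it is
      # not reported. Template literals with interpolation do not match "..." and
      # therefore still are reported.
      - pattern-not: $SANITIZER.$METHOD("...")
```

With this rule, `this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.queryParams['banner'])` is reported and `this.sanitizer.bypassSecurityTrustResourceUrl("https://example.invalid/embed")` is not. Check the file parses with `semgrep --validate --config <file>`, and keep a `.ts` file of true and false positives annotated with `// ruleid:` and `// ok:` comments so `semgrep --test` catches regressions when the pattern is tightened later.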
Semgrep (@semgrep):
What if upgrading and securing your codebase could happen automatically? In this hands-on workshop, we’ll walk through how Semgrep uses deep code understanding and AI to: 🟢 Identify upgrade opportunities 🟢 Recommend targeted fixes 🟢 Automatically remediate issues at scale Join us live on April 29. 📅 8AM PT / 4PM UTC Register here 👉semgrep.dev/events/hands-o…
Semgrep (@semgrep):
Give your AppSec team some time back. Semgrep Multimodal combines AI reasoning with rule-based analysis for detection, triage, and remediation. See how we make this possible for your team 👇 semgrep.dev/products/semgr…
Semgrep (@semgrep):
A few NPM packages used in agentic AI workflows were compromised to run malicious payloads with a postinstall hook.
* pgserve is used to embed a PostgreSQL server, which can be used for integration testing and local development; with pgvector built in, it is also used for AI applications that need AI agent memory or RAG.
* @automagik/genie is used to dispatch parallel agents with a shared context and compose workflows.
Find a new rule added from Semgrep Advisories to check whether or not you have used these packages in your codebase: semgrep.dev/login?return_p…
Semgrep (@semgrep):
One of the biggest takeaways from our latest workshop, 'Responding to Emergent Supply Chain Threats with Semgrep,' presented by Mehdi Mhamedi: Your CI isn't just a pipeline. It’s part of your attack surface. We need to start treating it with the same level of security as a production environment because it’s becoming a massive threat vector. Check out his tips here 👇
Semgrep (@semgrep):
Excited to see that the @Replit Security Agent, powered by Semgrep, is now available. Replit's Security Agent is a great example of what's possible when you pair the contextual reasoning of LLMs with the determinism and program analysis capabilities of Semgrep. We're excited to see this combination in the hands of the builder community.
Quoted post from Replit (@Replit):

Meet Replit Security Agent - providing comprehensive app security reviews in minutes. And you get $5 in credits to try it for a limited time. Security Agent's hybrid static analysis and AI-scanning approach is first of its kind: - Acts on custom threat model to review full codebase - Resolves vulnerabilities in parallel using background tasks - Reduces false positives by 90%. Powered by @semgrep + @HoundDogAI. Keep vibe coding safely 🔒
Semgrep (@semgrep):
Are you tired of sorting through SCA alerts for dependencies your code doesn't even use? Rust is great for memory safety, but SCA noise is still a massive headache. We finally rolled out reachability coverage for Rust. That means you only get an alert if your code is actually hitting the vulnerable part of a dependency. If you're tired of triaging CVEs that aren't even exploitable, this is for you. 👇 semgrep.dev/blog/2026/semg…
Semgrep (@semgrep):
We’re excited to be heading to Singapore for #BlackHatAsia! Come visit us at Booth #522 to see how Semgrep is redefining code security for builders. We’re excited to show you how engineering organizations rely on Semgrep to embed security directly into the development lifecycle—without slowing down development speed or scale. 🟢Use our code “Semgrep” for a discounted Briefings Pass or a free Business Pass. 👉 blackhat.com/asia-26/
Semgrep (@semgrep):
Developers often use `http://` for quick API testing, legacy endpoints persist, or HTTPS configs get overlooked while coding. Catch insecure requests at code review time with rules. Run `semgrep scan --config react-insecure-request.yaml`. Rule: github.com/semgrep/semgre…
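As an added example of the kind of check the post describes (written for this page, not the `react-insecure-request.yaml` rule it links to; the rule id is an assumption), the rule below flags `fetch`, `axios` and `XMLHttpRequest` calls whose URL is a literal beginning with `http://`. It deliberately ignores loopback addresses so that local-development code does not drown the real findings.

```yaml
rules:
  - id: js-cleartext-http-request-literal   # hypothetical rule id, not a registry rule
    languages: [javascript, typescript]
    severity: WARNING
    message: >-
      Request to a cleartext http:// endpoint ($URL). Anyone on the network path
      can read or modify the request and the response. Use https://, or take the
      base URL from configuration so a development value cannot ship to production.
    metadata:
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
    patterns:
      - pattern-either:
          # Browser / Node fetch API: first argument is the URL
          - pattern: fetch($URL, ...)
          # axios: callable form and the verb methods (axios.get, axios.post, ...)
          - pattern: axios($URL, ...)
          - pattern: axios.$VERB($URL, ...)
          # XMLHttpRequest: URL is the second argument of open()
          - pattern: $XHR.open($VERB, $URL, ...)
      # Only literals are checked: a plain string or a template literal whose text
      # starts with http://. Loopback hosts are excluded as deliberate dev-only use.
      - metavariable-regex:
          metavariable: $URL
          regex: ^["'`]http://(?!localhost|127\.0\.0\.1)
```

A URL built at runtime (`fetch(baseUrl + path)`) is not a literal and is not reported by this rule; covering that case needs a taint rule whose source is the configuration value, which is a separate exercise. Keep the exclusion list short and explicit, since every host added to it is an address the rule will never warn about again.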
Semgrep (@semgrep):
Modernizing your codebase doesn’t have to slow you down 🌀 Join us on April 29 for a hands-on workshop on how to upgrade, remediate, and ship faster with Semgrep. You’ll learn how to identify outdated patterns, apply safe auto-fixes, and scale remediation across your codebase. 📆 April 29 🕛 8AM PT / 4PM UTC Save your spot👉 semgrep.dev/events/hands-o…
Semgrep (@semgrep):
What’s so “magical” about Semgrep Multimodal? ✨ Just ask the team at Vanta. We aren't just finding vulnerabilities; we’re giving time back to the teams that build and protect your software. Book a Free Demo and see the magic in action👇 semgrep.dev/products/semgr…
Semgrep (@semgrep):
Failing to set HttpOnly on cookies in your Kotlin codebase can let client-side scripts read them, risking session theft and complete account compromise. It's the kind of bug that takes seconds to fix, if you know it exists. Scan your codebase for this weakness with Semgrep rules: `semgrep scan --config cookie-missing-httponly.yaml`. Rule source: github.com/semgrep/semgre…
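The rule below is an added example for this page (not the `cookie-missing-httponly.yaml` file the post links to; the rule id is assumed). It targets Kotlin code that builds a servlet `Cookie` and hands it to `response.addCookie` without the HttpOnly flag having been set on that cookie earlier in the same function, through either the Kotlin property or the Java setter.

```yaml
rules:
  - id: kotlin-servlet-cookie-missing-httponly   # hypothetical rule id, not a registry rule
    languages: [kotlin]
    severity: WARNING
    message: >-
      Cookie '$C' is added to the response without HttpOnly, so document.cookie in
      the browser can read it and any XSS bug turns into session theft. Set
      $C.isHttpOnly = true before calling addCookie (and mark it Secure on HTTPS sites).
    metadata:
      category: security
      cwe: "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
    patterns:
      # Report the statement where the cookie leaves the application...
      - pattern: $RESP.addCookie($C)
      # ...but only for cookies constructed with the servlet Cookie class in the same scope
      - pattern-either:
          - pattern-inside: |
              val $C = Cookie(...)
              ...
          - pattern-inside: |
              var $C = Cookie(...)
              ...
      # Either the Kotlin property assignment or the Java-style setter clears the finding
      - pattern-not-inside: |
          $C.isHttpOnly = true
          ...
      - pattern-not-inside: |
          $C.setHttpOnly(true)
          ...
```

The rule is intra-procedural: a cookie configured in a helper and returned to the caller is not tracked, and Spring's `ResponseCookie.from(...).httpOnly(true).build()` builder is a different API that needs its own pattern. Both are worth a second rule rather than loosening this one, because a rule that cannot see the flag being set should report, not stay silent.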
Semgrep (@semgrep):
We're excited to be at AWS Summit London at ExCel London on Wednesday 22nd April! 🇬🇧 Stop by Stand B5 to see Semgrep in action, with live demos from the Amazon Bedrock team, showing you how to secure your code from commit to cloud. 🎤 Our Security Advocate, Dr Katie Paxton-Fear (@InsiderPhD), will be speaking on AI & AppSec in "No Security, Just Vibes: Fixing Vibe-Coded Apps Without Security Knowledge". 🪓 We're also hosting an exclusive Axe-Throwing Experience with our friends at @sysdig – swapping the usual post-event drinks for something a little sharper... Find out more & RSVP 👉 semgrep.dev/events/aws-sum…
Semgrep (@semgrep):
Last chance to register for our Axe Throwing experience in London next Wednesday, 22 April, with Semgrep, Sysdig, and AWS! 🪓 If you’re up for an axe-cellent evening of friendly rivalry and sharp conversation, now’s the time to grab your spot: semgrep.dev/events/axe-thr… Final spaces are going fast! Let’s hit some targets together
Semgrep (@semgrep):
SAST vs. DAST has been one of AppSec's longest-running debates – but which approach actually reduces more real-world risk? In our next Security Rulez webinar, Dr. Katie Paxton-Fear (@InsiderPhD) and Escape's Alexandra Charikova (@escapetechHQ) go head-to-head on what works in practice, where each approach falls short, and what modern teams should really be prioritising. Join us for a lively discussion on AppSec tradeoffs, tool reality, and what matters most in today's pipelines. Register now to save your spot 👉 semgrep.dev/events/securit…
Semgrep (@semgrep):
The value of being able to customize rules for static analysis cannot be understated. A few of our security researchers were happy to join OWASP Boston at the BASC Conference for Rule Writing 101 so that how to apply them could be understood. Thanks to everyone who joined our team for the workshop or dinner to chat more about code security.