Hacker Summer Camp 2025 Edition | Semgrep Newsletter
This content originally appeared on DEV Community and was authored by Jayson DeLancey

We’ve rounded up some news and updates from the Semgrep ecosystem to help ship features, not vulnerabilities.

If you need a Semgrep account, sign up and follow the Quick Start; it is free on any project with fewer than ten (10) contributors.

Hacker Summer Camp

It’s that time of year when the weather gets hot and we take a break to meet and compare notes with our colleagues from across the security industry. You’ll find us all week at events including The Diana Initiative, BSidesLV, Black Hat, and DEF CON.

We are taking over Omega Mart on 8/5 for an exclusive event for our customers and the security community. Just us, no tourists. If you’ve never been, it is a delightful and immersive art experience filled with puzzles and stories, and it will make for a memorable evening. We are also hosting a LAN tournament on 8/7 at an arcade bar, which will be a fun way to unwind from the day.

We’ve got something happening every day so check the event page to learn more about our conference talks, free book signings, and other appearances.

Join us for Hacker Summer Camp 2025

Shared Context for Build and Runtime

Cloud-Native Application Protection Platforms (CNAPP) like Sysdig are a key ingredient of an AppSec strategy. Sharing that runtime context with a build-time tool like Semgrep makes both more effective:

  • Determine whether this code was deployed and, if so, to which environment
  • Prioritize findings that have production relevance and exposure
  • Link alerts to the specific file, function, and team that introduced a risk

The end result is fewer alerts, faster response, and better collaboration between teams.

Learn more about the Sysdig + Semgrep integration

Evaluating a Security Tool’s Sensitivity

The sensitivity of a tool is its likelihood of over-reporting or under-reporting security findings.

Security research firm Doyensec evaluated the benefits of graduating from Semgrep Community Edition to the Pro Engine. They saw a true positive rate improvement of between 50% and 71%.

Read the Report

What is Variant Analysis?

Securing software requires a comprehensive plan to find, fix, and prevent the bugs that matter before build-time. Eugene Lim shared an excerpt from his upcoming book on how to take a CVE and write Semgrep rules that find variations in code implementations which might otherwise be missed.

In a blog post, Eugene walks through an example of a CVE that impacted Expat, a C library used to parse XML files, which demonstrates a pattern that can be applied to any vulnerability disclosure.

Read the Excerpt

Restoring Confidence in Secure Development

“The guidance wasn’t just accurate, it was built into our workflow, right where developers needed it. That made all the difference… Both developers and security engineers now have greater confidence in our shared process.”

– Chris Holman, DevSecOps Engineer, Glasswall

Read how Glasswall didn’t just replace one tool with another but instead matured their AppSec program from reactive to streamlined, developer-first, and future-ready.

Read the Case Study

Leverage Static Analysis for Detection

From our friends at Trail of Bits, a senior security engineer discussed how he looked for exploit patterns in Go’s JSON, XML, and YAML parsers.

Additionally, he published public rules to detect these patterns:

semgrep -c r/trailofbits.go.unmarshal-tag-is-dash
semgrep -c r/trailofbits.go.unmarshal-tag-is-omitempty

Read the post Unexpected security footguns in Go’s parsers to learn more.
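The two rules above target struct-tag behaviour in Go’s encoding/json that is easy to misread. As an added illustration (constructed example code, not from the Trail of Bits post or from Semgrep), the block below shows that a field tagged `json:"-"` is never encoded or decoded, that the similar-looking tag `json:"-,"` produces a field literally keyed "-", and that `omitempty` does not omit a zero-valued struct. The type names `Record`, `Meta` and the helper functions are assumptions made up for this example; `StrictDecodeRecord` shows the standard `DisallowUnknownFields` check that rejects input supplying keys the struct does not accept.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Meta is a constructed helper type for the example.
type Meta struct {
	Level int `json:"level"`
}

// Record is a constructed example type; each field shows one tag behaviour.
type Record struct {
	// "-" means: never marshal or unmarshal this field, even if input supplies it.
	Secret string `json:"-"`
	// "-," means: use the literal key "-"; the field IS serialized. Easy to confuse with "-".
	Dash string `json:"-,"`
	// omitempty drops false, 0, nil pointers/interfaces and empty strings/slices/maps/arrays,
	// but a zero-valued struct is never considered empty, so "meta" is always emitted.
	Meta Meta `json:"meta,omitempty"`
	// A nil pointer to the same struct IS omitted.
	Ptr *Meta `json:"ptr,omitempty"`
}

// EncodeRecord marshals r and returns the JSON text.
func EncodeRecord(r Record) (string, error) {
	b, err := json.Marshal(r)
	return string(b), err
}

// DecodeRecord unmarshals untrusted JSON into a Record. Keys for fields tagged "-"
// are silently ignored, so the input cannot populate Secret.
func DecodeRecord(data string) (Record, error) {
	var r Record
	err := json.Unmarshal([]byte(data), &r)
	return r, err
}

// StrictDecodeRecord is the defensive variant: any key that does not map to an
// accepted field (including "Secret", which is excluded by its tag) is an error
// instead of being dropped on the floor.
func StrictDecodeRecord(data string) (Record, error) {
	var r Record
	dec := json.NewDecoder(strings.NewReader(data))
	dec.DisallowUnknownFields()
	err := dec.Decode(&r)
	return r, err
}

func main() {
	out, _ := EncodeRecord(Record{Secret: "s3cr3t", Dash: "visible"})
	fmt.Println(out) // Secret absent, key "-" present, empty meta struct still emitted

	r, _ := DecodeRecord(`{"Secret":"injected","-":"fromdash","meta":{"level":3}}`)
	fmt.Printf("%+v\n", r) // Secret stays empty, Dash and Meta.Level are set

	_, err := StrictDecodeRecord(`{"Secret":"injected"}`)
	fmt.Println(err) // unknown field error: the stray key is reported rather than ignored
}
```

Run it with `go run .`; the printed output for the first call is `{"-":"visible","meta":{"level":0}}`, which is the exact mismatch between intent and behaviour that a reviewer wants a static rule to flag.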

PHP Reachability

We now have reachability coverage for PHP for all critical issues since 2017 and high-severity issues since May 2022! These rules are available for all PHP projects and further extend the supply chain reachability coverage already offered for C#, Go, Java, JavaScript, Kotlin, Python, TypeScript, JSX, Ruby, Scala, and Swift.

Read more in the PHP blog post

AI Assistant Memories

If we can’t tell you what to fix, we won’t show it to you. Your time is too valuable. Development teams need clear, step-by-step remediation guidance, and Semgrep Assistant helps with both prioritization and remediation guidance.

Semgrep Assistant allows you to customize with Memories so that policy decisions help tune results for higher accuracy over time.

Learn more about AI Memories

How to Get Started with Semgrep

If you’ve only just learned about Semgrep, here are some ways to get started:

  • The Semgrep Community Edition is free open-source software that powers many teams with basic functionality.

  • The Semgrep AppSec Platform capabilities are available to test on any project with fewer than ten (10) contributors for free. Just hop over to semgrep.dev, sign up, and follow the Quick Start.

If you have any questions or feedback, hop onto the Community Slack and let’s chat (I’m @j12y)! If you want to talk to us virtually or see us in-person, check out the events page to see where we’ll be.
