This content originally appeared on DEV Community and was authored by Jayson DeLancey
I’ve rounded up some news and updates about Semgrep to make it easier to ship features, not vulnerabilities.
Some of the stories captured include:
- how we provide an AI code assistant with security recommendations over MCP, including how we maintain memories of past decisions and policies for the model
- how we analyze software dependencies for vulnerabilities in code that is actually used by the source, not simply imported
- a benchmarking study that measures scan performance when looking for security issues
A Security Tool That Learns
Identify Memories using Semgrep Assistant and the AI model improves: the platform gets smarter about YOUR specific environment and policies. This effect compounds, making development teams more efficient by reducing false positives.
Read more in the blog post Is Zero False Positives a Reality?
PHP Reachability Analysis
Reachability analysis dramatically reduces the noise from SCA alerts, by up to 98%. We’re excited to introduce the industry’s first reachability analysis for PHP, marking the 11th language with this capability.
For additional coverage, see the docs about language support.
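Reachability, as used above, means telling apart a dependency that is merely present from a vulnerable function that the code actually calls. The following example is added here to illustrate that distinction; it is my own code, not Semgrep's engine, and it works on Python source via the standard `ast` module rather than on PHP. The advisory record, the package name `examplepkg`, the function `unsafe_load`, and the three source snippets are all constructed for the example.

```python
"""Toy reachability check for a third-party vulnerability (added example).

Given an advisory naming a package and the vulnerable function inside it, decide
whether a file only imports the package or actually calls the vulnerable function.
Package, symbol and snippets below are constructed; the advisory id is a placeholder.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    """Minimal advisory record: which package and which symbol is affected."""
    advisory_id: str   # placeholder, not a real CVE identifier
    package: str
    symbol: str


class UsageCollector(ast.NodeVisitor):
    """Tracks how the package and symbol are bound, then records call sites."""

    def __init__(self, adv: Advisory) -> None:
        self.adv = adv
        self.module_aliases: set[str] = set()   # names bound to the package itself
        self.symbol_aliases: set[str] = set()   # names bound directly to the symbol
        self.imported = False
        self.call_lines: list[int] = []

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:                # import examplepkg [as ep]
            if alias.name == self.adv.package:
                self.module_aliases.add(alias.asname or alias.name)
                self.imported = True
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if node.module == self.adv.package:     # from examplepkg import ...
            for alias in node.names:
                if alias.name == self.adv.symbol:
                    self.symbol_aliases.add(alias.asname or alias.name)
                    self.imported = True
                elif alias.name == "*":
                    # star import: conservatively assume the bare name is bound
                    self.symbol_aliases.add(self.adv.symbol)
                    self.imported = True
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        fn = node.func
        if isinstance(fn, ast.Name) and fn.id in self.symbol_aliases:
            self.call_lines.append(node.lineno)          # unsafe_load(...) or alias
        elif (isinstance(fn, ast.Attribute) and fn.attr == self.adv.symbol
              and isinstance(fn.value, ast.Name)
              and fn.value.id in self.module_aliases):
            self.call_lines.append(node.lineno)          # examplepkg.unsafe_load(...)
        self.generic_visit(node)


def call_sites(source: str, adv: Advisory) -> list[int]:
    """Line numbers where the advisory's vulnerable function is called."""
    collector = UsageCollector(adv)
    collector.visit(ast.parse(source))
    return collector.call_lines


def classify(source: str, adv: Advisory) -> str:
    """'reachable' (called), 'unreachable' (imported, never called) or 'absent'."""
    collector = UsageCollector(adv)
    collector.visit(ast.parse(source))
    if collector.call_lines:
        return "reachable"
    return "unreachable" if collector.imported else "absent"


def triage(samples: dict[str, str], adv: Advisory) -> dict[str, str]:
    """Classify each file; only 'reachable' ones deserve a blocking finding."""
    return {name: classify(src, adv) for name, src in samples.items()}


# Constructed advisory and source samples (not real packages or findings).
ADVISORY = Advisory("EXAMPLE-0001", "examplepkg", "unsafe_load")

IMPORT_ONLY = """
import examplepkg as ep      # dependency present, vulnerable function never called

def parse(data):
    return ep.safe_load(data)
"""

CALLS_VULNERABLE = """
from examplepkg import unsafe_load as ul

def parse(data):
    return ul(data)          # reachable: the advisory's function runs on input
"""

NO_DEPENDENCY = """
import json

def parse(data):
    return json.loads(data)
"""

if __name__ == "__main__":
    samples = {"import_only.py": IMPORT_ONLY,
               "calls.py": CALLS_VULNERABLE,
               "none.py": NO_DEPENDENCY}
    for name, verdict in triage(samples, ADVISORY).items():
        print(f"{name}: {verdict}")
```

The star-import branch is deliberately conservative: when the binding cannot be resolved, a reachability check should lean toward reporting, since the cost of a missed vulnerable call is higher than one extra alert. A production analysis also follows calls across functions and files and tracks aliases assigned at runtime, which this single-file walk does not.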
Vibe Coding and AI Security with MCP
“There’s a viber born every minute.”
— P.T. Barnum (likely)
We can’t always trust code generated by AI. Combined with security scanning, such as through the Semgrep MCP server, we can better manage that risk with tools like Cursor – watch the demo.
Replit takes the security of their customers seriously and has integrated Semgrep into their Security Scanner.
Graduating to Semgrep AppSec Platform
We proudly sponsor continued support for Semgrep Community Edition, which is why it continues to be a top-performing free SAST tool used by:
- Security researchers
- Pentesters
- Consultants
- Open-source developers
- Hobbyists
Application Security Engineers and Development Teams that take security seriously may need more. The updated Semgrep Pricing page clarifies where to find the features you need.
Quarterly Release Summary
Our Quarterly Release page pulls together highlights from the past few months of releases to Code (SAST), Supply Chain (SCA), and Secrets (detection).
Use CVE as a Supply Chain Policy
Want to block or comment for a specific set of CVEs crucial to your product? Choose from a list of CVEs generated from findings, or input a known CVE ID — dependency search is available by CVE ID or rule name.
Benchmarking Source Code Scanning Speed
If source-code scanning and static analysis slow down development, engineering teams won’t adopt them. Is Semgrep fast? Yes it is.
Learn how we think about performance at Semgrep in this blog post: Benchmarking Semgrep Performance Improvements.
Find this update and more open-source improvements in 20+ releases so far this year.
Customizable PR / MR Comments
Many developers review security findings directly as comments left in merge or pull requests. In the Semgrep Platform settings tab, teams can customize these to add company-specific instructions, links to resources, or other helpful notes.
See the PR / MR Comments documentation for Azure, GitHub, GitLab, or Bitbucket for examples of setting up custom comments.
SoSafe Case Study
“We treat engineers as partners, not just stakeholders. Semgrep helps us meet them where they are.”
– Mubasher Chaudhary, Application Security Engineer, SoSafe
Learn more about how SoSafe evaluated tools for their security program in the SoSafe Case Study.
How to Get Started with Semgrep
If you’ve only just learned about Semgrep, here are some ways to get started:
The Semgrep Community Edition is free open-source software that powers many teams with basic functionality.
The Semgrep AppSec Platform capabilities are available to test on any project with fewer than ten (10) contributors for free. Just hop over to semgrep.dev, sign up, and follow the Quick Start.
If you have any questions or feedback, hop onto the Community Slack and let’s chat (I’m @j12y)! If you want to talk to us virtually or see us in-person, check out the events page to see where we’ll be.