Jayson DeLancey for Semgrep

AI Code Assistant Memories, PHP Reachability, CVE Policies, and Benchmarking

I've rounded up some news and updates about Semgrep to make it easier to ship features, not vulnerabilities.

Some of the stories covered:

  • Memories: applied AI in Semgrep Assistant that remembers your security decisions and stores them as policies, so repeat findings are resolved faster.
  • Reachability: prioritizing vulnerable supply-chain dependencies whose vulnerable code your application actually executes, instead of panicking over vulnerable code that is never called.
  • Benchmarking: comparing performance release over release, whether speed, coverage, accuracy, or any other metric that matters when choosing a solution.

Continue to learn more...


A Security Tool That Learns

Record Memories in Semgrep Assistant (a triage decision or instruction you want applied to similar findings) and the AI model improves: the platform learns YOUR specific environment and policies. The effect compounds, making development teams more efficient by reducing false positives.

Read more in the blog post Is Zero False Positives a Reality?


PHP Reachability Analysis

Reachability analysis dramatically reduces the noise from SCA alerts, by up to 98%: a finding is flagged as reachable only when the vulnerable code in the dependency is actually called from your code. We’re excited to introduce the industry’s first reachability analysis for PHP, marking the 11th language with this capability.

For additional coverage, see the docs about language support.


Vibe Coding and AI Security with MCP

"There's a viber born every minute."
-- P.T. Barnum (likely)

We can’t always trust code generated by AI. Combined with security scanning, for example through the Semgrep MCP server, we can better manage that risk in tools like Cursor – watch the demo.

Replit takes the security of their customers seriously and has integrated Semgrep into their Security Scanner.


Graduating to Semgrep AppSec Platform

We proudly sponsor continued support for Semgrep Community Edition, which is why it continues to be a top-performing free SAST tool used by:

  • Security researchers
  • Pentesters
  • Consultants
  • Open-source developers
  • Hobbyists

Application Security Engineers and development teams that take security seriously may need more. The updated Semgrep Pricing page clarifies where to find the features you need.


Quarterly Release Summary

Our Quarterly Release page pulls together highlights from the past few months of releases to Code (SAST), Supply Chain (SCA), and Secrets (detection).


Use CVE as a Supply Chain Policy

Want to block a PR, or just leave a comment, for a specific set of CVEs that matter to your product? Choose from the list of CVEs generated from your findings, or enter a known CVE ID; dependency search is available by CVE ID or by rule name.

[Image: Semgrep Supply Chain SCA dependency search]
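To make the two ideas concrete, here is an added Python illustration that is not Semgrep's own engine, output format, or policy schema. It covers both the PHP reachability section above and this CVE policy section: reachability is computed as a graph search from an application entry point to the vulnerable function, and an explicit block/comment CVE policy is layered on top. The call graph, the findings, the placeholder CVE ids (CVE-0000-*), the package names and the field names are all constructed assumptions for the example.

```python
import re
from collections import deque

# Constructed call graph for a small PHP app: caller -> callees, keyed by
# fully qualified "Namespace\Class::method" names. Assumption: "main" is the
# single application entry point.
CALL_GRAPH = {
    "main": ["App\\Http\\Kernel::handle"],
    "App\\Http\\Kernel::handle": [
        "App\\Controllers\\Upload::store",
        "Vendor\\Log\\Logger::info",
    ],
    "App\\Controllers\\Upload::store": ["Vendor\\Image\\Resizer::resize"],
    "Vendor\\Image\\Resizer::resize": ["Vendor\\Image\\Decoder::decode"],
    "Vendor\\Image\\Decoder::decode": [],
    "Vendor\\Log\\Logger::info": [],
    # Shipped inside a dependency but never called from the entry point:
    "Vendor\\Yaml\\Parser::parse": ["Vendor\\Yaml\\Loader::load"],
    "Vendor\\Yaml\\Loader::load": [],
}
ENTRY_POINTS = ["main"]

# Constructed SCA findings with placeholder CVE ids and hypothetical
# packages; none of these are real advisories.
FINDINGS = [
    {"cve": "CVE-0000-0001", "package": "vendor/image",
     "vuln_function": "Vendor\\Image\\Decoder::decode"},
    {"cve": "CVE-0000-0002", "package": "vendor/yaml",
     "vuln_function": "Vendor\\Yaml\\Loader::load"},
    {"cve": "CVE-0000-0003", "package": "vendor/log",
     "vuln_function": "Vendor\\Log\\Logger::debug"},
]

# Assumed policy shape: CVE ids that must block the PR, and CVE ids that
# should only get a comment, in both cases regardless of reachability.
POLICY = {
    "block": {"CVE-0000-0001"},
    "comment": {"CVE-0000-0002"},
}

CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")
ACTION_RANK = {"block": 0, "comment": 1, "monitor": 2}


def reachable_functions(graph, entry_points):
    """Breadth-first walk from the entry points; returns every function
    that can be reached along some call chain."""
    seen = set()
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        if fn in seen:
            continue
        seen.add(fn)
        queue.extend(graph.get(fn, ()))
    return seen


def decide_action(cve, reachable, policy):
    """Explicit CVE policy wins; otherwise only reachable findings get a
    comment and unreachable ones are merely monitored."""
    if cve in policy["block"]:
        return "block"
    if cve in policy["comment"]:
        return "comment"
    return "comment" if reachable else "monitor"


def triage(findings, graph, entry_points, policy):
    """Annotate each finding with reachability and the resulting action,
    ordered so the most urgent findings come first."""
    for cve in policy["block"] | policy["comment"]:
        if not CVE_ID.match(cve):
            raise ValueError(f"malformed CVE id in policy: {cve!r}")
    reach = reachable_functions(graph, entry_points)
    results = []
    for finding in findings:
        cve = finding["cve"]
        if not CVE_ID.match(cve):
            raise ValueError(f"malformed CVE id in finding: {cve!r}")
        is_reachable = finding["vuln_function"] in reach
        results.append({
            **finding,
            "reachable": is_reachable,
            "action": decide_action(cve, is_reachable, policy),
        })
    # Blocks first, then reachable findings, then everything else.
    results.sort(key=lambda r: (ACTION_RANK[r["action"]], not r["reachable"], r["cve"]))
    return results


def should_fail_pr(results):
    """The PR fails if any finding resolved to the block action."""
    return any(r["action"] == "block" for r in results)


if __name__ == "__main__":
    triaged = triage(FINDINGS, CALL_GRAPH, ENTRY_POINTS, POLICY)
    for r in triaged:
        flag = "reachable" if r["reachable"] else "unreachable"
        print(f'{r["action"]:8} {r["cve"]} {r["package"]} ({flag})')
    print("fail PR:", should_fail_pr(triaged))
```

Note the precedence: the explicit block list fires even though the graph walk is what decides the default. The yaml finding is unreachable from `main`, so without an explicit policy entry it would only be monitored; the logger finding is in a package that is called, but the specific vulnerable method never is, which is exactly the distinction reachability analysis draws.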


Benchmarking Source Code Scanning Speed

If source-code scanning and static analysis slow down development, engineering teams won’t adopt them. Is Semgrep fast? Yes, it is.

Learn how we think about performance at Semgrep in this blog post: Benchmarking Semgrep Performance Improvements.

Find this update and more open-source improvements in 20+ releases so far this year.


Customizable PR / MR Comments

Many developers review security findings directly as comments left in merge or pull requests. In the Semgrep Platform settings tab, teams can customize these to add company-specific instructions, links to resources, or other helpful notes.

[Image: Semgrep security scan with PR and MR comments]

See the PR / MR Comments documentation for setting up Azure, GitHub, GitLab, or Bitbucket for examples of custom comments.


SoSafe Case Study

“We treat engineers as partners, not just stakeholders. Semgrep helps us meet them where they are.”
– Mubasher Chaudhary, Application Security Engineer, SoSafe

Learn more about how SoSafe evaluated tools for their security program in the SoSafe Case Study.


How to Get Started with Semgrep

If you've only just learned about Semgrep, here are some ways to get started:

The Semgrep Community Edition is free open-source software that powers many teams with basic functionality.

The Semgrep AppSec Platform capabilities are available to test on any project with fewer than ten (10) contributors for free. Just hop over to semgrep.dev, sign up, and follow the Quick Start.

If you have any questions or feedback, hop onto the Community Slack and let’s chat (I’m @j12y)! If you want to talk to us virtually or see us in-person, check out the events page to see where we’ll be.
