Hello friends, we’ve rounded up some news and updates from the Semgrep ecosystem to help you ship features, not vulnerabilities.
Security Engineer’s Guide to MCP
MCP has rapidly become the API standard for AI coding agents. If you are generating code and want security scanning as part of your workflow, we have an MCP server you can run directly from the command line and use in Claude Code, Cursor, Windsurf, and other MCP-compatible IDEs.
Follow the installation instructions for your IDE and then you’ll be able to run the MCP server with:
semgrep mcp
But what if you are building an agent? Our security research team compiled a security engineer's guide to how MCP agents can be vulnerable and what you should know about using and building them, along with an MCP Security Checklist. Check it out to learn more about line jumping, tool shadowing, and rug pulling.
2025 Gartner® Magic Quadrant™ for Application Security Testing
We’re thrilled to announce that for the first time, Semgrep has been recognized in the 2025 Gartner Magic Quadrant for Application Security Testing.
We’re honored to be named in the Gartner Magic Quadrant for Application Security Testing, but even more grateful for the partnerships with the community and customers that make Semgrep better every day. Read more and claim a complimentary copy of the report.
Yes We Scan Monorepos
Teams who follow a trunk-based development methodology consolidate a lot of code into a single monorepo. This typically presents scaling challenges for static analysis, because you can't scale horizontally by handing separate repository jobs to separate servers.
We’ve recently introduced a memory-efficient multicore model that enables parallel processing on a single machine to better utilize cloud resources, and we see a 2x speedup in job completion time. It isn’t that we’re running faster; it's that we’ve added several more lanes and can get more throughput.
Run it now with:
semgrep --config=auto --x-eio
This will be enabled by default next month, so keep an eye on our open source blog and release notes.
1 MILLION Weekly Scans
Actually, that’s old news, and we’ve quickly scaled beyond that. During our beta program we worked closely with everyone from fast-growing startups to Fortune 500 enterprises to secure their code.
By our calculations, managed scanning can save over $25k in the first year, with annualized savings of $18k each year. We share the math and a demo video for when you are ready to offload some of the headaches of managing your own infrastructure for security testing.
Open Source Community Edition 30:300:3000
Semgrep Community Edition is the free open source static analysis engine with support for 30+ languages, 300+ releases to date, and 3000+ community rules.
Some of the recent releases over the past few months include many beneficial improvements to the CLI (both commercial and open source):
- Cross-platform support for macOS, Linux, and Windows environments
- Parallel processing with shared memory to be able to quickly handle large monorepos without slowing down dev teams
- MCP server integrated into AI-assisted coding workflows
There are many small incremental improvements that may have helped your team as well, such as recognizing Containerfiles, metavariable-comparison improvements, and faster rule parsing.
Palo Alto Networks Cortex Cloud
Read about How Cortex Cloud and Semgrep are Redefining AI-Driven Application Security, combining static analysis with cloud insights.
LLM-Driven SAST-Genius
Independent research from Vaibhav Agrawal and Kiarash Ahi demonstrates a hybrid pipeline that combines Semgrep with a fine-tuned LLM for triage, exploit validation, and remediation.
Impressive results:
- False positive reduction from 225 to 20 (11x improvement)
- 91% reduction in average triage time
Review the full research article: https://www.arxiv.org/pdf/2509.15433
Secure AI-generated Code Workshop In-Person and Virtual
We’re hosting a hands-on, interactive workshop at OWASP Global AppSec on how to secure AI-generated code with Palo Alto Networks Cortex Cloud and Semgrep. This is open to the public even if you don’t have an event badge.
Save your seat in Washington DC Nov 5th
We’ll be hosting a follow-up virtual version of this workshop on Nov 20th. Register for the virtual session.
IDOR
“Wait master, it might be dangerous… you go first.” –Igor in Young Frankenstein
Insecure Direct Object Reference (IDOR) is an access control failure in which a program exposes internal resources through identifiers that users can guess or manipulate to reach objects they are not authorized to access. If the system doesn’t check authorization on each request, it opens the door to abuse.
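As an added illustration (not code from the newsletter or from Semgrep), here is an IDOR-prone lookup beside its hardened form, using a constructed in-memory invoices table with guessable sequential ids; the handler, session shape and field names are hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount_cents: int


# Constructed sample table (hypothetical data): sequential, guessable identifiers.
INVOICES: Dict[int, Invoice] = {
    1001: Invoice(1001, owner_id=7, amount_cents=12_500),
    1002: Invoice(1002, owner_id=9, amount_cents=99_900),
}


def get_invoice_vulnerable(session_user_id: int, invoice_id: int) -> Optional[Invoice]:
    """IDOR: the object is fetched solely by the caller-supplied id.
    Being logged in is the only check, so user 7 can read user 9's invoice
    simply by changing 1001 to 1002 in the request."""
    return INVOICES.get(invoice_id)


def get_invoice_fixed(session_user_id: int, invoice_id: int) -> Optional[Invoice]:
    """Hardened: ownership is verified against the authenticated principal
    (taken from the server-side session, never from request parameters) on
    every access. 'Missing' and 'not yours' collapse to the same None so the
    resulting 404 does not reveal which identifiers exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != session_user_id:
        return None
    return invoice


def handle_request(session: Dict[str, int], params: Dict[str, str],
                   lookup: Callable[[int, int], Optional[Invoice]]) -> Dict[str, object]:
    """Minimal handler shape: the principal comes from the session; only the
    object id comes from the client, and it is never trusted for authorization."""
    invoice = lookup(session["user_id"], int(params["invoice_id"]))
    if invoice is None:
        return {"status": 404}
    return {"status": 200, "amount_cents": invoice.amount_cents}


if __name__ == "__main__":
    # User 7 asks for user 9's invoice: the vulnerable path serves it, the fixed path does not.
    print(handle_request({"user_id": 7}, {"invoice_id": "1002"}, get_invoice_vulnerable))
    print(handle_request({"user_id": 7}, {"invoice_id": "1002"}, get_invoice_fixed))
```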
Learn more about IDOR and other common vulnerabilities like Code Injection, Command Injection, Cross-site Scripting, Insecure Deserialization and more in our new Learning Guides.
Happy Halloween and Security Awareness Month!
Getting Started with Semgrep
Are you new here? If so, we’ve lined up some helpful resources you can use to learn about Semgrep.
- Semgrep AppSec Platform is the quickest way to create an account and scan in minutes.
- Semgrep Community Edition has a new Getting Started Guide to run your first scan.
If you have questions, feedback, or stories about your success with Semgrep you want to share, hop onto the community Slack and let’s chat, or add questions in the comments for me here.
Have a story about how you are using Semgrep? If you are using Semgrep in a novel way or have custom rules and are willing to share them, let me know and we'll feature and link to your research in future newsletters.