Hello friends, we’ve rounded up some news and updates from the Semgrep ecosystem to help you ship features, not vulnerabilities.
If you need a Semgrep account, sign up for free and get started with the Quick Start on any project with fewer than ten (10) contributors.
Research on Claude Code and OpenAI Codex
Our Security Research team explored AI coding agents, which can frequently help find real vulnerabilities but can also be noisy.
Using 11 real-world Python apps, Claude Code surfaced 46 vulnerabilities (14% true positive rate), strongly identifying IDOR issues. Codex found 21 vulnerabilities (18% TPR), with strength in finding path traversal issues.
Unfortunately, repeated runs were non-deterministic: in the case of one app, the agent found 3, then 6, then 11 distinct findings using the identical prompt.
Dive more into the data, prompts, and methodology from the full write up and data tables: Finding vulnerabilities in modern web apps using Claude Code and OpenAI Codex.
Security Alerts | Nx and NPM
The widely used Nx build tool was compromised recently in a way that allowed malware to steal SSH keys, wallets, API tokens, and other secret credentials.
According to the official Nx security advisory, the root cause was a workflow that was executing code. Likewise, a maintainer account was compromised.
This is the type of pattern Semgrep is designed to help teams scan for and catch. Specifically, this vulnerability is categorized as a run-shell-injection. It implemented a pattern that executes a command in a shell where the attacker can subvert the call and run their own supplied command instead.
Take a look at the Security Research blog posts sharing observations that the post-install script was sending a prompt to locally installed Claude or Gemini CLIs to help gather credentials. You can learn more about it and our response from our blog post.
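The run-shell-injection pattern named above, shown as an added example (not Semgrep's rule and not the Nx workflow): a small Python scanner that flags untrusted expressions expanded inside a `run:` step, next to the usual fix of passing the value through an environment variable. It assumes GitHub Actions workflow syntax; both workflow texts are constructed, and `find_run_injections` is a hypothetical helper name.

```python
import re

# Expression that expands a field an outside contributor controls
# (PR title, issue body, branch name, ...). Assumption: GitHub Actions syntax.
UNTRUSTED = re.compile(r"\$\{\{\s*github\.(?:event\.[\w.\[\]'-]+|head_ref)\s*\}\}")

def find_run_injections(workflow_text):
    """Return (line_no, expression) for untrusted expressions inside run: steps."""
    findings, run_indent = [], None
    for no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped:
            continue
        indent = len(line) - len(line.lstrip())
        if re.match(r"(?:-\s+)?run:", stripped):
            # Column of the run: key itself (past a leading "- " if present).
            run_indent = indent + len(stripped) - len(stripped.lstrip("- "))
        elif run_indent is not None and indent <= run_indent:
            run_indent = None  # a sibling key or new step ends the script body
        if run_indent is not None:
            # The expression is expanded into the script text before the shell
            # parses it, so quoting (or a shell comment) does not neutralise it.
            findings += [(no, m.group(0)) for m in UNTRUSTED.finditer(line)]
    return findings

# Constructed sample: attacker-influenced text is pasted into the script.
VULNERABLE = """\
on: pull_request
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Check title
        run: |
          echo "Validating PR title: ${{ github.event.pull_request.title }}"
"""

# Constructed sample: the value arrives as data in an environment variable.
HARDENED = """\
on: pull_request
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Check title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Validating PR title: $PR_TITLE"
"""
```
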
Quarterly Release Update
We’ve bundled up releases from the past few months into a Quarterly Release page to help share some of the highlights of what’s changed and what’s new.
Watch the Webinar Replay or Download the Release Kit.
Finding Vulnerabilities in the First 30 Days
This story warms our cold, secure heart that Semgrep is trusted and can show results so quickly. Our friends at Trail of Bits Blog shared a story from one of their excellent new hires:
In my first month at Trail of Bits as an AI/ML security engineer, I found two remotely accessible memory corruption bugs in NVIDIA’s Triton Inference Server during a routine onboarding practice.
He shared: “My approach was straightforward: point our standard static analysis tools at the codebase… one of the tools we rely on for this initial reconnaissance is Semgrep.”
A full breakdown of the findings, Semgrep rules, and links to CVEs can be found in the blog post Uncovering memory corruption in NVIDIA Triton.
Connecting Code Scans to Cloud Consequences
Through an exciting partnership with Sysdig, we’ve connected Sysdig’s runtime insights for what’s exploitable in the cloud to the code, file, and developer behind it to help put build-time context with run-time insight.
Learn more about our shared vision that security should enable speed and not slow down development or teams.
Shipping Value, Not Just AI for AI-Sake
We don’t think that users care that AI is used for features; they care about the impact it makes.
Wealthsimple shared how they are leveraging Semgrep’s LLM-powered memories feature, noting:
“A system that learns from our security decisions and applies that knowledge to future scans. The implementation is remarkably simple. All it takes is clicking 'new memory' and adding a description rule of the context or pattern you want the system to recognize.”
They quickly created twelve active memories to analyze 630+ security findings and reduced the backlog by 397 likely false positives (62% improvement). That's the impact we want to see.
Read more from the Wealthsimple Engineering Blog.
Model Context… Propaganda
Dr. Katie Paxton-Fear and Drew Dennison had a conversation about MCP (Model Context Protocol) and integrating tools into your AI-development workflows.
Watch their conversation and learn some tips for how to accelerate your secure development workflows.
It’s always rewarding when we see fans who share their success with Semgrep. Sean Kochel listed Semgrep among the 5 Claude Code MCP Servers You Need To Be Using.
Try Semgrep MCP with Cursor.
Celebrating 1M Code Scans Per Week
Our managed scans crossed a new milestone. If you are managing your own workload, talk to our team about managed scans so we can help keep you covered.
We also have a Managed Scan Quickstart Guide to get you up and running quickly.
How to Get Started with Semgrep
If you've only just learned about Semgrep, here are some ways to get started:
The Semgrep Community Edition is free open-source software that powers many teams with basic functionality.
The Semgrep AppSec Platform helps enterprises who prioritize their security risks. Visit https://semgrep.dev/signup and try the Quick Start for free on any project with fewer than ten (10) contributors.
If you have any questions, feedback, or stories to share about using Semgrep, hop onto the Community Slack and let’s chat (I’m @j12y)! If you want to talk to us virtually or see us in-person, check out the events page to see where we’ll be.