Replit GenAI Security Scans and Shadow AI


A roundup of recent headlines about Semgrep in the past month.

$ grep -rh -A 5 -m 10 "" semgrep-news.html | more

Replit Partners with Semgrep for AI Security Scans

Replit is an AI-powered platform that lets you create and deploy apps from a browser. This is great for dev teams that want quick product development cycles. For security teams, well… like other LLM tools, it can introduce risk. Replit turned to Semgrep to power security scanning directly within the Replit IDE.

Learn more in the blog post about the Replit + Semgrep partnership.

RSAC Industry Leader Interviews

The team had a great show at RSA and BSidesSF this year. We had a chance to turn the camera on and have a chat with some friends:

  • Phil Venables, Partner at Ballistic Ventures, shared his insights with Clint Gibler (Semgrep Head of Security Research) about the things he’s learned from senior security research roles at companies like Deutsche Bank, Goldman Sachs, Google, and more. Watch the video interview.
  • Cristin Flynn Goodwin, Consultant with Good Harbour, shared a legal perspective on cybersecurity drawn from her experience, in conversation with Tanya Janca (Semgrep Developer Advocate). Watch the video interview.

Other interviews include Jason Haddix (Arcanum), Nariman Aga-Tagiyev (SecureHabits.nl), and more.

Shadow AI Scan for Unauthorized Usage

Unaccounted-for AI usage, outside a proper approval process, can lead to compliance violations, sensitive-data exposure (including secret keys!), and many other GenAI security risks. We’ve built a new ruleset to detect unauthorized use of AI and LLM libraries, including OpenAI, Anthropic Claude, LangChain, Hugging Face, Grok, Gemini, DeepSeek, and more.

See the Semgrep Shadow AI page from RSAC to learn more.

Scaling Security and AI with AWS

Cameron Smith, Sr. Security Solutions Architect at AWS, joined Jack Moxon, Staff Product Manager, to talk about rapid development and cloud-native deployment at speed. Watch the video interview on YouTube.

Semgrep Rulez for Vibe Code

We’ve partnered with Replit to incorporate Semgrep rules directly in a Security Scanner for AI generated code. This puts users of Replit one step ahead so that this doesn’t happen to you:

(image: vibe coding attack)

For everybody else, the Semgrep MCP server gives any technology team a path to incorporate Semgrep security scans into their LLM-generated source-code production workflows, enabling a secure-by-default AI solution. View the README.md for setup instructions usable with tools like Anthropic, OpenAI, Cursor, Windsurf, Lovable, etc.

Rulesets for Customizing Security Checks

Want to improve your security posture by writing custom Semgrep rules for your organization?

Watch Rule Writing 101 (video) and Rule Writing 201 (video) for a step-by-step introduction. The documentation for writing rules goes into more detail on the pattern and rule syntax, which you can test interactively in the Playground. The Custom Rules course from Semgrep Academy goes even deeper.

Visit the semgrep-rules GitHub repository to see examples, or to contribute rules you are willing to share, as Trail of Bits and GitLab have done.
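To show what a custom rule of the kind described in the Shadow AI section above looks like in practice, here is an added example of a small Semgrep ruleset for Python that flags imports of common GenAI/LLM client libraries and, separately, LLM clients constructed with a string-literal API key. This is illustrative code written for this post, not the Semgrep Shadow AI ruleset itself; the rule ids, the library list, the metadata values and the message text are assumptions chosen for the example.

```yaml
rules:
  # Audit rule: surface every use of an LLM client library so it can be
  # matched against the organisation's AI approval register.
  - id: shadow-ai-llm-client-import
    languages: [python]
    severity: WARNING
    message: >-
      Import of a GenAI/LLM client library was found. Confirm this usage is
      registered and approved under the organisation's AI review process, and
      check that no secrets or customer data are sent to the provider without
      authorization.
    metadata:
      category: security
      subcategory:
        - audit
      technology:
        - openai
        - anthropic
        - langchain
        - huggingface
      confidence: HIGH
      likelihood: LOW
      impact: MEDIUM
    # In Semgrep's Python matching, `import X` also matches
    # `import X as Y` and `from X import ...`.
    pattern-either:
      - pattern: import openai
      - pattern: import anthropic
      - pattern: import langchain
      - pattern: import transformers
      - pattern: import huggingface_hub
      - pattern: import google.generativeai

  # Vulnerability rule: an LLM provider client built with a hard-coded key.
  # `"..."` matches any string literal; `...` matches any other arguments.
  - id: shadow-ai-hardcoded-provider-key
    languages: [python]
    severity: ERROR
    message: >-
      An LLM provider client is constructed with a string-literal API key.
      Load the key from a secrets manager or an environment variable instead.
    metadata:
      category: security
      subcategory:
        - vuln
      cwe:
        - "CWE-798: Use of Hard-coded Credentials"
      confidence: HIGH
      likelihood: HIGH
      impact: HIGH
    pattern-either:
      - pattern: openai.OpenAI(..., api_key="...", ...)
      - pattern: anthropic.Anthropic(..., api_key="...", ...)
    # Constructed example of code this rule flags (not from the post):
    #   client = openai.OpenAI(api_key="sk-EXAMPLE-PLACEHOLDER")
    # and of code it does not flag:
    #   client = openai.OpenAI(api_key=os.environ["OPENAI_API_KEY"])
```

Save this as `shadow-ai.yaml` and run `semgrep --config shadow-ai.yaml .` against a repository to get an inventory of AI library usage plus any hard-coded provider keys. The first rule is deliberately an audit finding (WARNING) rather than a vulnerability: the import itself is not a bug, it is a signal that the code needs to be on the approval list. Semgrep's test convention lets you keep a sibling `shadow-ai.py` with `# ruleid:` and `# ok:` comments and check the rule with `semgrep --test`, which is the quickest way to make sure a pattern matches what you intend before rolling it out.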

FinTech and the Role of AI in Security

What is different about security engineering in a FinTech context? Industry security veterans Rinki Sethi (BILL) and Lee Laslo (Alloy) share their perspective.

Watch the video interview.

AppSec for Builders: A Manifesto

Luke O’Malley was interviewed at RSA about his manifesto for builders and the future of artificial intelligence.

“If you want to empower your builder, you need to give them agency… it’s not about control, it’s about empowerment. We want to notify them if they’re doing something risky and provide a guardrail and nudge them back onto the paved road—a safer path that still lets them move fast.”

Watch the video or read the blog post with highlights from the session.

Community Headlines

It is fascinating to see all the ways other community projects are using Semgrep!

Have a Semgrep story? Share it with us!

How to Get Started with Semgrep

If you’ve only just learned about Semgrep, here are some ways to get started:

  • The Semgrep Community Edition is free, open-source software that gives many teams the basic functionality they need.
  • The Semgrep AppSec Platform capabilities are available to test on any project with fewer than ten (10) contributors for free. Just hop over to semgrep.dev, sign up, and follow the Quick Start.

If you have any questions or feedback, hop onto the Community Slack and let’s chat (I’m @j12y)! If you want to talk to us virtually or see us in-person, check out the events page to see where we’ll be.
