Highlights:
- Semgrep offers more than 900 prebuilt detection scripts, known as Semgrep Pro rules, eliminating the need for developers to create a rule library from scratch.
- Beyond scanning an application’s own code, Semgrep identifies vulnerabilities in external components like open-source libraries and flags potential licensing issues.
Semgrep Inc., a startup, has raised USD 100 million in funding to promote adoption of its code security platform, which assists developers in spotting software vulnerabilities.
The Series D round was led by Menlo Ventures, with participation from Felicis Ventures, Harpoon Ventures, Lightspeed Venture Partners, Redpoint Ventures, and Sequoia Capital. This latest investment brings Semgrep’s total external funding to USD 204 million.
At the core of Semgrep’s platform is a static application security testing (SAST) engine, which allows developers to create scripts that automatically scan codebases for vulnerabilities. For instance, teams can write scripts to detect open-source components with known security risks.
Semgrep offers more than 900 prebuilt detection scripts, known as Semgrep Pro rules, eliminating the need for developers to create a rule library from scratch. Additionally, teams can write custom detection scripts in YAML, a user-friendly syntax commonly used for system configurations.
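To make the custom-rule syntax concrete, here is an added example of two Semgrep rules written in YAML. This is illustrative code written for this article, not a Semgrep Pro rule or anything published by Semgrep Inc.; the rule ids, messages and the file name `custom-rules.yaml` used below are assumptions. The first rule flags `subprocess` calls that pass a non-literal command with `shell=True` (a common OS command injection pattern, CWE-78); the second flags a hardcoded AWS access key ID by its well-known `AKIA` prefix.

```yaml
# custom-rules.yaml (hypothetical file name) -- added example, not from Semgrep's rule library
rules:
  - id: python-subprocess-shell-true-nonliteral
    languages: [python]
    severity: WARNING
    message: >-
      subprocess.$FUNC is called with shell=True on a non-literal command,
      so shell metacharacters in $CMD can change what gets executed.
      Pass the command as an argument list and drop shell=True.
    patterns:
      # Match any subprocess function called with a command and shell=True ...
      - pattern: subprocess.$FUNC($CMD, ..., shell=True, ...)
      # ... but do not report calls whose command is a plain string literal.
      - pattern-not: subprocess.$FUNC("...", ..., shell=True, ...)
    metadata:
      category: security
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"

  - id: hardcoded-aws-access-key-id
    languages: [python]
    severity: ERROR
    message: Possible hardcoded AWS access key ID; move credentials to a secret store.
    # AWS access key IDs start with "AKIA" followed by 16 uppercase alphanumerics.
    pattern-regex: 'AKIA[0-9A-Z]{16}'
    metadata:
      category: security
      cwe: "CWE-798: Use of Hard-coded Credentials"
```

Running `semgrep --config custom-rules.yaml src/` applies both rules to the `src/` tree; a finding for the first rule is reported with `$FUNC` and `$CMD` bound to the matched call, which is what makes the message self-explanatory in the dashboard. The `pattern-not` clause is the part that matters for noise: a literal command string carries no untrusted input, so reporting it would be exactly the kind of false positive the article says the platform tries to avoid.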
Since traditional SAST tools may overlook key contextual information—such as developer comments clarifying that seemingly insecure code is actually safe—Semgrep enhances its platform with large language models (LLMs). These LLMs analyze developer comments and other context to minimize false positives.
Semgrep also automates security tasks like detecting hardcoded secrets, such as stored login credentials. To reduce false alarms, the platform verifies whether detected credentials are functional before issuing an alert.
Beyond scanning an application’s own code, Semgrep identifies vulnerabilities in external components like open-source libraries and flags potential licensing issues. For example, it can warn developers if a library’s license restricts commercial use.
The platform features a dashboard that presents statistics on detected code issues. Semgrep monitors the number of vulnerabilities identified, their severity, and the percentage of flaws successfully resolved by developers.
“We want using Semgrep to be like hiring an AppSec engineer to do the boring work,” Co-founder and Chief Executive Officer Isaac Evans stated. “Our vision is autonomous (but still transparent and deterministic) security decision-making at scale.”
Semgrep revealed that its platform has been adopted by hundreds of organizations since its launch, including major tech firms like Snowflake Inc. and Dropbox Inc.
With the new funding, Semgrep plans to expand its go-to-market team to drive customer growth. Additionally, the company will hire AI and cybersecurity experts to accelerate product development, with a strong focus on enhancing the platform’s usability.