I have used Semgrep more as a testing and a POC tool. So, there is no consistent usage of Semgrep, but I have used the tool multiple times for POC purposes. As a DevSecOps Security Engineer, my main use case for Semgrep when I do use it for POCs or testing is to deal with SAST, secret scanning, and types of testing, white-box testing, AppSec, and those types of activities. Semgrep is a tool for that. Hence, when we perform POCs and try to understand what it is providing for such different types of scanning, Semgrep turns out to be useful in setting benchmarks.
I use Semgrep mainly for its software composition analysis capabilities to identify vulnerabilities in dependencies used in our applications. Every time a new feature is developed or a new version of an application is released, it is run against Semgrep using our CI/CD pipelines to identify any new vulnerabilities.
I have been working with Semgrep for almost a year, approximately six to eight months on and off. In my current organization, I have a strong experience for SAST solution POCs, and I have conducted POCs for Semgrep, Checkmarx, Snyk, and SonarQube to evaluate SAST capabilities. Our primary use case for Semgrep is to identify static code vulnerabilities and SAST vulnerabilities. Every other organization or vendor claims to offer this capability, but Semgrep is built differently compared to all these traditional tools. I have almost a decade of experience using various SAST tools, and Semgrep not only looks at particular code but understands the entire code to get context around whether an issue is real or not through context analysis. One of the primary use case for us is also the shift-left approach, which means improving our developer experience. Our developers do not want to wait until they commit changes to GitHub or build it. They want synchronous feedback directly within their IDE. Semgrep provides an IDE integration and also supports MCP gateway. Additionally, secrets scanning is another important use case for us.
We use Semgrep to check custom user pipelines and test their claims for any vulnerabilities. We process the code by passing it through the testing process for any operability issues before sending feedback to the developers and providing the final product. This is part of the static testing analysis of code analysis.
Semgrep is an advanced static analysis tool designed to identify vulnerabilities and enforce coding standards, catering primarily to professionals with a focus on enhancing code security and quality.Engineered for software development environments, Semgrep delivers efficient security feedback with minimal setup. By offering a rich collection of rule sets, it allows customization and integration into CI/CD pipelines, supporting continuous code examination. Semgrep not only uncovers hidden...
I have used Semgrep more as a testing and a POC tool. So, there is no consistent usage of Semgrep, but I have used the tool multiple times for POC purposes. As a DevSecOps Security Engineer, my main use case for Semgrep when I do use it for POCs or testing is to deal with SAST, secret scanning, and types of testing, white-box testing, AppSec, and those types of activities. Semgrep is a tool for that. Hence, when we perform POCs and try to understand what it is providing for such different types of scanning, Semgrep turns out to be useful in setting benchmarks.
I use Semgrep mainly for its software composition analysis capabilities to identify vulnerabilities in dependencies used in our applications. Every time a new feature is developed or a new version of an application is released, it is run against Semgrep using our CI/CD pipelines to identify any new vulnerabilities.
I have been working with Semgrep for almost a year, approximately six to eight months on and off. In my current organization, I have a strong experience for SAST solution POCs, and I have conducted POCs for Semgrep, Checkmarx, Snyk, and SonarQube to evaluate SAST capabilities. Our primary use case for Semgrep is to identify static code vulnerabilities and SAST vulnerabilities. Every other organization or vendor claims to offer this capability, but Semgrep is built differently compared to all these traditional tools. I have almost a decade of experience using various SAST tools, and Semgrep not only looks at particular code but understands the entire code to get context around whether an issue is real or not through context analysis. One of the primary use case for us is also the shift-left approach, which means improving our developer experience. Our developers do not want to wait until they commit changes to GitHub or build it. They want synchronous feedback directly within their IDE. Semgrep provides an IDE integration and also supports MCP gateway. Additionally, secrets scanning is another important use case for us.
We use Semgrep to check custom user pipelines and test their claims for any vulnerabilities. We process the code by passing it through the testing process for any operability issues before sending feedback to the developers and providing the final product. This is part of the static testing analysis of code analysis.