Trust Portal


Overview

We follow a rigorous information security program, a vendor risk assessment program and an incident response plan. Semgrep was founded on the principle of bringing the power and security of a secure development lifecycle (SDLC) to the rest of the developer community. Every member of the team is trained on, and fully committed to, our SDLC policy. We have a dedicated security team of four engineers plus a security and compliance officer.

Core tenets of our security program include:

- Security awareness training
- Defined security requirements
- Defined metrics for acceptable risk
- Threat modeling
- Use of modern crypto libraries
- Securing 3rd-party dependencies
- CI/CD pipeline with peer code review for every PR
- Static analysis on every PR
- Unit/integration tests

Compliance

SOC 2
GDPR

Semgrep is reviewed and trusted by

GitLab
Slack
Dropbox
Shopify
Chegg
Snowflake

Documents

Network Diagram
SOC 2 Report
Third-party Annual Pentest
SOC 2
CAIQ Lite
Cyber Insurance
Data Processing Agreement
Access Control Policy
Asset Management Policy
Business Continuity Policy
Data Security Policy
Encryption Policy
General Incident Response Policy
Information Security Policy
Other Policies
Physical Security
Risk Management Policy
Software Development Lifecycle

Risk Profile

Data Access Level
Impact Level
Critical Dependence

Product Security

Audit Logging
Data Security
Integrations

Reports

Network Diagram
SOC 2 Report
Third-party Annual Pentest

Self-Assessments

CAIQ Lite

Data Security

Access Monitoring
Backups Enabled
Data Erasure

App Security

Responsible Disclosure
Code Analysis
Credential Management

Access Control

Data Access
Logging
Password Security

Infrastructure

Status Monitoring
Amazon Web Services
BC/DR

Endpoint Security

Disk Encryption
Endpoint Detection & Response
Mobile Device Management

Network Security

Firewall
IDS/IPS
Security Information and Event Management

Corporate Security

Email Protection
Employee Training
HR Security

Policies

Access Control Policy
Asset Management Policy
Business Continuity Policy

Trust Center Updates

Semgrep publishes our latest SOC 2 Type 2 audit

Compliance

Semgrep Inc. is proud to publish our latest SOC 2 Type II attestation report, covering December 1, 2022 through November 30, 2023. Maintaining our SOC 2 attestation underpins our continued commitment to protecting our customers' data.

This report is our first SOC 2 Type II assessment covering a full 12 months. Its scope includes Semgrep Code, Semgrep Supply Chain and, for the first time, our Semgrep Secrets offering, which we launched in October 2023.

As usual, all of our security and compliance updates and documentation are available via the Semgrep Trust Portal (https://trust.semgrep.dev).


r2c completes SOC 2 Type 2 audit

Compliance

r2c is proud to announce that we have completed our first SOC 2 Type 2 audit. Achieving SOC 2 Type II compliance is one of the primary ways we demonstrate our company's privacy and security practices, and maintaining it underpins our continued commitment to protecting our customers' data.

What is SOC 2 Type 2?

A System and Organization Controls (SOC) 2 audit is the best-known information security attestation in the industry and a common request from our customers. It involves third-party testing of security and related controls against the Trust Services Criteria set by the American Institute of CPAs (AICPA). A Type 1 report only attests that appropriate controls were designed and in place at a point in time; a Type 2 report attests that those controls were also operated as designed and achieved their objectives across the whole audit period.

What does this mean for our customers?

SOC 2 compliance is independent confirmation that we follow the security, privacy and reliability practices you would expect of a modern software company. Moreover, it is a standard our enterprise customers hold themselves to and typically expect of their vendors in return.

However, SOC 2 is only one of a basket of practices and processes we follow to ensure our products and services are secure. We continue to build upon proactive and detective security practices, including a program of secure software design and active security assessments.

Semgrep SAST and Semgrep Supply Chain are both a core part of our secure development practices – ask to see a demo of how we use our products across our engineering efforts.

What’s next?

Achieving SOC 2 Type 2 compliance is not a one-time event but a baseline of security and privacy practices that must be maintained and audited annually. We look forward to using SOC 2 to demonstrate and build upon our commitment to privacy and security across our current and future products and features.


r2c's response to the ongoing CircleCI breach

Incidents

On the evening of January 4, 2023, CircleCI notified customers of a breach and recommended teams rotate "all secrets stored in CircleCI" and review systems for unauthorized access between December 21, 2022, and January 4, 2023.

r2c uses CircleCI for a limited number of continuous integration workflows, none of which touch production infrastructure or user data. Our security and engineering teams have reviewed these workflows and either disabled or rotated every credential they used.

No unauthorized access to r2c systems or services has been identified. CircleCI’s investigations continue. r2c’s security team continues to monitor updates from the vendor and review access from the affected period.
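The second half of CircleCI's advice, reviewing systems for use of the exposed secrets, is the part that does not end when the secrets are rotated. The script below is an added example, not r2c's tooling: it takes an audit-log export (one JSON object per line; the log lines here are constructed) and flags every use of a credential that had been stored in CircleCI, from an address the CI runners are not expected to use, between the start of the vendor's window and the moment the credential was actually rotated. The credential inventory, the CI egress range and the rotation timestamp are hypothetical placeholders.

```python
"""Incident-window access review for secrets that lived in a compromised CI system.

Added example, not r2c's tooling. Flags every authentication event that
(a) used a credential that had been stored in CircleCI, (b) occurred
between the start of the exposure window the vendor named and the time
the credential was rotated, and (c) did not come from the CI runners'
own egress addresses. Everything flagged is a candidate for manual review.
"""
import json
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Start of the window named in CircleCI's notice, as a whole UTC day.
WINDOW_START = datetime(2022, 12, 21, tzinfo=timezone.utc)
# Hypothetical time at which the old credentials were rotated. The vendor's
# window ended on January 4, but an exfiltrated secret stays usable until
# it is rotated, so the review runs up to that point instead (exclusive).
ROTATED_AT = datetime(2023, 1, 5, 12, 0, tzinfo=timezone.utc)

# Hypothetical inventory of credential IDs that lived in CircleCI contexts
# or project environment variables; in practice this comes from your
# secrets inventory.
CI_STORED_CREDENTIALS = {"AKIA_CI_DEPLOY_01", "npm-publish-token-7"}

# Hypothetical egress range of the CI runners (RFC 5737 documentation net).
EXPECTED_CI_EGRESS = [ip_network("203.0.113.0/24")]


def parse_event(line):
    """Parse one JSON log line; timestamps are ISO 8601 with a Z suffix."""
    event = json.loads(line)
    event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
    return event


def in_window(ts):
    """True if ts lies in [WINDOW_START, ROTATED_AT)."""
    if ts.tzinfo is None:  # refuse naive timestamps rather than guess a zone
        raise ValueError("timestamp must be timezone-aware")
    return WINDOW_START <= ts < ROTATED_AT


def from_expected_ci(source_ip):
    """True if the source address belongs to the CI runners' egress range."""
    addr = ip_address(source_ip)
    return any(addr in net for net in EXPECTED_CI_EGRESS)


def suspicious_events(lines):
    """Return the events worth a human's attention, in log order."""
    flagged = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["credential_id"] not in CI_STORED_CREDENTIALS:
            continue  # not a secret CircleCI ever held
        if not in_window(ev["ts"]):
            continue  # before the exposure started, or after rotation
        if from_expected_ci(ev["source_ip"]):
            continue  # the CI system using its own credential, as expected
        flagged.append(ev)
    return flagged


# Constructed sample log, not real data. e1 is before the window, e2 is
# normal CI usage, e5 is not a CI-held credential, e6 is after the vendor's
# stated end date but before rotation and so still in scope.
SAMPLE_LOG = """\
{"event_id": "e1", "ts": "2022-12-20T23:59:59Z", "credential_id": "AKIA_CI_DEPLOY_01", "source_ip": "198.51.100.7", "action": "sts:GetCallerIdentity"}
{"event_id": "e2", "ts": "2022-12-22T10:15:00Z", "credential_id": "AKIA_CI_DEPLOY_01", "source_ip": "203.0.113.10", "action": "s3:PutObject"}
{"event_id": "e3", "ts": "2022-12-28T03:41:12Z", "credential_id": "AKIA_CI_DEPLOY_01", "source_ip": "198.51.100.7", "action": "iam:ListUsers"}
{"event_id": "e4", "ts": "2023-01-03T18:00:00Z", "credential_id": "npm-publish-token-7", "source_ip": "192.0.2.44", "action": "npm:whoami"}
{"event_id": "e5", "ts": "2023-01-03T18:05:00Z", "credential_id": "human-user-token", "source_ip": "192.0.2.44", "action": "npm:whoami"}
{"event_id": "e6", "ts": "2023-01-05T00:00:00Z", "credential_id": "npm-publish-token-7", "source_ip": "192.0.2.44", "action": "npm:publish"}
"""

if __name__ == "__main__":
    for ev in suspicious_events(SAMPLE_LOG.splitlines()):
        print(ev["event_id"], ev["ts"].isoformat(), ev["credential_id"],
              ev["source_ip"], ev["action"])
```

On the constructed sample this reports e3, e4 and e6. The two design points worth copying are the upper bound, which is the rotation time rather than the vendor's stated end date, and the refusal to interpret naive timestamps, since a log exported in local time silently shifts the window edges.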


r2c is not affected by the OpenSSL vulnerabilities CVE-2022-3602 and CVE-2022-3786

Incidents

Yesterday, November 1, 2022, OpenSSL released version 3.0.7 to patch CVE-2022-3602 and CVE-2022-3786, two HIGH-severity vulnerabilities in the OpenSSL 3.0.x cryptographic library.

r2c is not vulnerable to these issues: our services and products do not rely on an affected OpenSSL release (3.0.0 through 3.0.6), nor do they use the functionality in which the bugs live (punycode decoding of email names during X.509 name-constraint checking).
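The statement above rests on two separate questions, the linked version and whether the vulnerable code path is reachable at all, and it is worth keeping them apart when assessing your own estate. The following is an added example, not r2c's or the Semgrep project's code: a small checker that parses an OpenSSL version banner, decides whether the release is in the affected range, and then applies the reachability qualifier. The `verifies_peer_certs` flag is an assumption the caller supplies about the deployment; the status strings are invented for this example.

```python
"""Exposure check for CVE-2022-3602 / CVE-2022-3786.

Added example, not r2c's tooling. Both bugs live in the punycode decoder
that OpenSSL 3.0 added for X.509 name-constraint checking, so only the
3.0.0 through 3.0.6 releases carry them: 1.1.1 and earlier never had the
code, and 3.0.7 fixes it. A version check is therefore the first cut, but
an affected version is only exploitable on a path that verifies peer
certificates, which is the second question this asks.
"""
import re
import ssl

_VERSION_RE = re.compile(r"^OpenSSL (\d+)\.(\d+)\.(\d+)")
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)


def parse_openssl_version(banner):
    """Turn an OpenSSL version banner into a (major, minor, patch) tuple.

    Accepts the banner format of ssl.OPENSSL_VERSION and `openssl version`,
    e.g. "OpenSSL 3.0.2 15 Mar 2022" or "OpenSSL 1.1.1n  15 Mar 2022".
    Returns None for anything else (LibreSSL, BoringSSL, garbage).
    """
    m = _VERSION_RE.match(banner.strip())
    if m is None:
        return None
    return tuple(int(x) for x in m.groups())


def version_affected(version):
    """True for the 3.0.0 through 3.0.6 releases, inclusive."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess(banner, verifies_peer_certs):
    """Classify one OpenSSL instance.

    verifies_peer_certs: whether this instance validates certificate chains
    at all (a TLS client with verification enabled, or a server that
    requests client certificates). Without chain verification the
    name-constraint code, and with it the punycode decoder, is never run.
    Status strings are this example's own, not an OpenSSL convention.
    """
    version = parse_openssl_version(banner)
    if version is None:
        return "unknown"  # not OpenSSL, or an unparseable banner
    if not version_affected(version):
        return "unaffected-version"
    if not verifies_peer_certs:
        return "affected-version-unreached"
    return "affected"


def linked_openssl_status(verifies_peer_certs=True):
    """Assess the OpenSSL this interpreter's ssl module is linked against."""
    return assess(ssl.OPENSSL_VERSION, verifies_peer_certs)


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION, "->", linked_openssl_status())
```

Two limits of a banner check are worth stating. Distribution builds backport the fix without changing the version string (a patched Ubuntu package can still report 3.0.2), so this check produces false positives there and the package changelog is the real source of truth; and the interpreter's `ssl` module only sees the OpenSSL it is linked against, not copies vendored or statically linked into other binaries on the host. Both are reasons a version number alone is a poor proxy for exposure.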

If you want supply chain risk analysis that goes beyond simple version tracking, check out our recently launched Semgrep Supply Chain product. Semgrep Supply Chain allows you to interrogate your use of dependencies and whether you are exposed to specific vulnerabilities or not.

For more information on these vulnerabilities, see the great write-up by Datadog Security Labs.

Powered by SafeBase