
We follow a rigorous information security program, a vendor risk assessment program and an incident response plan. Semgrep is founded on the principle of bringing the power and security of a secure SDLC to the rest of the developer community. Every member of the team is trained in, and fully committed to, our SDLC policy. We have a dedicated security team of 4 engineers plus a security and compliance officer.

Core tenets of our security program include:

- Security awareness training
- Defined security requirements
- Defined metrics for acceptable risk
- Threat modeling
- Use of modern crypto libraries
- Securing 3rd-party dependencies
- CI/CD pipeline with code review from a peer for every PR
- Static analysis on every PR
- Unit/integration tests

GitLab
Slack
Dropbox
Shopify
Chegg
Snowflake

Documents

Reports: Network Diagram
Trust Portal Updates

Semgrep's response to the Polyfill.io compromise

Vulnerabilities

On June 25, 2024, Sansec Threat Research publicized that the popular Polyfill.js dependency had been taken over by malicious actors who were using it to inject malware into popular websites. Semgrep does not use Polyfill.js on any of our properties.

Semgrep's Security Research team has written a rule to help our customers identify the use of Polyfill.js. We've released it for free for use with our open-source client. Our Polyfill rule can automatically generate a patch that switches to the safe version of Polyfill. If you haven't run Semgrep before, you can run this rule locally (e.g. semgrep --config=r/3qUkGp2/semgrep.polyfill-compromise) or sign up here to take advantage of our managed scanning service.
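As an added illustration (this is not Semgrep's rule, which is not reproduced on this page), the following stand-alone check lists every script and stylesheet reference that loads from the polyfill.io host, including its subdomains and protocol-relative URLs; the sample HTML is constructed and the host name is taken from the advisory above.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one script and one stylesheet load from the
# compromised host, the other references are unrelated or local.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="https://example-cdn.test/lib.js"></script>
<script src="/static/app.js"></script>
<link rel="stylesheet" href="https://polyfill.io/v3/polyfill.css">
</head><body></body></html>"""

COMPROMISED_HOST = "polyfill.io"  # host from the advisory; subdomains count too


def is_polyfill_io(url):
    """True if the URL's host is polyfill.io or any subdomain of it.
    Relative paths have no host and never match; '//host/...' URLs do."""
    host = (urlparse(url).hostname or "").lower()
    return host == COMPROMISED_HOST or host.endswith("." + COMPROMISED_HOST)


class PolyfillFinder(HTMLParser):
    """Collects (tag, url) pairs for script/link elements loading from polyfill.io."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "link"):
            return
        attr = "src" if tag == "script" else "href"
        url = dict(attrs).get(attr)
        if url and is_polyfill_io(url):
            self.hits.append((tag, url))


def find_polyfill_references(html):
    """Return the list of (tag, url) references to polyfill.io found in html."""
    finder = PolyfillFinder()
    finder.feed(html)
    return finder.hits


if __name__ == "__main__":
    for tag, url in find_polyfill_references(SAMPLE_HTML):
        print(f"{tag}: {url}")
```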


Semgrep publishes our latest SOC 2 Type 2 audit

Compliance

Semgrep Inc. is proud to publish our latest SOC 2 Type II attestation report, covering December 1, 2022 - November 30, 2023. Maintaining our SOC 2 certification underpins our continued commitment to protecting our customers' data.

This report represents our first SOC 2 Type II assessment covering 12 months. It includes Semgrep Code, Semgrep Supply Chain and, for the first time, our Semgrep Secrets offering, which we launched in October 2023.

As usual, all of our security and compliance updates and documentation are available via the Semgrep Trust Portal (https://trust.semgrep.dev).


r2c completes SOC 2 Type 2 audit

Compliance

r2c is proud to announce that we've completed our first SOC 2 Type 2 audit. Achieving SOC 2 Type II compliance is one of the primary ways we demonstrate our company's privacy and security practices. Maintaining SOC 2 compliance underpins our continued commitment to protecting our customers' data.

What is SOC 2 Type 2?

The Service Organization Control (SOC) 2 Type 2 audit is the best-known information security certification in the industry and a common request from our customers. A SOC 2 Type 2 certification includes third-party security and control testing against standards set by the American Institute of CPAs (AICPA). A 'Type 2' audit signifies both that we had appropriate procedures and controls in place, and that they were followed and achieved their goals across the audit period.

What does this mean for our customers?

SOC 2 compliance is independent confirmation that we are following the security, privacy, and reliability practices you'd expect of a modern software company. Moreover, it's a standard our enterprise customers hold themselves to and typically expect of their vendors in return.

However, SOC 2 is only one of a basket of practices and processes we follow to ensure our products and services are secure. We continue to build upon proactive and detective security practices, including a program of secure software design and active security assessments.

Semgrep SAST and Semgrep Supply Chain are both a core part of our secure development practices – ask to see a demo of how we use our products across our engineering efforts.

What’s next?

Achieving SOC 2 Type 2 compliance is not a one-time event but a baseline of security and privacy practices that must be maintained and audited annually. We look forward to using SOC 2 to demonstrate and build upon our commitment to privacy and security across our current and future products and features.


r2c's response to the ongoing CircleCI breach

Incidents

On the evening of January 4, 2023, CircleCI notified customers of a breach and recommended teams rotate "all secrets stored in CircleCI" and review systems for unauthorized access between December 21, 2022, and January 4, 2023.

r2c uses CircleCI for a limited amount of continuous integration workflows that do not involve production infrastructure or user data. Our security and engineering teams have reviewed these workflows and either disabled or rotated all credentials in use.

No unauthorized access to r2c systems or services has been identified. CircleCI’s investigations continue. r2c’s security team continues to monitor updates from the vendor and review access from the affected period.


r2c is not affected by the OpenSSL vulnerabilities CVE-2022-3602 and CVE-2022-3786

Incidents

Yesterday, November 1, 2022, OpenSSL released version 3.0.7 to patch CVE-2022-3602 and CVE-2022-3786, two HIGH-risk vulnerabilities in the OpenSSL 3.0.x cryptographic library.

r2c is not vulnerable to these issues, as our services and products do not rely on the vulnerable version of OpenSSL, nor do we use the functionality in which these vulnerabilities occur.

If you want supply chain risk analysis that goes beyond simple version tracking, check out our recently launched Semgrep Supply Chain product. Semgrep Supply Chain allows you to interrogate your use of dependencies and whether you are exposed to specific vulnerabilities or not.

For more information on these vulnerabilities, see the great write-up by Datadog Security Labs.
