We follow a rigorous information security program, a vendor risk assessment program, and an incident response plan. Semgrep was founded on the principle of bringing the rigor of a secure software development lifecycle (SDLC) to the rest of the developer community. Every member of the team is trained on, and committed to, our secure SDLC policy. We have a dedicated security team of four engineers plus a security and compliance officer.
Core tenets of our security program include:
- Security awareness training
- Defined security requirements
- Defined metrics for acceptable risk
- Threat modeling
- Use of modern cryptographic libraries
- Securing third-party dependencies
- CI/CD pipeline with peer code review for every PR
- Static analysis on every PR
- Unit and integration tests
Documents
An update to the Semgrep Assistant model providers
Semgrep Assistant will now use Amazon Bedrock (AWS) as an additional model provider so that we can serve the best available model for each feature. AWS is already one of Semgrep's sub-processors, and this usage is covered under our existing DPA.
Each customer can set model preferences or opt out of specific models individually.
To opt out, go to Semgrep > Settings > Assistant > AI Provider and unselect the AWS Bedrock option.
Please note that all existing Security & Privacy guarantees, as detailed in our documentation, remain in effect.
Please contact Semgrep Support (support@semgrep.com) if you would like guidance or have any questions.
Semgrep's latest SOC 2 Type II report (Dec 1, 2023 - Nov 30, 2024)
Semgrep Inc. is pleased to announce our latest SOC 2 Type II report (covering December 1, 2023 - November 30, 2024) and our latest full-scope, whitebox penetration test (performed by Include Security). Both reports cover the Semgrep AppSec Platform, including the Semgrep Code, Semgrep Supply Chain, and Semgrep Secrets products.
These independent reports are part of our continual effort to improve, monitor, and assess our security program.
As usual, all of our security and compliance updates and documentation are available via the Semgrep Trust Portal. The direct links are listed below:
- Latest SOC 2 Type II Report - https://trust.semgrep.dev/item/soc-2-report
- Latest Full-scope Penetration Test - https://trust.semgrep.dev/item/third-party-annual-pentest
Semgrep's response to the Polyfill.io compromise
On June 25, 2024, Sansec Threat Research reported that the polyfill.io service, which serves the widely used Polyfill.js library, had been taken over by a malicious actor and was being used to inject malware into websites that load the script from it. Because the compromise was on the serving side, any URL on that domain is unsafe, regardless of version or path. Semgrep does not use Polyfill.js on any of our properties.
Semgrep's Security Research team has written a rule to help our customers identify uses of Polyfill.js. We have released it for free for use with our open-source client. The rule can also generate an autofix patch that switches the reference to a safe mirror of the Polyfill service. If you haven't run Semgrep before, you can run this rule locally (e.g. semgrep --config=r/3qUkGp2/semgrep.polyfill-compromise) or sign up here to take advantage of our managed scanning service.
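As an added illustration of what such a check has to do, the following Python script is not Semgrep's rule and does not use the Semgrep engine. It scans HTML for script tags whose src points at the polyfill.io hosts, rewrites them to a mirror, and prints a unified diff that can be applied as a patch. The mirror host and path (cdnjs.cloudflare.com/polyfill), the list of hosts, and the sample page are assumptions made for this example, not taken from the rule above.

```python
"""Find <script> tags that load from the compromised polyfill.io hosts and
rewrite them to a vetted mirror, emitting a unified diff of the change.

Added illustration only: this is not Semgrep's polyfill-compromise rule and it
does not use the Semgrep engine. The mirror host/path below is an assumption;
swap in whichever mirror your organisation has vetted.
"""
import difflib
import re
from typing import List, Tuple

# Hosts that served attacker-controlled JavaScript after the takeover. Any
# path on them is unsafe, so matching is on the host, not a specific URL.
COMPROMISED_HOSTS = {"polyfill.io", "cdn.polyfill.io"}

# Assumed replacement (cdnjs mirror of the polyfill service); not from the page.
SAFE_HOST = "cdnjs.cloudflare.com"
SAFE_PATH_PREFIX = "/polyfill"

# src="..." / src='...' on a <script> tag, tolerating other attributes and
# http://, https:// or protocol-relative // URLs. [^>] keeps the match inside
# one tag, so it cannot span two script elements.
SCRIPT_SRC = re.compile(
    r"""<script\b[^>]*?\bsrc\s*=\s*(?P<q>["'])"""
    r"""(?P<url>(?:https?:)?//(?P<host>[^/"'\s]+)(?P<path>[^"']*))(?P=q)""",
    re.IGNORECASE,
)


def find_polyfill_refs(html: str) -> List[Tuple[int, str]]:
    """Return (line_number, url) for every script src on a compromised host."""
    hits = []
    for m in SCRIPT_SRC.finditer(html):
        if m.group("host").lower() in COMPROMISED_HOSTS:
            line = html.count("\n", 0, m.start()) + 1
            hits.append((line, m.group("url")))
    return hits


def patch_polyfill_refs(html: str) -> str:
    """Rewrite each compromised src to https://SAFE_HOST + SAFE_PATH_PREFIX + original path.

    The original path and query string (e.g. ?features=es6) are preserved so
    the mirror serves the same bundle the page was requesting before.
    """
    def _rewrite(m: "re.Match[str]") -> str:
        if m.group("host").lower() not in COMPROMISED_HOSTS:
            return m.group(0)
        # Always emit https://, even for protocol-relative inputs: a
        # scheme-relative URL on an http page would fetch the script over http.
        new_url = f"https://{SAFE_HOST}{SAFE_PATH_PREFIX}{m.group('path')}"
        return m.group(0).replace(m.group("url"), new_url, 1)
    return SCRIPT_SRC.sub(_rewrite, html)


def unified_patch(path: str, before: str, after: str) -> str:
    """Unified diff of before -> after in a form `git apply` accepts."""
    return "".join(difflib.unified_diff(
        before.splitlines(keepends=True), after.splitlines(keepends=True),
        fromfile=f"a/{path}", tofile=f"b/{path}"))


# Constructed sample page for the example, not taken from any real site.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script defer src='//polyfill.io/v3/polyfill.min.js'></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for line, url in find_polyfill_refs(SAMPLE_HTML):
        print(f"index.html:{line}: loads from compromised host: {url}")
    print(unified_patch("index.html", SAMPLE_HTML, patch_polyfill_refs(SAMPLE_HTML)))
```

The check keys on the host rather than on a URL or version because the malicious code was injected at serve time, so no path on the domain can be trusted. Script tags created dynamically from JavaScript (for example a string containing the host passed to a DOM API) are not caught by this HTML pattern and need a separate check over the page's scripts.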