Qilin Incident Update
Trust Portal Updates

Incidents

Semgrep is aware of a release of Semgrep data by Qilin, a known threat actor. The data consists of Semgrep scan results of Semgrep source code. It's our understanding that the threat actor obtained the data via a Semgrep API token used to access a Semgrep sandbox environment.

The sandbox environment is used by Semgrep for internal testing and holds assessments of our first-party code and open source repositories. While we consider the compromise of any operational security control to be unacceptable, we don't consider the exposed data to be highly sensitive, as we often provide access to this data to auditors, pentesters, and even customers.

Based on our investigation so far, we have no reason to believe customer data or supply chains are at risk.

  1. There is no indication that any customer data, findings, or source code were accessed by the threat actor.
  2. We see no risk to our customers' supply chains. There is no indication that the integrity of Semgrep's source code or releases was compromised.

The exposed tokens were immediately revoked and the investigation is ongoing. We are committed to full transparency as part of our incident response process and we will produce a detailed incident summary, including details of the data exposed, incident actions, and post-incident hardening commitments.

An update to the Semgrep Assistant model providers

General

Semgrep Assistant will now use Amazon Web Services Bedrock as an additional model provider so that we can serve the best possible model for each feature. AWS is one of Semgrep's existing sub-processors, and its usage is covered under our existing DPA.

Each customer has the ability to set model preferences or opt out of specific models individually.
To opt out, go to Semgrep > Settings > Assistant > AI Provider and unselect the AWS Bedrock option.

Please note that all existing Security & Privacy guarantees, as detailed in our documentation, remain in effect.

Please contact Semgrep Support (support@semgrep.com) if you would like guidance or have any questions.

Semgrep's latest SOC 2 Type II Report (Dec 1, 2023 - Nov 30, 2024)

Compliance

Semgrep Inc. is thrilled to announce our latest SOC 2 Type II report (covering December 1, 2023 - November 30, 2024) and our latest full-scope, whitebox penetration test (performed by Include Security). Both reports cover our Semgrep AppSec Platform and include the Semgrep Code, Supply Chain, and Semgrep Secrets products.

These independent reports form part of our continual efforts to improve, monitor, and assess our security program.

As usual, all of our security and compliance updates and documentation are available via the Semgrep Trust Portal. The direct links are listed below:

Semgrep's response to the Polyfill.io compromise

Vulnerabilities

On June 25, 2024, Sansec Threat Research publicized that the popular polyfill.js dependency had been taken over by malicious actors who were using it to inject malware into popular websites. Semgrep does not use Polyfill.js across any of our properties.

Semgrep's Security Research team has written a rule to help our customers identify the use of Polyfill.js. We've released it for free for use with our open-source client. Our Polyfill rule can automatically generate a patch that switches to the safe version of Polyfill. If you haven't run Semgrep before, you can run this rule locally (e.g. semgrep --config=r/3qUkGp2/semgrep.polyfill-compromise) or sign up here to take advantage of our managed scanning service.
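As an added illustration of how a detect-and-autofix rule for a compromised CDN dependency is shaped, here is a Semgrep rule written for this page; it is not the registry rule referenced above, and the rule id and the mirror URL used in the fix are assumptions.

```yaml
rules:
  - id: polyfill-io-script-source-example
    # Added example rule, not the Semgrep registry rule the text refers to.
    languages: [generic]
    severity: WARNING
    paths:
      include:
        - "*.html"
        - "*.htm"
        - "*.js"
        - "*.jsx"
        - "*.tsx"
        - "*.vue"
    # Match absolute or scheme-relative references to the polyfill.io domain,
    # including the cdn. subdomain, up to the start of the path.
    pattern-regex: '(?:https?:)?//(?:cdn\.)?polyfill\.io/'
    message: >-
      This file loads scripts from polyfill.io, a domain reported compromised
      on June 25, 2024. Self-host the polyfill bundle or switch to a mirror
      you trust; the suggested autofix rewrites the host to an assumed mirror.
    # fix-regex rewrites only the host portion, preserving the original path
    # and query (the feature list) of the script URL.
    fix-regex:
      regex: '(?:https?:)?//(?:cdn\.)?polyfill\.io/'
      replacement: 'https://cdnjs.cloudflare.com/polyfill/'  # assumed mirror
    metadata:
      category: security
      confidence: HIGH
```

Run it against a checkout with semgrep --config polyfill-io.yaml . and add --autofix to apply the rewrite; review the resulting diff before committing, since the mirror host is an assumption of this example.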

We follow a rigorous information security program, vendor risk assessment program and an incident response plan. Semgrep is founded on the principle of bringing the power and security of SDLC to the rest of the developer community. Every single member of the team is trained and fully committed to SDLC policy. We have a dedicated security team with 4 engineers and a security and compliance officer.

Core tenets of our security program include:

- Security awareness training
- Defined security requirements
- Defined metrics for acceptable risk
- Threat modeling
- Use of modern crypto libraries
- Securing 3rd party dependencies
- CI/CD pipeline with code review from a peer for every PR
- Static analysis on every PR
- Unit/integration tests

