Earlier today Miasma made a comeback on npm after its breach of Red Hat's cloud services packages on Monday. This variant is armed with a new spreading mechanism: a bindings.gyp file rather than post/pre-install hooks.
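The defensive takeaway from the post above is that a package with no lifecycle hooks can still run code at install time. The following is an added example, not Semgrep's code and not anything from the Miasma package: a small Python check that lists every install-time execution path in an npm package directory, including the native build a `binding.gyp` file triggers. It assumes npm's documented default behaviour (when a package ships `binding.gyp` and defines no `install`/`preinstall` script, npm runs `node-gyp rebuild`), also checks the plural spelling used in the post, and builds its own constructed sample packages in a temporary directory; the function and file names are the example's own.

```python
"""Added example (not Semgrep's code and not Miasma's): list every way an npm
package directory can run code at install time, so reviewers see the implicit
node-gyp build that a binding.gyp file triggers next to the lifecycle hooks
most checks already cover. Assumption: npm's documented default is to run
`node-gyp rebuild` when a package ships a binding.gyp and defines no
install/preinstall script of its own."""
import json
import os
import tempfile
from typing import List, Optional

# Lifecycle scripts npm runs while installing a dependency.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# npm's trigger file is binding.gyp; the plural spelling from the post is checked too.
GYP_NAMES = ("binding.gyp", "bindings.gyp")


def install_time_vectors(pkg_dir: str) -> List[str]:
    """Return a human-readable reason for each install-time execution path found."""
    with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
        scripts = json.load(fh).get("scripts") or {}
    vectors = [f"lifecycle script {h}: {scripts[h]}" for h in INSTALL_HOOKS if h in scripts]
    explicit_install = "install" in scripts or "preinstall" in scripts
    for name in GYP_NAMES:
        path = os.path.join(pkg_dir, name)
        if not os.path.exists(path):
            continue
        if explicit_install:
            vectors.append(f"{name} present (built by the explicit install script)")
        else:
            # No install/preinstall script: npm defaults to `node-gyp rebuild`, so the
            # gyp file runs at install time without any scripts entry to inspect.
            vectors.append(f"{name} present: implicit `node-gyp rebuild` on install")
        with open(path, encoding="utf-8") as fh:
            body = fh.read()
        # gyp "actions" entries are arbitrary command lines executed during the build.
        if '"actions"' in body or "'actions'" in body:
            vectors.append(f"{name} declares gyp actions (arbitrary commands at build time)")
    return vectors


def build_sample_package(with_gyp: bool, postinstall: Optional[str] = None) -> str:
    """Construct a throwaway sample package (constructed data, not a real package)."""
    pkg_dir = tempfile.mkdtemp(prefix="npm-sample-")
    manifest = {"name": "sample-pkg", "version": "0.0.0", "scripts": {}}
    if postinstall:
        manifest["scripts"]["postinstall"] = postinstall
    with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh)
    if with_gyp:
        # Minimal gyp target with an "actions" entry, written as JSON (valid gyp syntax).
        gyp = ('{"targets": [{"target_name": "noop", "type": "none", "actions": [{'
               '"action_name": "run", "inputs": [], "outputs": ["out.txt"], '
               '"action": ["node", "build.js"]}]}]}')
        with open(os.path.join(pkg_dir, "binding.gyp"), "w", encoding="utf-8") as fh:
            fh.write(gyp)
    return pkg_dir


if __name__ == "__main__":
    for label, pkg in (("hook only", build_sample_package(False, "node setup.js")),
                       ("gyp only", build_sample_package(True))):
        print(label, install_time_vectors(pkg))
```

Run against an unpacked tarball (`npm pack` then extract) rather than a checked-out repository, since only the published contents matter; a package whose manifest shows an empty `scripts` block but whose directory contains a gyp file with `actions` is exactly the case the post describes.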
We’re excited to sponsor #AWSSummit New York City at the Javits Convention Center!
Stop by booth #144 to see us in action, including live demos with the Amazon Bedrock team on securing your code from commit to cloud.
🎙️Don’t miss our lightning talk at 4 pm, Stop Fighting Security, Start Shipping Secure Code, featuring Semgrep Security Advocate, Space Rogue!
Come and learn how teams can move faster while building secure software from the start.
Learn more and book time to meet with us!👇
https://t.co/ybbEwlASVV
We're giving away a Bambu Lab A1 Mini 3D Printer at our Summer '26 Release Webinar on June 18th. All you have to do is show up.
While you're there, you'll get a 60-minute live demo of how detection, triage, and remediation work as one system, including 96% autotriage agreement rates, 98% SCA noise reduction, and multi-file code autofix for complex auth issues.
Plus a roadmap preview and open Q&A.
📆June 18 at 8am PT
Register here👉https://t.co/inEa8qumYt
Your #AWSSummit LA plans just got better ✅
After a full day of sessions, join Semgrep and ArmorCode at Golden Hour LA for rooftop views, craft cocktails, light bites, and great conversation with the security community.
Come unwind above Downtown LA, connect with fellow security leaders and practitioners, and enjoy a memorable evening at one of LA’s favorite rooftop spots.
📅 Wednesday, June 10
🕕 6:00 PM
Learn more and save your spot here👉 https://t.co/FrWRFkrPYW
At a conference last year someone asked Austin Theriault for performance advice: "what about continuous profiling for OCaml?" and the answer was "it just doesn't exist." It does now.
We've open sourced Pyro Caml, a continuous profiler for OCaml that runs in production with minimal overhead and visualizes results as flame graphs with Pyroscope/Grafana. It's already helped Semgrep find real bottlenecks that would never have been caught otherwise.
https://t.co/BfwU2pPbld
Source code breaches have been in the news this week, and for good reason: they can be among the most devastating breaches for an organization. Our founder and CEO @0xine spoke to @DarkReading and @InfosecurityMag this week, explaining that a source code breach reveals more about the internals of the application and how attackers use those details to their advantage. But how are they using it?
We analyzed anonymized remediation patterns across 50,000 active repositories over the course of a year, and the insights are clear: When a SAST finding surfaces in a pull request, teams resolve it in 4.8 days. When they're caught in a full scan after the sprint closes and code ships, it takes 43 days.
That 9x difference is due to the difficulties of context switching. When the code is still fresh in the developer’s mind, the issue can be resolved immediately.
With capabilities like Semgrep Autofix providing automated remediation suggestions, fixing the issue on the spot becomes frictionless.
Forked Shai-Hulud worm "Miasma: The Spreading Blight" discovered in redhat-cloud-services npm supply chain packages. More details in the blog post...
https://t.co/KrR93ME6tV
⚽The CRA is about to kick off a new era of software regulation in Europe. The question is: is your team on the pitch?
If you ship desktop apps, SDKs, agents, firmware, or downloadable components, you may be in scope.
Join Dr. Katie Paxton-Fear (InsiderPhd) on June 1 to get the game plan before the 2026 and 2027 deadlines.
Register now👇
https://t.co/8DkeNrlHIU
We're heading to Gartner Security & Risk Summit, North America, June 1–3!
Stop by Booth #1022 to see Semgrep Multimodal in action and learn how the top AppSec teams are finding and fixing real vulnerabilities at scale.
📷 Catch our Expo Stage Theater session: "How the Top 15% of AppSec Teams Out-Fix the Field by 3x" — drawing on analysis of 127 million SAST and SCA findings across thousands of enterprise repos, we'll reveal what separates teams that actually fix vulnerabilities from those that don't. Spoiler: it's not tooling. It's operational.
📷 Join us for the Post Gartner Happy Hour with our friends at Tevora — reserve your spot now!
https://t.co/1qzYSuQdR1
Come meet the team onsite — hope to see you there! 📷 https://t.co/TniwZjNCXT
Mythos has the entire cybersecurity industry talking. Is it overblown? Our founder and CEO Isaac Evans spoke to @Reuters this week about the communication gap between policymakers and practitioners when it comes to Mythos: there's a real technical advance there, but we will have to see how that advance translates to the field.
Frontier AI models like Mythos are shifting the balance toward attackers. So we built Semgrep Summer '26 around three ideas to shift it back.
🌀Join us June 18th at 8am PT for a 60-minute live demo of how detection, triage, and remediation finally work as one system, including:
- Multimodal AI Detection: 8x more true positives, 50% fewer false positives than AI alone
- Semgrep Guardian: Stop malware before it ever reaches your codebase
- Autofix PRs with breaking change guidance so devs stay in control
- Plus a roadmap preview, open Q&A, and one lucky attendee wins a Bambu Lab A1 Mini 3D Printer.
Register here👉 https://t.co/inEa8qumYt
Ship Happens, Sail Securely ⛴️ #InfoSecEU is next week & we're hosting the ultimate evening event: a Boat Party Cruise 🎉 Jump aboard with us & our crewmates at @upwind and @tines!
🗓️ On Wednesday 3 June, our security social will set sail down the River Thames - taking in views of the iconic London skyline with drinks & bites in hand.
What better way to celebrate the start of summer?! Join us for beautiful vibes (not that kind…) and views, plus great conversation & company too.
Spots for sailors are limited, so RSVP ASAP! 👉 https://t.co/EE7Yt54yVz
Semgrep's AI Agent rules detect malicious patterns in AI agent skill files across Claude Code, Cursor, Windsurf, Codex, and Continue.
It covers credential access, command execution, persistence mechanisms, and data exfiltration, which are specific techniques used in campaigns like ClawHavoc targeting AI coding assistants.
A total of 122 Pro rules, ready for you to test.
The skill-go-exec-bash-pipe* rule detects execution of bash/sh with the -c flag and pipe operations.
This helps to check for OS Command Injection points and adopt proper access controls.
*This is a Pro rule and only visible to registered users.
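The post describes what the rule matches but, being a Pro rule, not how. The following is an added example, not the Semgrep rule itself and not Semgrep's code: a standalone Python scanner that reproduces the stated check over constructed Go source lines, flagging `exec.Command`/`exec.CommandContext` calls whose program is a shell, whose arguments include `-c`, and whose command string contains a pipe. It goes one step beyond the post's description by also noting whether the `-c` argument is built from non-literal parts, which is the command injection point the post says the rule helps surface. The sample Go code, the `Finding` type and all function names are the example's own.

```python
"""Added example (not the skill-go-exec-bash-pipe rule, not Semgrep's code):
find Go calls that hand a command string containing a pipe to bash/sh -c."""
import re
from typing import Iterator, List, NamedTuple, Optional, Tuple

STRING_LIT = re.compile(r'"(?:[^"\\]|\\.)*"|`[^`]*`')   # Go interpreted and raw strings
SHELLS = {"sh", "bash", "dash", "zsh"}


class Finding(NamedTuple):
    line: int
    shell: str
    command: str    # literal text of the -c argument
    dynamic: bool   # True when the -c argument also contains non-literal parts


def _call_spans(src: str) -> Iterator[Tuple[int, str]]:
    """Yield (line_number, argument_text) for each exec.Command/CommandContext call."""
    for m in re.finditer(r'exec\.Command(?:Context)?\(', src):
        depth, i, in_str = 1, m.end(), None
        while i < len(src) and depth:          # walk to the matching ')' outside strings
            ch = src[i]
            if in_str:
                if ch == "\\" and in_str == '"':
                    i += 1
                elif ch == in_str:
                    in_str = None
            elif ch in '"`':
                in_str = ch
            elif ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            i += 1
        yield src.count("\n", 0, m.start()) + 1, src[m.end():i - 1]


def _split_args(text: str) -> List[str]:
    """Split an argument list on top-level commas, ignoring commas inside strings/brackets."""
    args, cur, depth, in_str, i = [], [], 0, None, 0
    while i < len(text):
        ch = text[i]
        if in_str:
            if ch == "\\" and in_str == '"' and i + 1 < len(text):
                cur.append(ch); i += 1; ch = text[i]
            elif ch == in_str:
                in_str = None
        elif ch in '"`':
            in_str = ch
        elif ch in "([{":
            depth += 1
        elif ch in ")]}":
            depth -= 1
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip()); cur = []; i += 1; continue
        cur.append(ch); i += 1
    if "".join(cur).strip():
        args.append("".join(cur).strip())
    return args


def _literal(arg: str) -> Optional[str]:
    """Return the contents of arg if it is exactly one Go string literal, else None."""
    return arg[1:-1] if STRING_LIT.fullmatch(arg) else None


def find_shell_pipe_exec(go_src: str) -> List[Finding]:
    findings = []
    for line, arg_text in _call_spans(go_src):
        args = _split_args(arg_text)
        lits = [_literal(a) for a in args]
        shell_idx = next((i for i, l in enumerate(lits)
                          if l and l.rsplit("/", 1)[-1] in SHELLS), None)
        if shell_idx is None or "-c" not in lits[shell_idx + 1:]:
            continue
        c_idx = lits.index("-c", shell_idx + 1)
        if c_idx + 1 >= len(args):
            continue
        cmd_arg = args[c_idx + 1]
        literal_text = "".join(l[1:-1] for l in STRING_LIT.findall(cmd_arg))
        if "|" not in literal_text:
            continue
        dynamic = bool(STRING_LIT.sub("", cmd_arg).strip())   # anything left is non-literal
        findings.append(Finding(line, lits[shell_idx], literal_text, dynamic))
    return findings


# Constructed Go sample: lines 9 and 10 should be flagged, the rest should not.
SAMPLE_GO = '''package main

import (
    "context"
    "os/exec"
)

func run(ctx context.Context, pattern string) {
    exec.Command("bash", "-c", "ls -la | grep "+pattern).Run()
    exec.CommandContext(ctx, "/bin/sh", "-c", "cat config.yaml | wc -l").Run()
    exec.Command("ls", "-la").Run()
    exec.Command("bash", "-c", "echo hello").Run()
    exec.Command("bash", "script.sh").Run()
}
'''

if __name__ == "__main__":
    for f in find_shell_pipe_exec(SAMPLE_GO):
        print(f"line {f.line}: {f.shell} -c {f.command!r} dynamic={f.dynamic}")
```

The `dynamic` flag is the part worth triaging first: a pipe in a fixed literal is a code smell, while a pipe in a string concatenated from a parameter is the pattern that needs an allow-list or a switch to `exec.Command` with separate arguments and no shell.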
Last chance to register for tomorrow's webinar! ⏳
Broken authorization, IDOR, and workflow abuse: these are the vulnerabilities causing REAL damage in production, and we're showing you exactly how to find them.
Register now👇
https://t.co/dO3B7RzThu
#AppSec #Cybersecurity
🏆Like the World Cup, the EU Cyber Resilience Act is coming fast - and security teams need more than stoppage time to prepare.
Join Dr. Katie Paxton-Fear (@Insiderphd) on June 1 for a practical breakdown of:
🔵 Who’s actually in scope
🔵 The CRA’s six core obligations
🔵 Key reporting and compliance deadlines
🔵 How to build a winning security program before the final whistle
Register now 👇
https://t.co/8DkeNrlHIU
AI is enabling teams to build faster than ever. But AI coding agents introduce a new class of threats that most security tools aren't built to handle: packages that don't exist, code that passes review but fails under attack, and human reviewers who just can't keep pace.
We've shipped 4 new rulesets to help:
1. AI security rules
2. Agent Skills Rules
3. Shadow AI Rules
4. OWASP LLM Top 10 rules
What are we missing? What threats are you seeing in AI generated code? What do you want to see a rule for next?
Top cyber researchers and tech leaders like our founder and CEO Isaac Evans shared insights with @politico about our experiments with the newest cybersecurity models like Mythos and GPT-5.5.