Semgrep Blog - Plushcap

Blog URL

semgrep.dev/blog

Posts YTD

32 ↑ vs 19 last year

Avg Posts/Month

3.3 since 2022

Monthly Post Volume

Start year:

Post Details

Search:

Title	Author	Published	Words	HN Pts
Catching IDORs, Broken Authorization, and Other Logic Issues with Semgrep AI-Powered Detection	Jack Moxon	2025-11-11	871	--
Respond to Malware Incidents Faster with Advisory Impact Analysis in Semgrep Supply …	Nick Hakmiller, Nabeel Saeed	2025-12-19	590	--
Fix What Matters, Faster: How Semgrep and Sysdig Are Unifying Security from …	--	2025-07-29	535	--
New React2Shell Offspring Patched: React Server Components (DoS) and Source Code Exposure	Jayson DeLancey, Lewis Ardern, Kurt Boberg, Katie Paxton-Fear	2025-12-12	619	--
A Security Engineer's Guide to the A2A Protocol	Kurt Boberg	2025-12-17	1,658	--
From Gatekeepers to Guardrails: Automating Your PCI DSS v4.0.1 Strategy	Braden Riggs	2025-12-16	1,978	--
Semgrep Community Edition Fall Release 2025	Jaweed Metz, Milan Williams	2025-11-06	535	--
From idea to (secure) app: Semgrep + Replit	Chushi Li	2025-05-15	479	--
Semgrep × Cursor Hooks: Making Security Reliable for Agents	Chushi Li, Milan Williams	2025-12-22	461	--
10x your AppSec program with Semgrep Assistant	Chushi Li	2024-03-20	920	--
Rapidly deploy code scans across your organization with Semgrep managed scanning	Pablo Estrada	2024-05-21	594	--
Announcing an AI AppSec engineer that users agree with 95% of the …	Chushi Li	2025-01-22	1,497	--
Security Alert \| NX Compromised to Steal Wallets and Credentials	Romain Gaucher, Jayson DeLancey, Lewis Ardern	2025-08-27	1,750	--
What You Should Know About Dependency Reachability in SCA	Nabeel Saeed	2025-12-15	1,143	--
Finding vulnerabilities in modern web apps using Claude Code and OpenAI Codex	Romain Gaucher, Vasilii Ermilov, Clint Gibler	2025-09-02	3,610	--
AppSec guides, not gates: Introducing secure guardrails with Semgrep	Isaac Evans	2024-07-31	1,243	--
Remote Code Execution Security Bug in React Server Components Patched	Jayson DeLancey, Diptendu Kar, Katie Paxton-Fear	2025-12-03	629	--
How we built an AppSec AI that security researchers agree with 96% …	Jack Moxon, Seth Jaksik	2025-01-22	1,916	--
Protect Against Open Source Malware Attacks with Semgrep Supply Chain	Nabeel Saeed	2025-12-02	1,709	--
Can LLMs Detect IDORs? Understanding the Boundaries of AI Reasoning	Vasilii Ermilov	2025-11-03	3,426	--
How Semgrep & StackHawk Help AppSec Teams Prioritize Real Risks	Jaweed Metz	2025-10-22	548	--
Less effort, more insight: Introducing Dependency Graph for Supply Chain	Cullen Harwood, Aaron Acosta, Leif Dreizler	2024-12-12	1,012	--
Overrated and underperforming: transitive reachability analysis	Kyle Kelly	2024-05-16	991	--
Take control of sensitive code without developer frustration	Jaweed Metz, Katie Kent	2025-03-06	770	--
Building security champions	Tanya Janca	2024-07-01	437	--
🚨 Popular GitHub Action tj-actions/changed-files is compromised	Isaac Evans, Lewis Ardern, Kurt Boberg, Bence Nagy	2025-03-14	931	--
Redefining security coverage for Python with framework-native analysis	Chushi Li	2024-09-05	1,026	--
Announcing Semgrep Code: SAST designed and built for engineers	Raghav Jain	2023-02-14	781	--
Choosing a static analysis tool	Tanya Janca	2024-09-18	843	--
Choosing API Security Tools	Tanya Janca	2023-09-01	723	--
AppSec for Builders: A Manifesto for the Future of Secure Code Development	Jaweed Metz	2025-05-12	841	--
Security scanning with Semgrep in CI	Holden Mcgovern	2022-07-20	683	--
A Security Engineer's Guide to MCP	Kurt Boberg	2025-09-29	2,560	--
Not just another Jira integration	Chushi Li	2024-07-11	479	--
Securing CodeQL queries with Semgrep	Brandon Wu	2024-04-01	1,302	--
Need for speed: static analysis version	Brandon Wu	2022-11-29	2,140	--
Demystifying Taint Mode	Emily Fortuna	2022-09-01	814	--
How we resolved the ‘HTTP request failed: timeout’ issue in OCaml	Hannes Mehnert	2023-07-05	1,859	--
Announcing Semgrep's general availability support of PHP	Pablo Estrada	2022-06-22	215	--
MCP: Model, Context… Propaganda? What security teams need to know about the …	Katie Paxton-Fear	2025-09-08	1,111	--
Benchmarking Semgrep Community Edition Performance Improvements	Jayson DeLancey, Ben Kettle	2025-06-05	661	--
Shoulda, Woulda...Coulda	Lewis Ardern	2022-08-16	454	--
A deep dive into Semgrep Supply Chain	Kurt Boberg	2022-10-13	1,683	--
AI & Cybersecurity: Learnings from three months of Semgrep Assistant	Bence Nagy	2023-07-18	1,599	--
My Very, Very, VERY HONEST Internship Experience @ Semgrep	Charissa Kim	2023-10-12	1,143	--
Testing autofix behavior of SAST rules	Pieter De Cremer	2022-08-03	1,410	--
Much ado about cURL	Kurt Boberg	2023-10-11	873	--
You do not need to do DAST in a pipeline to do …	Tanya Janca	2023-12-07	2,042	--
The best free, open-source supply-chain security tool? The lockfile	Isaac Evans	2022-01-20	1,531	--
Announcing Kotlin Reachability: Expanding the reach of Semgrep’s reachability	Kyle Kelly	2024-10-28	552	--
Engage your champions	Tanya Janca	2024-08-09	454	--
What it takes to make shift left work	Isaac Evans	2024-04-16	610	--
Secrets Story: The Prefixed Secrets That Tried%20to%2BGet\nAway	Lewis Ardern	2025-11-19	2,502	--
Bringing Semgrep Managed Scanning to GitLab: automated code scanning at scale	Andy Huang	2024-11-18	485	--
Code to cloud noise reduction - Prioritizing code security with Semgrep & …	Vivek Khimani, Andy Huang, Jaweed Metz	2025-03-03	620	--
Announcing custom rules for Semgrep Secrets	Leif Dreizler, Lewis Ardern	2024-04-23	623	--
Sha1-Hulud: The Second Coming of the NPM Worm is Digging For Secrets	Katie Paxton-Fear, Pieter De Cremer	2025-11-24	4,113	--
The Difference Between SCA and Supply Chain Security	Tanya Janca	2023-08-22	1,026	--
Beyond vulnerabilities: Detect malicious dependencies in your supply chain	Misha Kuenstner, Pablo Estrada	2025-04-09	667	--
Semgrep’s VS Code extension: powerful SAST as fast as linting	Austin Theriault	2023-06-08	931	--
Releasing Semgrep 1.0	Yoann Padioleau	2022-12-01	1,180	--
Security Regulations: From Scary Stories to Strategic Advantage	Katie Paxton-Fear	2025-11-18	1,400	--
Cross-compiling OCaml to JS and Wasm: How we made the Semgrep Playground …	Tom Petr	2023-06-06	1,449	--
Semgrep's May 2022 updates	Chinmay Gaikwad	2022-05-11	878	--
Imagine zero false positive SAST	Chushi Li	2025-06-12	851	--
Fix today’s vulnerabilities and prevent tomorrow’s with secure guardrails	Pablo Estrada	2024-07-31	1,323	--
Developer-focused results and improved coverage with Semgrep Pro rules	Claudio Merloni	2023-02-24	1,253	--
Announcing Semgrep's experimental support of Swift	Nat Mote	2022-09-06	280	--
Announcing Semgrep’s support for Go in Pro Engine	Milan Williams	2023-05-26	284	--
Beyond Benchmarks: How Semgrep Redefines Javascript Security	Milan Williams	2025-02-25	589	--
It's time to ignore 98% of dependency alerts. Introducing Semgrep Supply Chain.	Adam Berman	2022-10-04	876	--
Continuous learning	Tanya Janca	2024-01-04	1,400	--
Help us rename Semgrep OSS!	Luke O'Malley	2024-11-01	414	--
Should security engineers care about transitive supply chain vulnerabilities?	Kyle Kelly	2023-09-07	1,578	--
Conclusion: Security Champions	Tanya Janca	2024-09-11	404	--
My experience interning at r2c	Vivek Khimani	2022-06-30	1,127	--
Powerfully autofixing code with Semgrep's new AST-based approach	Nat Mote	2022-11-03	1,128	--
London calling: Highlights from the 2025 cloud & cyber security expo	Jaweed Metz	2025-03-18	1,626	--
Upgrading Semgrep from OCaml 4 to OCaml 5	Nat Mote	2025-03-12	2,495	--
Semgrep Spring 2022 meetup recap	Emily Fortuna	2022-04-06	1,530	--
Announcing Semgrep Supply Chain’s beta support for C#	Chinmay Gaikwad	2023-09-29	259	--
Security Advisory \| NPM Packages Using Secret Scanning Tools to Steal Credentials	Jayson DeLancey	2025-09-15	1,111	--
Why AI-Powered Memories are the Future of SAST	Isaac Evans	2025-01-22	825	--
Semgrep recognized in the 2025 Gartner® Magic Quadrant™ for Application Security Testing	Pablo Estrada	2025-10-14	949	--
Boosting Security Scan Performance for Monorepos with Multicore Parallel Processing	Jayson DeLancey	2025-11-11	1,114	--
Teaching security champions	Tanya Janca	2024-08-13	379	--
Fully loaded: testing vulnerable PyYAML versions	Grayson Hardaway	2022-10-06	947	--
Recognizing and rewarding security champions	Tanya Janca	2024-07-14	783	--
Go beyond regex: introducing Semgrep Secrets	Raghav Jain	2023-10-24	978	--
Semgrep Fall '23 Launch: improved coverage + enterprise fit	Chushi Li	2023-11-14	703	--
HackerOne partners with Semgrep to combine expert code review with powerful automation	Isaac Evans, Alex Rice	2024-01-11	336	--
The CVE program’s new rules: will they affect your vulnerability management?	Kyle Kelly	2024-06-27	1,181	--
Announcing AI-assisted remediation guidance on every PR	Chushi Li, Jack Moxon	2024-09-05	1,224	--
A Technical Deep Dive into Semgrep’s JavaScript Vulnerability Detection	Vasilii Ermilov	2025-03-05	1,361	--
Automating Security Workflows with the Semgrep Policy Management API	Jaweed Metz	2025-01-15	557	--
Recruiting security champions	Tanya Janca	2024-08-01	281	--
Maturing Your Application Security Program Survey	Tanya Janca	2025-03-28	254	--
The journey of a language from experimental to GA in Semgrep	Brandon Wu, Enno Liu	2023-06-06	1,029	--
Tips and tricks for writing fixes	Pieter De Cremer	2022-04-18	834	--
Semgrep's February 2022 Updates	Chinmay Gaikwad	2022-02-10	962	--
Introducing Semgrep’s Community-Oriented Twitter Account	Amanda McCarvill	2024-06-13	343	--
Enhancing developer happiness: The impact of identifying code-specific issues	Pieter De Cremer	2024-01-29	1,714	--
Taming the elephant: Introducing reachability analysis for PHP	Pablo Estrada	2025-06-24	427	--
Expanding Semgrep Supply Chain into Dependency Intelligence and License Compliance	Bence Nagy, Andy Huang	2023-06-07	773	--
Announcing Semgrep Code Search (public beta)	Leif Dreizler	2024-05-07	751	--
Three key learnings for AppSec teams from the XZ backdoor	Jonathan Werrett	2024-04-05	1,350	--
Enterprise Scale Code Scanning: Semgrep Managed Scans Crossed 1 MILLION Weekly Scans	Braden Riggs	2025-10-01	907	--
Preventing secrets in code	Tanya Janca	2023-09-11	1,396	--
The tech behind Semgrep Assistant’s triage and remediation guidance	Chushi Li, Rohit Jayaram	2024-08-21	1,355	--
Driving enterprise adoption of AI code security with Semgrep Assistant	Chushi Li, Jack Moxon	2024-10-24	717	--
5 Ways SAST and SCA help fintech companies innovate securely	Cullen Harwood	2025-02-13	1,159	--
The indomitable maintainer spirit versus the indifferent cruelty of JavaScript	Max Vonblankenburg	2023-07-26	1,298	--
Series D announcement	Isaac Evans	2025-02-05	920	--
What a Hackathon Reveals About AI Agent Trends to Expect in 2026	Jayson DeLancey, Braden Riggs	2025-11-25	1,340	--
Easily create custom SAST guardrails with human language and Semgrep Assistant (AI)	Nitin Nayar	2024-10-09	933	--
Efficient Dependency Management: Leveraging Manifest Files, Lockfiles, and SemVer Specifications	Kyle Kelly	2023-11-29	1,033	--
The OWASP API Security Top Ten: API1:2019 Broken Object Level Authorization	Tanya Janca	2022-01-28	838	--
New insight into backlogs, developer engagement, and security posture	Pablo Estrada	2024-09-19	592	--
Bringing more Semgrep capabilities to BitBucket and Azure DevOps	Vivek Khimani, Andy Huang	2024-08-16	458	--
Comparing Semgrep Community Edition and Semgrep Code for Static Analysis Sensitivity	Jayson DeLancey	2025-06-26	881	--
DevSecOps worst practices – the series	Tanya Janca	2023-09-22	686	--
Does your LLM thing work? (& how we use promptfoo)	Bence Nagy	2024-09-06	2,619	--
Giving AppSec a Seat at the Vibe Coding Table	Chushi Li	2025-04-02	579	--
Semgrep Supply Chain announces dataflow reachability support for 10 languages	Misha Kuenstner, Cullen Harwood	2024-12-03	877	--
Semgrep Code brings modern static analysis to C/C++	Chushi Li	2024-02-27	1,815	--
Why We Hack Purple and I are joining Semgrep	Tanya Janca	2023-08-04	691	--
Our AI Assistant is handling 60% of incoming triage work for customers	Chushi Li, Rohit Jayaram	2025-09-10	1,071	--
CocoaPods vulnerabilities highlight risks in dependency managers	Kyle Kelly	2024-07-09	553	--
Introducing Semgrep Academy: the door to cyber security for everyone	Tanya Janca	2024-05-01	400	--
Five Considerations When Building Cross-Platform Tools for Windows and macOS	Jayson DeLancey, Nat Mote	2025-11-07	1,059	--
Sense and (path) sensitivity: My experience adding a new feature as a …	Katrina Liu	2024-07-26	1,836	--
XML Security in Java	Pieter De Cremer	2023-01-17	2,263	--
The Future of SaaS Security: AI-Driven, Fast, and Secure	Jaweed Metz	2025-03-07	950	--
Security scanning at ludicrous speed	Emma Jin	2023-12-12	545	--
Introducing DeepSemgrep	Isaac Evans	2022-05-24	1,082	--
Semgrep Quarterly Launch: scaling your AppSec impact just got easier	Chushi Li	2024-05-21	824	--
Security Champions: Metrics & Data	Tanya Janca	2024-09-06	670	--
The birth of Semgrep Pro Engine	Colleen Dai, Emma Jin	2023-04-10	3,124	--
Why SAST tools need to be customizable to be useful	Edwin Amador Artiles	2024-02-07	1,541	--
So the first malicious MCP server has been found on npm, what …	Katie Paxton-Fear	2025-10-02	1,509	--
Write custom rules with the new Playground	Milan Williams	2022-06-14	449	--
Comparing Reachability Analysis methods: Semgrep's distinct approach	Kyle Kelly	2024-01-17	1,049	--
Guardrails for PromQL using Semgrep	Michael Hoffmann	2023-08-08	868	--
Through a Scanner Falsely: When AI-reported Critical Vulnerabilities Aren’t	Jonathan Werrett	2025-11-04	818	--
Building an enterprise-ready, scalable security program using Semgrep	Jason Lim, Chinmay Gaikwad	2022-11-18	925	--
Semgrep, a code & supply chain security search engine, raises Series C	Isaac Evans	2023-04-18	949	--
Keep your rules simple with symbolic propagation	Iago Abal	2022-02-07	490	--
Unlocking advanced security for all: Semgrep’s latest update	Luke O'Malley	2023-06-06	917	--
Announcing Semgrep’s beta support for Rust	Matt Schwager	2023-03-01	329	--
Security headers for ASP.Net and .Net CORE	Tanya Janca	2024-01-24	483	--
Protect your code from the Polyfill supply chain attack	Pablo Estrada, Kyle Kelly	2024-06-26	567	--
Software supply chain security is hard	Andy Huang	2022-09-28	992	--
Exploit exploitability: prioritize supply chain findings with EPSS	Kyle Kelly, Ben Kettle	2024-09-07	691	--
Announcing Semgrep’s experimental support for Julia	Brandon Wu	2023-05-03	378	--
Semgrep now supports Cairo 1.0	Romain Jufer	2023-05-30	485	--
A day in the life: Supply Chain Security Researcher	Misha Kuenstner	2024-08-19	1,190	--
We put GPT-4 in Semgrep to point out false positives & fix …	Bence Nagy	2023-04-04	1,635	--
Structure Mode: Never write an invalid Semgrep rule again	Brandon Wu	2024-04-30	2,012	--
(Over)Communication with your security champions	Tanya Janca	2024-07-17	1,041	--
LSP.js: Using Wasm and JavaScript to support OCaml on Windows	Austin Theriault	2024-05-02	2,845	--
Important updates to Semgrep OSS	Luke O'Malley	2024-12-13	629	--
Using AI to write secure code with Semgrep	Raja Rao Dv	2023-04-04	657	--
Security Alert \| chalk, debug and color on npm compromised in new …	Katie Paxton-Fear	2025-09-08	655	--
Finding More Zero Days Through Variant Analysis	Eugene Lim	2025-07-10	4,494	--
Scaling Semgrep rule coverage by spidering language documentation	Kurt Boberg	2022-03-10	1,003	--
7 Things We Learned from the EU’s Cybersecurity Threat Landscape 2050 Report	Katie Paxton-Fear	2025-10-29	896	--
Choosing AI AppSec Tools: 9 Deciding Factors	Jayson DeLancey	2026-01-09	1,546	--
Your Window of Exposure is the Attacker's Window of Opportunity	Diptendu Kar, Derian Stenglein	2026-01-12	1,232	--
AI Can Do More Than Build Web Apps: What Hardware Hacking Teaches …	Katie Paxton-Fear	2026-01-20	1,236	--
New Sandbox Escape Affecting Popular nodejs Sandbox library vm2	Katie Paxton-Fear, Kurt Boberg	2026-01-27	948	--
Security Like It's 1977: Capabilities for the Modern Agentic Web	Kurt Boberg	2026-01-28	2,057	--
OWASP Top 10 2025: What's New	Milan Williams	2026-02-04	428	--
OpenClaw Security Engineer's Cheat Sheet	Kurt Boberg	2026-02-10	2,383	--
Open Source Security: Chaos, Collaboration, and the Cost of “Free”	Katie Paxton-Fear	2026-02-12	1,193	--
Semgrep x Cursor: Introducing Cursor Plugins	Milan Williams	2026-03-11	490	--
Accelerate and Automate Remediation with Semgrep Autofix	Nabeel Saeed, Braden Riggs	2026-03-16	662	--
Introducing Semgrep Custom Workflows	Vivek Khimani, Braden Riggs	2026-03-18	1,265	--
Will there be more security engineers in the future, or fewer?	Isaac Evans	2026-03-19	974	--
Attackers Can't Have All the Advantage: Introducing Semgrep Multimodal	Pablo Estrada	2026-03-19	659	--
Hackers Supply Chain Attack Moves From npm to PyPI as Trivy Breach …	Katie Paxton-Fear	2026-03-24	2,543	--
Security Companies Under Attack: Defense in the Agentic Era	Kurt Boberg	2026-03-26	744	--
Client SDKs Like The Telnyx Python Package Are a Supply Chain Blind …	Jayson DeLancey	2026-03-27	975	--
The best free, open-source supply-chain security tool? The lockfile (updated 2026)	Isaac Evans	2026-03-31	1,743	--
Axios Supply Chain Incident: Indicators of Compromise	Lewis Ardern, Pieter De Cremer, Jayson DeLancey	2026-03-31	893	--
Preventing Vulnerable Code From Merging Without Blocking Developers	Braden Riggs	2026-04-02	998	--
Codebase-Aware Reachability Analysis Coverage for Rust	Max Vonblankenburg, Katie Kent	2026-04-03	1,264	--
Security Should Be the Path of Least Resistance	Cris Thomas (Space Rogue)	2026-04-13	1,137	--
Needles and haystacks: Can open-source & flagship models do what Mythos did?	Kurt Boberg	2026-04-17	1,602	--
Mythos & Semgrep	Isaac Evans	2026-04-17	745	--
Semgrep chosen to be part of OpenAI’s Trusted Access for Cyber Program	Pablo Estrada	2026-04-17	420	--
Mythos: Bad Takes, Facts, and Fear	Isaac Evans	2026-04-20	1,868	--
Security Advisory: $foo compromised on $packagemanager	Jayson DeLancey, Cris Thomas (Space Rogue)	2026-04-22	703	--
Attackers Are Still Coming for Security Companies. Here's Where We Stand.	Katie Paxton-Fear	2026-04-23	1,529	--
How-to Write Skills That Make Your AI-Generated Code More Secure	Jayson DeLancey	2026-04-28	2,204	--
SAP Cloud Build Tool Packaged A Mini Shai-Hulud Malicious Dependency That Uses …	--	2026-04-29	411	--
NIST No Longer Enriching CVEs, Signaling Industry-Wide Shift Away from NVD.	Nabeel Saeed	2026-04-29	616	--
Malicious Intercom PHP Package Spreads Mini Shai-Hulud Attack to Packagist via Composer …	--	2026-04-30	723	--
Shai-Hulud Themed Malware Found in the PyTorch Lightning AI Training Library	--	2026-04-30	1,127	--

Plushcap, by Matt Makai. 2021-2026.