
Inside the AI Memories Security Teams Are Writing

Blog post from Semgrep

Post Details
Author: Braden Riggs
Word count: 1,191
Language: English
Summary

Security scanners like Semgrep are effective at identifying common vulnerability classes, but they usually need customization before their results are accurate for a particular organization's codebase. In the post this customization takes the form of "memories": organization-specific knowledge that encodes which findings matter in a given environment and framework. An analysis of memories written by security teams found that two categories, non-production environments and framework protection, account for nearly half of all memories. Both exist to remove recurring false positives: a generic scanner cannot tell that a code path is test-only, and it does not know which internal security controls are already in place.

Non-production memories tell the scanner which code paths never reach production (tests, fixtures, local tooling), so findings there are not treated as real exposure. Framework protection memories record existing controls such as authentication decorators and parameterizing query builders, so a finding that is already covered by one of them is not raised as an open issue. Memories are created in two ways: proactively by security teams, or generated from the triage decisions developers make on individual findings, which turns one person's judgment into institutional knowledge that applies to every later finding of the same kind.

The practical recommendation is to start with these two categories, since they are the largest sources of repeated noise; encoding them first yields the biggest drop in false positives for the least effort. The full data and implementation guidance are in the Remediation at Scale report, which covers these findings alongside broader recommendations for improving Static Application Security Testing (SAST) effectiveness.
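To make the two memory categories concrete, here is an added, self-contained Python example (not code from the post, and not Semgrep's memory format or API) that models memories as data applied to raw findings: non-production memories are path globs, framework-protection memories are regexes over the finding and the source of its enclosing function. The findings, rule ids, memories and the assumption that the scanner reports the enclosing function's source are all constructed for illustration. It also shows the second way memories arise in the post: a developer's dismissal of one finding is turned into a memory that covers the next one like it.

```python
"""Toy model of SAST 'memories': reusable triage knowledge applied to raw findings.

Two memory categories from the post are modelled:
  * non_production: path globs for code that never ships (tests, fixtures, scripts)
  * framework_protection: a control already present around the finding
    (an auth decorator on the enclosing function, or a parameterizing query builder)
Everything here (findings, rule ids, memories, the 'enclosing' field) is constructed
for this example; it is not Semgrep's memory format or API.
"""
import fnmatch
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    snippet: str          # the matched line
    enclosing: str = ""   # source of the enclosing function; assumed to be supplied by the scanner


@dataclass(frozen=True)
class Memory:
    category: str         # "non_production" or "framework_protection"
    applies_to: str       # glob over rule ids; "*" means every rule
    pattern: str          # path glob (non_production) or regex over enclosing+snippet (framework_protection)
    note: str             # the reason a reviewer gave when dismissing


def suppressed_by(finding, memories):
    """Return the first memory that explains the finding away, or None if it stays."""
    context = finding.enclosing + "\n" + finding.snippet
    for m in memories:
        if not fnmatch.fnmatch(finding.rule_id, m.applies_to):
            continue
        if m.category == "non_production" and fnmatch.fnmatch(finding.path, m.pattern):
            return m
        if m.category == "framework_protection" and re.search(m.pattern, context, re.MULTILINE):
            return m
    return None


def triage(findings, memories):
    """Split findings into those still worth a human's time and those a memory suppresses."""
    kept, suppressed = [], []
    for f in findings:
        m = suppressed_by(f, memories)
        if m is None:
            kept.append(f)
        else:
            suppressed.append((f, m))
    return kept, suppressed


def memory_from_dismissal(finding, category, note):
    """Turn one developer dismissal into a memory that covers the next similar finding.

    Heuristics (an assumption of this example, not the post's method):
      non_production       -> glob for the finding's top-level directory, all rules
      framework_protection -> first decorator on the enclosing function, scoped to the rule family
    """
    if category == "non_production":
        top = finding.path.split("/", 1)[0]
        return Memory(category, "*", f"{top}/**", note)
    decorators = re.findall(r"^@(\w+)", finding.enclosing, re.MULTILINE)
    if not decorators:
        raise ValueError("no decorator on the enclosing function to anchor a protection memory on")
    family = finding.rule_id.rsplit(".", 1)[0] + ".*"
    return Memory(category, family, r"^@" + decorators[0] + r"\b", note)


# Constructed findings, in the shape a SAST tool might report them.
FINDINGS = [
    Finding("python.sqli.string-concat", "app/reports.py",
            'cur.execute("SELECT * FROM r WHERE owner=" + user_id)',
            "def report(cur, user_id):"),
    Finding("python.sqli.string-concat", "tests/test_reports.py",
            'cur.execute("SELECT * FROM r WHERE owner=" + "1")',
            "def test_report(cur):"),
    Finding("python.auth.missing-check", "app/admin.py",
            "def delete_user(request, uid):",
            "@login_required\n@staff_member_required\ndef delete_user(request, uid):"),
    Finding("python.sqli.tainted-query", "app/search.py",
            "rows = db.execute(select(User).where(User.name == q))",
            "def search(db, q):"),
]

# Constructed memories covering the two categories the post singles out.
MEMORIES = [
    Memory("non_production", "*", "tests/**", "pytest tree, never deployed"),
    Memory("framework_protection", "python.auth.*",
           r"^@(login_required|staff_member_required)\b",
           "Django auth decorators already enforce the check this rule looks for"),
    Memory("framework_protection", "python.sqli.*", r"\bselect\(.*\)\.where\(",
           "SQLAlchemy Core builder binds values as parameters"),
]


if __name__ == "__main__":
    kept, suppressed = triage(FINDINGS, MEMORIES)
    for f in kept:
        print("REVIEW    ", f.rule_id, f.path)
    for f, m in suppressed:
        print("SUPPRESSED", f.rule_id, f.path, "<-", m.category + ":", m.note)
    # A reviewer dismisses a finding under scripts/; the dismissal becomes a memory for next time.
    learned = memory_from_dismissal(
        Finding("python.sqli.string-concat", "scripts/backfill.py",
                'cur.execute("DELETE FROM r WHERE owner=" + owner)', "def main(cur, owner):"),
        "non_production", "one-off operator scripts")
    print("LEARNED   ", learned)
```

Running it leaves only the `app/reports.py` concatenation for review; the test copy, the decorator-protected admin view and the query-builder call are each suppressed with the memory that explains why. Two caveats a practitioner should carry over to a real deployment: `fnmatch` globs match `/`, so `tests/**` also covers deeper paths but `**/fixtures/**` would not match a top-level `fixtures/` directory, and a framework-protection memory keyed on a decorator name is only as trustworthy as the decorator, so it should be scoped to the rule family it actually neutralizes, as `memory_from_dismissal` does.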