The birth of Semgrep Pro Engine
Blog post from Semgrep
Semgrep Code, a specialist in Static Application Security Testing (SAST) solutions, faced significant challenges in developing interfile analysis for its developer-focused security tooling. The primary goal was a security tool that developers could easily understand and improve themselves, which led to the open-source tool Semgrep, a semantic code pattern search engine. Initially, Semgrep could only analyze one file at a time; recognizing that many real vulnerabilities span multiple files, the company set out to add interfile analysis. The process began with a focused benchmark built around Java and SQL injection vulnerabilities, followed by repeated iteration with users to refine the tool. Despite technical difficulties and the need for extensive user engagement, Semgrep successfully launched interfile analysis for Java and JavaScript, significantly improving its detection capabilities. The effort highlighted the value of user feedback and the difficulty of balancing technical development against user needs, and it ultimately produced a more robust security product that can identify vulnerabilities that cross file boundaries and supports various programming languages.