
Why AI-Powered Memories are the Future of SAST

Blog post from Semgrep

Post Details

Company: Semgrep
Author: Isaac Evans
Word Count: 825
Language: English
Summary

In 2023, the prevailing belief about traditional static application security testing (SAST) tools shifted: large language models (LLMs) were expected to transform the field and make many existing tools obsolete, Semgrep included. The author was initially skeptical that LLMs could do more than provide remediation guidance, but by 2024 it became clear that they could improve the findings engine itself, raising the signal-to-noise ratio (SNR); this matters because false positives lead engineers to ignore alerts. Because Semgrep is open source, LLMs can be used to write its rules, but domain-specific knowledge is still required. A major breakthrough was the "Memories" feature, which applies a user's triage data to refine rules and findings, allowing customization without YAML expertise. In the private beta, users were able to significantly reduce their backlog of security findings by encoding organization-specific context into the deterministic SAST engine. This points to a future in which security practitioners can rely on tools that understand security nuances on their own, reducing the need for "security tool experts" and letting teams focus on more strategic work.