Semgrep is the leading AI-augmented application security platform, combining deterministic SAST/SCA/Secrets scanning with LLM reasoning via Semgrep Multimodal (March 2026). It is uniquely positioned at the intersection of security tooling and AI-assisted development through its MCP server, which lets AI coding agents (Claude Code, Cursor, Windsurf) invoke security scans as part of their agentic workflows. $204M funded (Sequoia, Menlo, Lightspeed) with a $500M-$1B valuation and 18K+ organizations. Competes with Snyk, CodeQL, and Checkmarx in SAST, and with Opengrep, the open-source alternative created by the January 2025 fork.
Adoption & Proof Points
- 18K+ organizations; 100M+ lines of code scanned daily. Named customers include Snowflake, Figma, Lyft, Dropbox, GitLab, Slack, Shopify, HashiCorp, Vanta, and Webflow. LinkedIn runs Semgrep as ONE component of a multi-scanner SAST pipeline (GitHub Actions + CodeQL + Semgrep) per InfoQ, Feb 2026: a legitimate enterprise reference, but not LinkedIn's sole SAST. Funding: Series D of $100M led by Menlo (Feb 2025); company-reported ~$204M total (Tracxn lists ~$193M); prior Series C at a $395M valuation. G2 rating 4.6 from 55 reviews. PeerSpot 8.0/10, with 61% of reviewers in the large-enterprise segment; Gartner Peer Insights presence. SAST mindshare grew from 1.1% to 2.8% YoY (Jan 2026). ~2,000-3,000+ community rules in the Registry (GitHub ~14.3-14.9k stars). Semgrep Secure 2026 virtual keynote (Feb 2026).
Risks & Limitations
- An unverified May 2026 Qilin ransomware/data-exfiltration claim against Semgrep remains unresolved (no vendor statement, scope unknown); this is the primary near-term risk: if a leak confirms exposure of customer source code or scan data, it would materially impact compliance and trust. The Opengrep fork (Jan 2025), backed by 10+ appsec vendors (Aikido, Endor Labs, Jit, Orca, Arnica, Amplify, Kodem, Legit, Mobb, Phoenix), restored cross-function taint analysis after Semgrep's license shift; analysts frame it as market segmentation (free LGPL CLI vs commercial platform) rather than displacement. Codacy is the one named platform that migrated, and the backing vendors mostly embed Opengrep in their own products (189+ contributors, ~2,100 stars vs Semgrep's ~14.3k). The IntelliJ/JetBrains extension is beta and Community-Edition-only (no Supply Chain, Secrets, Pro rules, or Pro Engine). Custom Workflows is still gated. Enterprise pricing is custom/contact-sales. The headline Multimodal accuracy figures (8x more true positives, 50% fewer false positives) are vendor-reported with no independent validation. US-only data residency limits EU-headquartered customers. Semgrep is an AppSec platform, not a coding assistant; the AI/agentic layer (Multimodal, MCP, Workflows) is the component relevant to this radar and is still maturing.
Capabilities & Integration
- Semgrep Multimodal combines deterministic Pro Engine taint analysis with LLM reasoning and, per vendor reporting (not independently validated), finds up to 8x more true positives with ~50% fewer false positives than foundation models alone, including business-logic flaws (IDOR, broken auth) that traditional SAST cannot detect. Autotriage reportedly reduces the backlog by ~60% on first use. Multimodal is built on Semgrep Workflows, a framework for autonomous code security. The AI 'Memories' feature learns from triage decisions to suppress repeat noise. The MCP Plugin bundles the MCP server with Hooks and Skills so that every file an AI agent generates is scanned and the agent is prompted to regenerate until the scan is clean. Cross-file (interfile) taint analysis covers 8 languages (C/C++/C#/Go/Java/JS-TS/Kotlin/Python), plus pattern matching across 30+ languages via Pro Engine; the v1.158 interfile redesign brings a 20-40% taint-analysis performance gain. Reachability analysis sharply reduces SCA false positives.