How Copper transformed security and compliance with Semgrep

  • Copper achieved 50% faster remediation with Semgrep’s AI-powered code suggestions and real-time GitHub integration, resolving issues in half the time.
  • Copper improved compliance and audit readiness by streamlining vulnerability tracking and remediation for smoother audits and reporting.
  • Semgrep enabled Copper to boost developer engagement, enabling devs to write custom security rules and fix critical issues within their workflows in under an hour.

Overview

Copper.co is a leading provider within the cryptocurrency sector, offering custodial services for digital assets as well as collateral management and prime services for institutional investors. As cryptocurrency has gained greater institutional adoption, institutional customers have demanded stricter security standards and compliance measures. This shift has driven Copper to continuously enhance its security posture.

To meet both internal and client demands, Copper transitioned from a traditional SAST provider to Semgrep, seeking better developer engagement, faster issue resolution, and improved security coverage. In the 12 months since implementing Semgrep, Copper has significantly reduced risk, improved compliance tracking, and streamlined developer workflows.

The challenge Copper looked to solve

Balancing security with compliance in an evolving industry

As cryptocurrency markets mature, institutional investors demand enterprise-grade security combined with strict compliance measures. Regional regulatory frameworks like SOC 2 and DORA require Copper to proactively manage its audit requirements: maintain robust audit trails covering vulnerabilities, remediate in a timely manner, and run internal processes that disseminate alerts efficiently.

Evolving requirements meant that Copper needed to review their SAST capabilities to ensure they met the latest security and compliance demands.

The Solution

Why Copper chose Semgrep

Copper evaluated alternatives within the SAST space and chose to partner with Semgrep, onboarding Semgrep Code with a specific focus on speed, flexibility, and seamless integration.

Key benefits for Copper's AppSec team

  • Comprehensive security coverage – Semgrep Code integrated easily into GitHub, ensuring full coverage of Copper’s codebase.

  • Developer-Friendly Experience – Enabled real-time feedback with GitHub PR comments, reducing friction.

  • Custom Security Rules – Copper was able to easily write and test rules in under an hour, ensuring quicker mitigations.

  • Faster Issue Resolution – AI-powered suggestions helped reduce remediation by 50% for devs.

Frictionless onboarding with Semgrep

Copper’s selection and adoption of Semgrep was not just about replacing their legacy security tool—it was about finding a solution that fit seamlessly into developer workflows while improving security coverage and efficiency. The first step in this transition was ensuring a smooth onboarding experience.

One of the key aspects that stood out to Copper was the speed and ease of integration during the onboarding stage. Within a short period, Copper was able to successfully integrate Semgrep into their GitHub workflows, gaining immediate visibility into security issues without disruption to developer velocity.

For instance, while Copper’s previous security tool required manual intervention, Semgrep’s developer-centric onboarding and execution ensured that flagged vulnerabilities were automatically embedded into pull requests. Developers could now see and resolve issues directly within their existing toolset, significantly reducing friction. As a result, Copper saw a noticeable improvement in time-to-remediation, with vulnerabilities being addressed in less than half the time compared to their previous setup.

Overall, Semgrep’s onboarding experience set the foundation for Copper’s shift-left security approach, enabling their teams to move fast while staying secure. Within just one month, they had already seen significant improvements in security issue resolution, developer engagement, and compliance readiness, reinforcing Semgrep’s value as a core part of their security stack.

The results

Risk reduction and 50% faster remediation

Within the first month, Copper saw a significant drop in remediation time, due to Semgrep’s real-time GitHub comments and AI-powered code suggestions. Copper saw a significant acceleration in issue resolution, reducing remediation time by half.

Enhanced developer engagement & workflow integration

  • Seamless GitHub integration allowed devs to address issues without logging into external tools.

  • Custom security rules streamlined vulnerability detection. One rule Copper wrote detected hardcoded tokens: after finding a critical issue of this kind, the team used Semgrep to write, test, deploy, and integrate the rule into VS Code within an hour.
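To make the hardcoded-token rule concrete, here is an added example of what such a custom Semgrep rule looks like. It is not Copper's rule and not part of the original case study; the rule id, the variable-name regex, the severity and the sample file name are assumptions chosen for illustration.

```yaml
# Added example: a minimal Semgrep rule that flags string literals assigned
# to credential-looking variables in Python. Not Copper's rule; the id,
# the name regex and the sample file name are illustrative assumptions.
rules:
  - id: example-hardcoded-token
    languages: [python]
    severity: ERROR
    message: >-
      Hardcoded secret assigned to $VAR. Read it from the environment or a
      secrets manager instead of committing it to source.
    metadata:
      category: security
      cwe: "CWE-798: Use of Hard-coded Credentials"
    patterns:
      # A string literal (any quote style) assigned to a variable ...
      - pattern: $VAR = "..."
      # ... whose name suggests it holds a credential ...
      - metavariable-regex:
          metavariable: $VAR
          regex: (?i).*(token|secret|api_?key|password).*
      # ... but ignore empty placeholders such as API_TOKEN = "".
      - pattern-not: $VAR = ""

# Constructed sample input (not Copper's code) showing what the rule flags.
# Save it as secrets_demo.py and run:
#   semgrep --config hardcoded-token.yaml secrets_demo.py
#
#   API_TOKEN = "sk-live-0123456789"        # flagged: name matches, literal value
#   db_password = ""                        # not flagged: empty placeholder
#   api_token = os.environ["API_TOKEN"]     # not flagged: not a string literal
#   greeting = "hello"                      # not flagged: name does not match
```

The "test" step the case study mentions maps onto Semgrep's built-in rule tests: annotate lines of the sample file with `# ruleid: example-hardcoded-token` where a finding is expected and `# ok: example-hardcoded-token` where none is, and `semgrep --test` checks that the rule's findings match those annotations before the rule is deployed to CI or the editor.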

Improved compliance & audit readiness

  • Audits have become more efficient, as Copper can now track vulnerabilities, remediation times, and compliance efforts in one place.

  • Semgrep’s data reporting capabilities allowed easy export to an ancillary Application Security Posture Management (ASPM) platform, providing valuable dashboards for security teams reporting across the organization.

Shift-left security & a maturing AppSec strategy

  • Shift-left adoption accelerated, guiding developers toward secure coding practices early in the process.

  • Future plans include more blocking of PRs with vulnerabilities to further enforce security guardrails.

A more secure and efficient future

Since implementing Semgrep, Copper’s security strategy has matured significantly. While the company has not dramatically grown in headcount over the past year, its security maturity and operational efficiency have advanced significantly.

Semgrep has become an essential tool, helping Copper maintain a strong security posture while enabling developers to move fast. As Jakub Kneppo, Application Security Principal, stated:

“Semgrep empowers our developers with real-time security insights, cutting remediation time by 50% while seamlessly integrating into our workflow.”

As Copper continues to scale, Semgrep will remain a key part of its security stack, ensuring faster, smarter, and more efficient security practices in an industry that moves at lightning speed.

About

Semgrep lets security teams partner with developers and shift left organically, without introducing friction. Semgrep gives security teams confidence that they are only surfacing true, actionable issues to developers, and makes it easy for developers to fix these issues in their existing environments.