Assistant helps AppSec engineers and developers make the correct decisions faster, with less cognitive load. This means users only spend their time and analysis bandwidth on issues that warrant the attention.
Semgrep Assistant uses GPT-4's understanding of code, alongside prompts specific to Semgrep rules, to determine when security findings are false positives.
Recommendations include context and reasoning that allow developers to quickly and easily verify the correctness of suggestions/fixes.
When Semgrep Assistant identifies a true positive, it recommends an autofix for remediation. Hallucinations are mitigated by secondary prompts that review a diff for various failure modes.
Generated fixes are easy to verify, and helpful for engineers even when they need additional input.
Assistant can write custom rules to find patterns or vulnerabilities specific to your codebase - all you need to provide is one example of “bad code”, one example of “good code”, and a prompt describing what you want the rule to do in human language.
In addition to reducing the time developers spend sourcing information, the context and explainability Semgrep provides ensure that developers still learn and build their understanding of secure coding practices over time.
Semgrep Assistant doesn't just generate fixes - it gives developers the information and context needed to understand and verify what's generated, as if they were working alongside a seasoned security engineer.
Semgrep Assistant recommendations are surfaced to developers via PR comments, so they don't have to keep context-switching in order to fix or triage a finding.
Assistant greatly reduces the amount of information retrieval required in order to understand and fix a security issue.
A highly customized instance of Semgrep is easily the best code security solution available on the market, and Assistant recommendations make it easy for any team to start creating custom rules, adjusting policies, establishing guardrails, and more.
No - OpenAI will not use any of the data we provide them for the purpose of improving their services (see Section 3(c) of their Terms of Use).
Your source code is only accessed by Semgrep or OpenAI to the limited extent necessary to provide the Semgrep Assistant service to you.
Once Semgrep Assistant's output is generated, Semgrep deletes the code snippets that were shared.
OpenAI retains copies of the content sent to them for a maximum of 30 days for purposes of monitoring abuse, as indicated in their API Data Usage Policies.
Code snippets that are shared with OpenAI are anonymized, and don't identify customer or repository names.
Semgrep only shares the minimum amount of code necessary for GPT-4 and our prompts to produce accurate results.
Semgrep only accesses source code repositories on a per-file basis; we do not need or request org-level access to your codebase.
Since Semgrep Assistant needs temporary access to snippets of your source code in order to function, this expands the scope of the data to which you grant us a limited license (see Section 5.1 of our Subscriber Agreement).
Semgrep Assistant only submits the part of the file with the finding to OpenAI for processing. OpenAI is not permitted to use the submitted code for any purposes.
Hallucinations on code auto-fixes are mitigated by secondary prompts that review a diff for various failure modes. Any information identifying a person or organization (excluding information embedded in your code) is never used in prompts, and thus cannot be leaked.
System instructions are included in Assistant prompts with higher authority and no placeholders for user input.
Each prompt only contains code snippets from a specific project and customer; therefore, prompt injection could never expose information across customers and organizations.
Auto-triage considers prior human triage decisions and reasoning left in triage notes. Auto-fix and auto-triage both follow any custom instructions contained within Semgrep rule messages.
"Figmates get actionable security feedback in their PRs, while rule analytics give security teams feedback on rule effectiveness. The simple [rule] syntax lets us extend Semgrep to catch new patterns, going from idea to live in an hour."