Semgrep Assistant boosts AppSec team productivity using AI

Semgrep announced Semgrep Assistant, a tool that uses Artificial Intelligence (AI) to drive efficiencies and uncover insights across all phases of an AppSec program, from rule creation to remediation.

Semgrep is a static code analysis tool that alerts users to security issues and bugs. Before Semgrep Assistant launched in beta in May 2023, Semgrep had found that reviewing security findings, identifying false positives, and prioritizing true positives took a considerable amount of human effort, as did remediating the issues, since most developers were not familiar with security best practices.

Semgrep wanted to determine whether an AI tool could free up resources and amplify the impact of AppSec engineers and developers addressing security issues. Thus, Semgrep Assistant launched in open beta.

After a year of iteration, Semgrep is confident in the unique value Assistant provides, which differs substantially from how most other SAST vendors leverage AI (i.e. simply augmenting scan results or suggesting fixes automatically). Assistant uses AI to speed up the workflows that happen before and after the security scan itself.

While Semgrep Assistant generates auto-fixes, Assistant also helps with triage, false positive identification, custom rule-writing, and rule management (i.e. identifying which rules are working well, and promoting them so they automatically alert developers).

“Semgrep Assistant helped surface valuable context and recommendations to developers, aiding in the quick identification of false positives and remediation of legitimate findings. There were times where Assistant just felt magical,” said Allan Reyes, Staff Security Engineer at Vanta.

Customers using Semgrep Assistant have doubled their fix rate (compared to those without) and users agree with the tool’s auto-triage feedback 96 percent of the time. Primary Semgrep Assistant features and functionality include:

  • Auto rule-writing: Semgrep is the superior SAST tool when customized correctly. With Semgrep Assistant now able to write custom rules, resource- or knowledge-constrained AppSec teams can leverage a solution that is highly customized to their specific codebase.
  • Auto-triage findings: Semgrep Assistant uses GPT-4’s understanding of code, alongside prompts specific to Semgrep rules, to determine when security findings are false positives.
  • Auto-fix code: When Semgrep Assistant identifies a true positive, it recommends an autofix for remediation. Semgrep Assistant doesn’t just generate fixes: it offers developers the information and context needed to understand and verify what’s generated, as if they were working alongside a seasoned security engineer.

“Semgrep Assistant’s unique approach using AI to optimize existing workflows has led to extremely impressive feedback and results during the beta period – we’re confident that Assistant is a huge value add to AppSec teams of all sizes, and we feel great about Assistant’s General Availability release,” said Jack Moxon, senior product manager at Semgrep.
