UPDATED 13:32 EDT / APRIL 18 2023


Semgrep raises $53M to help developers detect vulnerable code

Semgrep Inc., a startup with a popular code security platform of the same name, today disclosed that it has raised $53 million in funding.

Lightspeed Venture Partners led the Series C investment. Felicis Ventures, Redpoint Ventures and Sequoia Capital contributed as well.

Before developers release new code to production, they scan it for vulnerabilities using static application security testing, or SAST, tools. Semgrep offers one of the most popular SAST platforms on the market. Its platform is used by development teams at Snowflake Inc., Dropbox Inc., Shopify Inc. and other major tech firms.

Semgrep can determine whether a piece of code contains known vulnerabilities such as those tracked in the CVE cybersecurity database. It’s also capable of checking an application’s susceptibility to common hacking tactics. A developer could, for example, use Semgrep to identify whether an application may be vulnerable to SQL injection.

Software teams can extend Semgrep by creating custom detection rules. A detection rule is a script that checks whether a piece of code meets certain technical criteria. Developers can customize Semgrep to detect not only new cybersecurity flaws, but also other issues such as code snippets that don’t adhere to company best practices.
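As an added illustration of what such a rule looks like (this is an example written for this article, not a rule from Semgrep’s own registry), the following Semgrep rule flags Python code that builds a SQL query from a formatted or concatenated string and passes it straight to a database cursor, the pattern behind the SQL injection case mentioned above. The rule id, message text and the `$CURSOR` / `$X` metavariable names are choices made for this example; the `rules`, `patterns`, `pattern-either` and `$NAME` metavariable syntax is Semgrep’s standard rule format.

```yaml
# Example Semgrep rule (constructed for this article, not an official Semgrep rule).
# Save as sqli-format-string.yaml and run:  semgrep --config sqli-format-string.yaml ./src
rules:
  - id: example-python-sqli-format-string
    languages: [python]
    severity: ERROR
    message: >-
      SQL query is built with string formatting or concatenation and passed to
      execute(). Use a parameterised query, e.g. cursor.execute(sql, params),
      so untrusted input cannot alter the query structure.
    metadata:
      cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command"
    patterns:
      - pattern-either:
          # f-string:        cursor.execute(f"SELECT ... {user_id}")
          - pattern: $CURSOR.execute(f"...")
          # %-formatting:    cursor.execute("SELECT ... %s" % user_id)
          - pattern: $CURSOR.execute("..." % $X)
          # str.format():    cursor.execute("SELECT ... {}".format(user_id))
          - pattern: $CURSOR.execute("...".format(...))
          # concatenation:   cursor.execute("SELECT ... " + user_id)
          - pattern: $CURSOR.execute("..." + $X)
```

`$CURSOR` and `$X` are metavariables, so the rule matches whatever receiver and expression appear in those positions; `"..."` matches any string literal and `...` any argument list. A parameterised call such as `cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))` matches none of the four patterns and is left alone, which is the behaviour a team would want when it tunes the rule to its own codebase.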

“Unlike most black-box scanners, Semgrep puts engineers in charge: they can transparently view the rules that alerted the vulnerabilities and make sense of them,” founder and Chief Executive Officer Isaac Evans wrote in a blog post. “They can also quickly write a new rule, edit an existing rule or use one of the thousands of community rules and fine-tune Semgrep to match their specific needs.”

The company monetizes the open-source version of its platform through two commercial editions, known as Semgrep Supply Chain and Semgrep Code, respectively.

Enterprise applications include not only code that a company’s developers produce in-house, but also external modules from the open-source ecosystem. Such modules can potentially contain vulnerabilities. Semgrep Supply Chain, the startup’s first commercial product, automatically scans open-source code for security issues.

There are cases in which a vulnerable open-source module does not necessarily represent a cybersecurity risk. Typically, such situations arise when the part of the module that contains the vulnerability is never called by the application in which the module is installed. Such dormant security issues often cause cybersecurity tools to generate false positives.

Supply Chain can automatically identify whether an open-source vulnerability is dormant. It then prioritizes the more urgent software flaws that do pose a cybersecurity risk, helping developers address the most pressing issues first. Semgrep says the tool can reduce false positives by up to 98% in some cases.

Semgrep Code is designed to find vulnerabilities in application code that a company produces in-house, as opposed to components from the open-source ecosystem. It includes prepackaged vulnerability detection rules not available in the open-source version of the startup’s platform. Additionally, it provides more detailed data about the vulnerabilities that it finds. And it can uncover whether malicious input entered into one part of an application may compromise the security of another component.
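The last capability described above, tracking whether input that enters one part of an application can reach a sensitive operation elsewhere, corresponds to Semgrep’s taint-tracking rule mode. The rule below is an added example written for this article, not one of Semgrep Code’s prepackaged rules: it marks values read from an incoming Flask HTTP request as untrusted, treats `int()` as a sanitizer, and reports any flow from such a value into the query argument of a database `execute()` call. The rule id, message and metavariable names are choices made here; `mode: taint`, `pattern-sources`, `pattern-sanitizers` and `pattern-sinks` are Semgrep’s taint-mode keys, and Semgrep resolves `from flask import request` so that `request.args.get(...)` in code matches the fully qualified pattern.

```yaml
# Example Semgrep taint rule (constructed for this article, not an official Semgrep rule).
# Save as request-to-sql.yaml and run:  semgrep --config request-to-sql.yaml ./src
rules:
  - id: example-flask-request-to-sql-sink
    mode: taint
    languages: [python]
    severity: ERROR
    message: >-
      Data from an HTTP request reaches a SQL execute() call without being
      sanitised. Validate or convert the value first, or pass it as a bound
      query parameter instead of embedding it in the query string.
    metadata:
      cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command"
    # Where untrusted data enters: query-string and form values of the current request.
    pattern-sources:
      - pattern: flask.request.args.get(...)
      - pattern: flask.request.form.get(...)
    # A conversion that cannot yield SQL syntax stops the taint from propagating.
    pattern-sanitizers:
      - pattern: int(...)
    # Where a finding is raised: the query argument of any cursor.execute() call.
    pattern-sinks:
      - patterns:
          - pattern-inside: $CURSOR.execute($QUERY, ...)
          - pattern: $QUERY
```

With this rule, a handler that does `uid = request.args.get("id")` and later `cursor.execute("SELECT * FROM users WHERE id = " + uid)` is reported even when the two lines live in different functions of the same file, while `uid = int(request.args.get("id"))` is not, because the sanitizer breaks the flow. The sink is scoped to the first argument only, so passing the same value as a bound parameter in the second argument does not trigger a finding.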

The company told TechCrunch that its commercial products experienced 750% growth in the past year, but didn’t share absolute numbers. It will use its newly announced funding round to further grow its market presence. To support the effort, Semgrep reportedly intends to hire 50 new employees by the end of the year.
