UPDATED 17:07 EDT / FEBRUARY 05 2025


Code security startup Semgrep reels in $100M from investors

Startup Semgrep Inc. has raised $100 million in funding to grow the adoption of its code security platform, which helps developers find vulnerabilities in their software.

Menlo Ventures led the Series D investment. Semgrep detailed in its announcement of the raise today that Felicis Ventures, Harpoon Ventures, Lightspeed Venture Partners, Redpoint Ventures and Sequoia Capital participated as well. The company’s total outside funding now stands at $204 million.

The core component of Semgrep’s platform is a static application security testing engine. SAST tools enable developers to create scripts that automatically scan an application’s code base for vulnerabilities. For example, a software team could write a script that detects the presence of open-source components with known cybersecurity issues.

Semgrep’s platform includes more than 900 prepackaged detection scripts, which the company refers to as Semgrep Pro rules. They remove the need for developers to build a rule library from scratch. Software teams can optionally write their own vulnerability detection scripts in YAML, a relatively simple syntax typically used for system configuration tasks.
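As an added illustration of the kind of custom rule the article mentions (not one of Semgrep's own Pro rules), the following YAML uses Semgrep's rule format to flag Python assignments in which a credential-looking variable name receives a string literal; the variable-name regex and the rule id are assumptions chosen for the example.

```yaml
# Added example, not a rule shipped by Semgrep: a custom SAST rule in
# Semgrep's YAML format. It matches statements such as
#     password = "hunter2"
# where the left-hand name looks like a credential and the right-hand
# side is a string literal baked into the source.
rules:
  - id: hardcoded-credential-assignment   # assumed id
    languages: [python]
    severity: WARNING
    message: >-
      Credential-looking variable '$NAME' is assigned a string literal.
      Load secrets from the environment or a secrets manager instead.
    patterns:
      # Any assignment of a string literal to a variable.
      - pattern: $NAME = "..."
      # Keep only variable names that suggest a secret (assumed word list).
      - metavariable-regex:
          metavariable: $NAME
          regex: (?i).*(password|passwd|secret|api_key|token).*
      # An empty string is a placeholder, not a leaked credential.
      - pattern-not: $NAME = ""
    metadata:
      category: security
      cwe: "CWE-798: Use of Hard-coded Credentials"
```

Run with `semgrep --config <this-file>.yaml <path>`; a rule like this only proves a literal is present, which is why the article's point about validating whether a found credential is actually live matters for cutting false positives.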

SAST detection scripts overlook certain types of technical information. For example, they might not notice when a seemingly insecure code snippet includes a developer comment explaining that it’s not in fact vulnerable. To address this limitation, Semgrep has equipped its platform with large language models. The LLMs can take into account developer comments and other contextual information typically overlooked by SAST scripts. 

Semgrep says its platform’s use of LLMs reduces false positives, or secure code snippets that are incorrectly flagged as vulnerable. The software also includes other features designed to reduce such mistakes.

One of the security tasks that Semgrep automates is the process of detecting hardcoded secrets. Those are sensitive pieces of data, such as login credentials, that are embedded directly in an application’s source code rather than stored securely. To avoid false positives, Semgrep checks whether the login credentials that it finds work and only generates an alert if they’re usable.

The platform also detects vulnerabilities in external application components such as open-source libraries. Moreover, it spots any licensing issues that those components might cause. Semgrep can, for example, point out if an open-source library’s license prohibits developers from using it in commercial software projects. 

The platform includes a dashboard that displays statistics about the code issues it finds. Semgrep tracks how many vulnerabilities it spots, their severity and the percentage of flaws that are successfully fixed by developers.

“We want using Semgrep to be like hiring an AppSec engineer to do the boring work,” co-founder and Chief Executive Officer Isaac Evans wrote in a blog post. “Our vision is autonomous (but still transparent and deterministic) security decision-making at scale.”

Semgrep also disclosed that its platform has been adopted by hundreds of organizations since launch. Those customers include Snowflake Inc., Dropbox Inc. and other major tech firms.

Using the new funding, Semgrep will hire more go-to-market professionals to further grow its customer base. The company will also recruit artificial intelligence and cybersecurity experts to accelerate product development. The engineering push is set to place particular emphasis on making Semgrep’s platform easier to use. 
