RSA Plans, Vibe Coding, AppSec Survey, Anthropic and a CVE for vLLM
Greetings! This is another installment from me on the top ten things happening at Semgrep that I think you’ll want to know about.
Let Them Build
Luke O’Malley, one of the founders of Semgrep, shared his vision for how secure software starts with the builders who write it. Read the AppSec for Builders Manifesto and share where you agree and where you don’t. Post on social media and tag us with #LetThemBuild.
Reduce the Risks of Vibe Coding
Vibe coding has moved from a meme to the reality many security teams face when reducing risk from AI-generated source code. We’ve built an MCP server to help integrate security guardrails into the development workflow. Visit the semgrep/mcp repository for instructions and source code. See how it works with this video demo of a Cursor integration.
RSA and BSides SF
If you are coming to San Francisco, please visit and find out about the latest AI advancements at Semgrep. Visit our RSA event page to learn where we’ll be and when. We’re hosting an exclusive Pre-BSides SF + RSA Party, an Alice & Bob Learn Secure Coding book signing with Tanya Janca, special dinners, and more.
I’m looking forward to seeing you all at BSides SF and RSA in person.
Take the Free AppSec Survey and Course
Want to get some advice on your application security program? Take this interactive survey that will give you some tips & tricks to level-up your AppSec program.
From a review on the Application Security Foundations Course:
“What I love about this course is that it gave me a refresher of foundations of appsec, goals, and tools that I can recommend to incorporate” –Recent Reviewer
Share the free security course with your team.
CVE-2025-29783 for vLLM
We’ve added a CVE to our trophy case. Recently, CVE-2025-29783 was created by an AI Security Researcher at Nvidia who uncovered the AI attack surface while using Semgrep.
The python.lang.security.deserialization.pickle.avoid-pickle rule, which flags unpickling of data that may come from an untrusted source, was the clue.
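As an added illustration of what that rule flags (example code written for this newsletter, not Semgrep’s rule implementation or the vLLM code): the bare `pickle.loads` pattern the rule reports, beside a restricted unpickler that fails closed on any global outside an explicit allowlist. The sample byte streams are constructed here; the function and allowlist names are assumptions.

```python
import collections
import io
import pickle

# Pattern the Semgrep rule python.lang.security.deserialization.pickle.avoid-pickle
# reports: unpickling bytes whose origin is not trusted. A pickle stream can name any
# importable callable, so loading one from an untrusted source is code execution.
def load_untrusted_unsafe(blob: bytes):
    return pickle.loads(blob)  # what avoid-pickle flags


# Hardened variant (hypothetical names): only resolve globals on an allowlist, following
# the "Restricting Globals" approach from the Python pickle documentation.
# Plain dict/list/set literals never go through find_class, so they load as usual;
# any other class or function reference is rejected before it is instantiated.
ALLOWED_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "set"),
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def load_restricted(blob: bytes):
    """Unpickle with the allowlist enforced; raises UnpicklingError otherwise."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def is_rejected(blob: bytes) -> bool:
    """True if the restricted loader refuses the stream."""
    try:
        load_restricted(blob)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed sample streams (not real model files or attacker data).
SAFE_BLOB = pickle.dumps({"weights": [0.1, 0.2]})          # builtins only
FOREIGN_BLOB = pickle.dumps(collections.OrderedDict(a=1))  # references a non-allowlisted global
```

The restricted loader is a mitigation for code that must keep reading pickle; where the format is under your control, a non-executable serialization such as JSON or safetensors removes the class entirely.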
One Typo Away from a Really Bad No Good Day
A software library pulled in as a dependency can quickly become a trojan horse for more malicious intentions. A developer is one typo away from a malicious dependency entering the code base. One approach to malicious dependency detection relies on supply chain software composition analysis (SCA) combined with reachability analysis.
"Modern AppSec programs, like Figma's, rely on a paved road with secure guardrails for fast and safe development."
- Devdatta Akhawe, Head of Security, Figma
Check out the docs on malicious dependencies to learn more about the 30,000 new rules and supported ecosystems.
Click Into Dashboard Metrics
False positives are a problem: they get in the way of addressing true vulnerabilities while eroding trust. The fix rate, the number of findings fixed in development relative to the number identified, can be a helpful north star metric for AppSec teams to evaluate triage and remediation when using Semgrep.
New in private beta, we’re providing a preview of clickable charts that allow for deeper reviews into metrics like backlog totals, guardrail activities, etc. so that you can review AI Assistant findings more quickly to understand why, share wins, and demonstrate progress.
Book a demo to chat more about these upcoming dashboard improvements.
Community Headlines
We love hearing about some of the novel things the community is doing with Semgrep. Have you done something that is helping you secure your development team’s workflow? Let us know. Reply to this email or DM me on Semgrep Community Slack so we can highlight and share what you’ve learned.
Mastering Security Headers
Scott Helme, founder of Security Headers, and Tanya Janca will be diving deep into mastering security headers in a webinar on April 22. Join live to ask questions and get additional insights. You should also consider sharing the free security headers course with your team.
There are also other recent webinars including Scaling Security for FinTech when dealing with regulatory compliance. Elliot Colquhoun, VP of Information Security and IT at Airwallex will join to share perspectives.
How to Get Started with Semgrep
If you've only just learned about Semgrep, here are some ways to get started:
If you have any questions or feedback, hop onto the Community Slack and let’s chat! If you want to talk to us virtually or see us in person, check out the events page to see where we’ll be.
Jayson
2w: Very interesting and useful content.