Semgrep Puts Real Time Vulnerability Scans in Developers’ Hands

Updated: Jun 20

Discover how our partner r2c is reducing cost, time, and headaches in static testing

The State of Static Application Security Testing (SAST) Until Now

Traditional SAST systems are big, powerful, and for sufficiently scaled enterprise organizations, completely vital. If an org has teams of developers in multiple time zones pumping out code to support internal systems and external products, they need a system to standardize and secure all of it. Each undiscovered vulnerability could cost millions, after all. That’s why such systems are able to justify their price, which is often above a million dollars a year to keep running.

The trouble is that to read all these lines of code and flag their flaws, traditional SAST systems require a massive on-premises footprint and, depending on the repository being scanned, can take days or weeks to run. And at the end of this process, once the flaws are discovered, it’s up to developers and DevSecOps teams to go back to previously committed code, tediously rewrite some or all of it, and put their current projects on the back burner.

But all that goes with the territory. It can’t be helped, right?

The Static Revolution is in Motion

The innovators at r2c disagree, and it’s hard to argue with their results. With their recently-launched tool, Semgrep, they are helping shift static testing further left than ever before. Now developers themselves can use a real-time vulnerability scanning tool right alongside their text editors and check code for errors. They can also include static tests that complete in real-time when code is checked in and create rules that can help standardize best practices across entire organizations.

True Positives and r2c Partner Up

The True Positives team recognized the impact this technology would have, which is why we are proud to be among the first partners for r2c. We’re now offering Semgrep Team Edition to all our customers, which helps teams not only get real-time code security enhancements but also allows for unlimited security policies, privately hosted rulesets to help enforce code standardization, and support from the r2c team. Plus, you get the True Positives targeted value-added services to help midsize and enterprise businesses protect their assets. We’re happy to help your teams implement and integrate Semgrep.

What Does This Change Mean for the Industry?

For Developers

Developers get to catch mistakes before they’re committed at the desktop level, saving a ton of headaches on rework and moving tickets back and forth in JIRA. This puts control back in their hands and helps standardize the code between developers across the organization.

For DevSecOps

Product security teams get a much smaller number of issues in their workflow, so they can focus their attention on comprehensive solutions rather than battling every little bug.

For Organizations

Organizations that can’t justify the investment in traditional SAST systems get a fighting chance in the war on security vulnerabilities, protecting their assets the way larger organizations can. Companies that currently use traditional static testing systems now get to maximize the value of their investment by reserving the more focused, heavyweight scans for the biggest flaws while benefiting from the agile real-time scans of Semgrep.

What Does the Industry Think So Far?

“These lightweight static analysis methods are really fast and really actionable.”

“[It] is great because I can create a nice little dictionary of rules and run [it] in my CI/CD pipeline.”

“We have this way to specify an auto fix - you can reuse those meta variables... you don’t have to create a bunch of separate documentation.”
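To make the rules-plus-autofix workflow described above concrete, here is an added example rule file (written for this post, not a rule shipped by r2c or True Positives; the file path rules/yaml-safe-load.yml is assumed). It flags Python calls to yaml.load() that do not name a safe loader and uses the captured metavariable to rewrite them:

```yaml
# Constructed example rule file (hypothetical path: rules/yaml-safe-load.yml).
# Run it with: semgrep --config rules/ --autofix <source-dir>
rules:
  - id: python-yaml-unsafe-load
    languages: [python]
    severity: WARNING
    message: >-
      yaml.load() without a safe Loader can instantiate arbitrary Python
      objects from untrusted input. Use yaml.safe_load() instead.
    # $DATA is a metavariable: it binds whatever expression is passed as the
    # stream argument and is reused, unchanged, in the fix template below.
    patterns:
      - pattern: yaml.load($DATA, ...)
      - pattern-not: yaml.load($DATA, Loader=yaml.SafeLoader)
      - pattern-not: yaml.load($DATA, Loader=yaml.CSafeLoader)
    # Autofix: the whole matched call is replaced by this template, with the
    # bound metavariable substituted in, so the fix and the finding share one rule.
    fix: yaml.safe_load($DATA)
    metadata:
      category: security
```

The same file can be committed alongside the code and referenced from a CI job, so the check that runs in the editor is the one that runs on check-in.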

About r2c

r2c is a security company backed by Redpoint Ventures and Sequoia Capital, helping bring a robust, supported, and standardized version of the open-source project Semgrep to developers everywhere. Originally built by teams at Facebook to help bake code-level security into their products that support over a billion users, Semgrep is now generally available to even modest teams.

Get a Free Trial & Consultation with True Positives

True Positives is an authorized full-service reseller with decades of experience in traditional SAST products, and we were on the ground floor with r2c as well. When you work with us to source these tools, you get:

  • Access to the solution through us to get a thorough trial

  • Enhanced support during the trial

  • Competitive market pricing if and when you decide to buy

  • Help available to implement and integrate the tools

Contact us today to get started.
