Semgrep Launches Multimodal AI‑Driven Code Security Platform Boosting True Positives 8×
What Happened — Semgrep introduced Semgrep Multimodal, a hybrid engine that fuses deterministic rule‑based analysis with large‑language‑model reasoning. The new system claims up to eight‑fold more true‑positive detections while halving noise versus LLM‑only scans, and has already uncovered dozens of zero‑day issues in customer codebases.
Why It Matters for TPRM (Third‑Party Risk Management) —
- Enhances the security posture of any third‑party software supplier that relies on automated code review.
- Reduces false‑positive fatigue, allowing security teams to focus on genuine high‑risk defects.
- Provides a scalable, managed workflow that can be embedded into vendor‑managed CI/CD pipelines.
Who Is Affected — Technology SaaS vendors, cloud‑native development platforms, and any organization that outsources software development or relies on third‑party code libraries.
Recommended Actions —
- Assess whether your current code‑security tooling supports AI‑augmented analysis.
- Pilot Semgrep Multimodal in a low‑risk repository to gauge true‑positive uplift.
- Update third‑party risk questionnaires to capture AI‑assisted security capabilities.
Technical Notes — The solution combines Semgrep’s static analysis engine (pattern matching for OWASP Top 10 issues, secrets, etc.) with LLM reasoning to surface business‑logic flaws such as insecure direct object references (IDORs) and broken authorisation. It runs on Semgrep’s managed infrastructure and offers pre‑built or custom Workflows that can be triggered automatically in CI pipelines.
Source: Help Net Security
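To make the deterministic half of that pairing concrete, here is an added Semgrep rule written for this summary (not a rule shipped by Semgrep or described in the article). It assumes a Flask application using a SQLAlchemy-style `$MODEL.query.get()` lookup, a `current_user` object and an `owner_id` column; those names are illustrative. A pattern rule like this can only flag a handler that loads a row by a URL parameter and never compares the row's owner with the caller; deciding whether that omission is actually an IDOR is the business-logic judgement the article attributes to the LLM layer.

```yaml
# Added example rule (not Semgrep's own). Flags an IDOR candidate:
# a Flask route that fetches an ORM row by a request-supplied id and
# never checks, in the same handler, that the caller owns that row.
# Model, field and handler names are assumptions for the illustration.
rules:
  - id: flask-object-by-id-without-ownership-check
    languages: [python]
    severity: WARNING
    message: >-
      $MODEL row loaded by request-supplied id '$ID' with no ownership
      check in this handler. Confirm the caller is allowed to access this
      object (possible IDOR / broken object-level authorization).
    metadata:
      category: security
      cwe: "CWE-639: Authorization Bypass Through User-Controlled Key"
    patterns:
      # Only consider route handlers whose id comes from the URL.
      - pattern-inside: |
          @app.route(...)
          def $HANDLER(..., $ID, ...):
            ...
      # The lookup keyed directly on that id.
      - pattern: $OBJ = $MODEL.query.get($ID)
      # Suppress when the same handler compares the row's owner to the caller,
      # anywhere in the condition (deep-expression match).
      - pattern-not-inside: |
          def $HANDLER(..., $ID, ...):
            ...
            $OBJ = $MODEL.query.get($ID)
            ...
            if <... $OBJ.owner_id != current_user.id ...>:
              ...
```

Run it with `semgrep --config rule.yaml src/` against a handler such as `doc = Document.query.get(doc_id)` with no owner comparison to see a finding; adding `if doc is None or doc.owner_id != current_user.id: abort(404)` after the lookup silences it.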