Semgrep
Primary category: software-supply-chain. Formerly r2c.
One-liner — Fast, customizable static analysis (SAST) with a popular open-source engine, extended into a commercial platform covering dependencies (SCA) and secrets — known for low-noise, rule-driven scanning that developers actually run.
What it does
Semgrep (“semantic grep”) matches code patterns with lightweight, human-readable rules across 30+ languages. The platform has three commercial pillars:
- Semgrep Code (SAST) — first-party code analysis with custom rules and AI-assisted false-positive triage.
- Semgrep Supply Chain (SCA) — third-party dependency vulnerability scanning with reachability analysis to suppress unreachable-CVE noise.
- Semgrep Secrets — API key / credential leak detection. The Semgrep OSS engine (released end of 2020) is free and widely used; it drives bottom-up developer adoption.
Where it sits in the stack
software-supply-chain, foundation layer. Relevance to AI-generated code: LLM-authored code is effectively untrusted input — Semgrep’s custom rules can encode org-specific guardrails (banned APIs, insecure patterns, missing authz checks) that catch the kinds of mistakes AI assistants reproduce at scale, and its SCA leg flags vulnerable dependencies the model may pull in. Reachability helps keep the AI-amplified volume of findings actionable.
Deployment & architecture
Open-source CLI engine (run locally or in CI). Commercial SaaS platform (self-hosted option available) with Git integrations (GitHub/GitLab/Bitbucket), PR/MR comments, CI/CD plugins, IDE feedback, and an API. Pricing is per-contributor/month (~$40 Code & Supply Chain, ~$20 Secrets) with a free tier under ~10 contributors — a notably developer- and SMB-friendly model.
Positioning & differentiators
Best known for customizable, low-false-positive SAST and its open-source engine — the easiest of the software-supply-chain tools to tailor with your own rules. Versus snyk: narrower than Snyk’s full suite (less container/IaC depth) but lighter, cheaper, and more transparent/hackable; strong where teams want to write their own policy-as-code checks. Versus socket: Semgrep SCA is CVE/known-vuln + reachability oriented, whereas Socket targets malicious packages — complementary. Versus endor-labs: both emphasize reachability/SCA, but Semgrep leads with SAST and OSS adoption while Endor leads with dependency/reachability depth. Versus aikido-security: Aikido bundles many scanners for SMBs; Semgrep is more of a best-of-breed SAST engine.
Ownership, funding & M&A
Independent, private, venture-backed. Founded 2017 as r2c by Isaac Evans (CEO), Drew Dennison (CTO), and Luke O’Malley (CPO); HQ San Francisco. Total funding ~$193M; most recent round a $100M Series D in February 2025 led by Menlo Ventures, with existing investors Felicis, Harpoon, Lightspeed, Redpoint, and Sequoia participating. No acquisitions or M&A of note; no IPO. (ownership_confidence: high.)
CTO / hedge-fund lens
Day-2 baseline, Day-1 if your devs ship AI-generated code. Semgrep is a strong fit for a fund’s engineering team that wants policy-as-code: encode your own rules (no eval of untrusted data, required authz, banned crypto) and run them in CI against both human- and AI-written code. The free OSS engine plus per-contributor pricing makes it cost-effective for small teams (sub-50 eng), and self-hosting suits regulated/air-gapped environments. Often paired with socket for malicious-package coverage. Model-risk relevance is light/indirect — it governs code quality/security, not model behavior or SR 11-7 model risk.
Competitors / alternatives
snyk, socket, endor-labs, aikido-security; GitHub Advanced Security / CodeQL (not yet a page).
Open questions / to verify
- Current ARR / customer count (not established here).
- Depth of container/IaC coverage relative to snyk (Semgrep is primarily code + dependencies + secrets).
Sources
- Semgrep Business Breakdown & Founding Story — Contrary Research — fetched 2026-06-28 — supports: founded 2017 (r2c), founders, SF HQ, ~$193M total, Series D $100M Feb 2025 (Menlo), product modules, per-contributor pricing; confidence: high
- Semgrep / r2c — Crunchbase + search synthesis — fetched 2026-06-28 — supports: r2c→Semgrep rename, Series D $100M Feb 2025 led by Menlo Ventures, OSS engine released end 2020; confidence: med
History
- [2026-06-28] Stub created from seed registry.
- [2026-06-28] Researched; established independent/private VC-backed, founded 2017 as r2c (SF HQ), ~$193M raised, Series D $100M Feb 2025 (Menlo Ventures); SAST+SCA+Secrets with open-source engine; ownership_confidence high. hedge_fund_fit medium (Day-1 if shipping AI-generated code).