Introducing Semgrep Secrets, a Product for Preventing Sensitive Credentials from Leaking

News provided by

Oct 24, 2023, 09:00 ET

Company rounds out its application security platform enabling engineers to fix the issues that matter before production

SAN FRANCISCO, Oct. 24, 2023 /PRNewswire/ -- Semgrep, a code security solution designed for engineering-centric security programs, today announced its public beta of Semgrep Secrets, a product for detecting and securing sensitive credentials during the software development process. Semgrep is designed for engineers - software and security alike - who need to maintain a fast cadence of software development and solve the root causes of security issues.

Secrets refer to sensitive data, such as hardcoded passwords, API keys, encryption keys (SSH, PGP, etc.), certificates (SSL, TSL, etc.), and authentication tokens. During the software development process, it's common to insert sensitive data and credentials - or secrets - into code, configuration files, and containers that are unique to the developer or organization. This can quickly become a security issue if the data is unintentionally leaked or accessed by unauthorized users. Semgrep Secrets detects and keeps secrets safe throughout the development process.

Key benefits of Semgrep Secrets include:

Detect and fix secrets with high precision:
- Detect secrets and how they are used using Semgrep's semantic analysis.
- Reduce false positives by prioritizing fixing of valid credentials.
- Detect secrets that are specific to your internal services.
Fix secrets without developer friction:
- Minimize developer alert fatigue from false positives.
- Get secrets-related findings directly in the developer workflow.
- Prevent secrets from being committed to your code repository.
Leveraging a single pane-of-glass for application security:
- Find and remediate security issues in your code, software supply chain, and secrets using one platform.

"Semgrep Secrets is launching with features that immediately make it a best-in-class tool for secrets detection, and some that we believe are completely novel, like leveraging semantic analysis for hard-coded credentials. The impact is that only relevant issues are flagged to developers without them having to leave their workflow. We launched this product to beta in 107 days and I'm super excited for what the team behind it will ship next!" said Isaac Evans, CEO and co-founder at Semgrep.

Pricing and implementation

Semgrep Secrets costs $30 per developer, per month. Bundled pricing is available when purchased with other Semgrep products.

For additional information on this announcement, please see this blog post or visit the Semgrep Secrets landing page.

Additional Semgrep Products

Semgrep Secrets is the third product to be added to the company's portfolio. The company offers Semgrep Code, a fast, customizable, and developer-oriented static application security testing (SAST) solution. Semgrep Code enables security teams to leverage Semgrep Pro Engine and Pro rules to surface highly actionable vulnerabilities directly to developers.

Semgrep also offers Semgrep Supply Chain, a static code analysis that detects vulnerabilities in third-party code. Semgrep Supply Chain filters out over 98 percent of alerts, leaving users with a manageable list of vulnerabilities to prioritize.

About Semgrep

Semgrep is an application security platform for scanning code for security, reliability, & other issues. Semgrep's mission is to profoundly improve software security and reliability by bringing world-class security tools to engineers—software and security alike. It's Semgrep's conviction that the security process must enable rapid software development, instead of hindering it. Semgrep is funded by Felicis Ventures, Lightspeed Venture Partners, Redpoint Ventures, and Sequoia Capital, and has become an essential safeguard for code at customers like Snowflake, Dropbox, and more.

SOURCE Semgrep