Semgrep Launches Multimodal AI for Detection and Remediation

Built on Semgrep Workflows, a new framework for autonomous code security, Semgrep Multimodal finds 8x more true positives while cutting noise by 50% compared to foundation models alone

Semgrep, a leading code security company, today announced Semgrep Multimodal, a system that combines AI reasoning with rule-based analysis for detection, triage, and remediation. Its detection finds up to 8x more true positives while cutting noise by 50% compared to foundation models alone and has already discovered dozens of zero-days at customers. Multimodal is built on Semgrep Workflows, a framework for autonomous code security – using deterministic tools and AI so security teams can encode their processes once and scale them reliably across teams, repos, and the organization.

Workflows can be run as-is from a pre-built library, customized for a team’s specific environment, or built from scratch. Semgrep’s managed infrastructure handles the production deployment, so teams can focus on defining their security logic, not maintaining the stack.

The Problem: AI Code Volume Has Outpaced Security

AI-generated code is outpacing the security practices built for human-speed development. Security teams fielding hundreds of pull requests a day know the math is unforgiving: a 95% fix rate still means hundreds of unresolved critical issues compounding across hundreds of repositories. Most are already reaching for LLMs to close the gap and hitting the same walls: demos that fall apart in production, outputs that vary between repositories, token costs that spiral, and hallucinations that erode trust. The jump from proof of concept to running reliably across the organization is where most efforts stall.

Meanwhile, many of the largest and most costly breaches aren’t caused by the vulnerabilities traditional SAST scanners catch. Instead, they’re caused by logic errors that escaped notice entirely.

Semgrep Multimodal: Better Than Either Approach Alone

Traditional rule-based SAST excels at catching known vulnerability patterns: SQL injection, SSRF, and secrets exposure. But it has always struggled with business logic flaws: IDORs, broken authorization, and authentication bypasses that require understanding context and developer intent. LLMs can reason about logic, but used alone they produce unacceptably high false positive rates and inconsistent results at scale.

Semgrep Multimodal closes that gap. By pairing the Semgrep Pro engine’s precise program analysis with LLM reasoning, it covers both dimensions of vulnerability detection. And as underlying models improve, so does Semgrep Multimodal’s performance automatically.

Semgrep Workflows: The Framework Underneath

Semgrep Multimodal is built on Semgrep Workflows, which is now available to builders who want to go further than out-of-the-box AppSec. Workflows enables teams to encode their own security policies into automated pipelines covering detection, triage, remediation, compliance, and other AppSec work. Pre-built workflows cover common cases for the OWASP Top 10 and business logic vulnerabilities. Custom workflows are written in plain Python, can be easily extended with new tools, and are deployed at scale without building or maintaining infrastructure.
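The two sections above draw a line between flaws a structural rule can match (a query assembled from request input) and flaws that only show up with surrounding context (a lookup by a client-supplied id with no ownership check), and they describe workflows as Python pipelines that hand detection results on to triage. The following is an added example, not Semgrep's code and not the Workflows API (the page does not document it): a small stand-alone Python detection stage, built on the standard library's `ast` module, that runs over a constructed three-handler sample. It emits a high-confidence finding for the formatted SQL query, emits a lower-confidence "candidate" for the unchecked lookup so a later triage stage can decide, and stays quiet on the handler that does check ownership. The rule names, the `Finding` record, and the `request.args` / `request.user` conventions are assumptions made for the example; the LLM reasoning step Semgrep describes is not reproduced here, only the hand-off shape it would receive.

```python
from __future__ import annotations

import ast
from dataclasses import dataclass

# Constructed sample (not from any real project): three request handlers.
# get_user builds SQL from request input (a pattern a rule can match directly).
# get_invoice and get_invoice_checked run the identical parameterised query;
# only the surrounding function reveals which one verifies ownership.
SAMPLE = '''
def get_user(request, db):
    uid = request.args["id"]
    db.execute(f"SELECT * FROM users WHERE id = {uid}")
    return db.fetchone()

def get_invoice(request, db):
    inv_id = request.args["invoice_id"]
    db.execute("SELECT * FROM invoices WHERE id = ?", (inv_id,))
    return db.fetchone()

def get_invoice_checked(request, db):
    inv_id = request.args["invoice_id"]
    db.execute("SELECT * FROM invoices WHERE id = ?", (inv_id,))
    row = db.fetchone()
    if row is None or row["owner_id"] != request.user.id:
        abort(403)
    return row
'''


@dataclass(frozen=True)
class Finding:
    rule: str
    function: str
    line: int
    confidence: str  # "high": pattern matched; "candidate": needs context/triage


def _is_formatted_sql(arg: ast.expr) -> bool:
    """Query text built by f-string, '%' or '+' on strings, or str.format()."""
    if isinstance(arg, ast.JoinedStr):
        return True
    if isinstance(arg, ast.BinOp) and isinstance(arg.op, (ast.Add, ast.Mod)):
        return True
    return (isinstance(arg, ast.Call) and isinstance(arg.func, ast.Attribute)
            and arg.func.attr == "format")


def _execute_calls(func: ast.FunctionDef):
    """Yield every `<obj>.execute(...)` call with at least one argument."""
    for node in ast.walk(func):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args):
            yield node


def _reads_request_param(func: ast.FunctionDef) -> bool:
    """True if the function subscripts `request.args[...]` anywhere."""
    for node in ast.walk(func):
        if (isinstance(node, ast.Subscript) and isinstance(node.value, ast.Attribute)
                and isinstance(node.value.value, ast.Name)
                and node.value.value.id == "request" and node.value.attr == "args"):
            return True
    return False


def _references_current_user(func: ast.FunctionDef) -> bool:
    """Any `request.user` access is taken as an authorization signal (assumed convention)."""
    for node in ast.walk(func):
        if (isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name)
                and node.value.id == "request" and node.attr == "user"):
            return True
    return False


def scan(source: str) -> list[Finding]:
    """Deterministic stage: per-call-site patterns first, whole-function heuristics second."""
    tree = ast.parse(source)
    findings: list[Finding] = []
    for func in tree.body:
        if not isinstance(func, ast.FunctionDef):
            continue
        for call in _execute_calls(func):
            if _is_formatted_sql(call.args[0]):
                # The call site alone is enough evidence: report at high confidence.
                findings.append(Finding("sql-injection-formatted-query",
                                        func.name, call.lineno, "high"))
            elif _reads_request_param(func) and not _references_current_user(func):
                # Same query shape as safe code; only the absence of an ownership
                # check in the enclosing function makes it suspicious, so hand it
                # to triage as a candidate rather than asserting a vulnerability.
                findings.append(Finding("object-lookup-without-ownership-check",
                                        func.name, call.lineno, "candidate"))
    return findings


def triage_queue(findings: list[Finding]) -> list[Finding]:
    """What a reasoning/triage stage would receive: only the context-dependent candidates."""
    return [f for f in findings if f.confidence == "candidate"]


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.confidence:9} {f.rule:40} {f.function}:{f.line}")
```

Running the block prints one `high` finding for `get_user` and one `candidate` for `get_invoice`; `get_invoice_checked` produces nothing. The split is the design point: the deterministic stage asserts only what the syntax proves and hands the context-dependent cases onward with the whole function attached, which is the separation of responsibilities the page attributes to pairing program analysis with a reasoning step.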

Semgrep learns as teams build, incorporating feedback from security engineers and developers to improve accuracy over time. The result: customers are starting to report something the industry has long promised but rarely delivered.

“Semgrep’s rule-based engine became the most widely deployed code scanner in the world by giving teams a way to encode their own security knowledge into precise, customizable rules. Semgrep Multimodal and Workflows are the next chapter of that same bet – that the teams closest to the code are best positioned to define what security means for their organization, and that our job is to give them the engine to automate it,” said Isaac Evans, CEO and Co-Founder at Semgrep.

  • Business Wire has been synonymous with well-known press release distribution for more than half a century. Owned by Berkshire Hathaway, it combines regulatory compliance expertise with a powerful media network, helping enterprises large and small share news that influences markets and decision-makers alike.