![[The AI Show Episode 144]: ChatGPT’s New Memory, Shopify CEO’s Leaked “AI First” Memo, Google Cloud Next Releases, o3 and o4-mini Coming Soon & Llama 4’s Rocky Launch](https://www.marketingaiinstitute.com/hubfs/ep%20144%20cover.png)
![BPMN-procesmodellering [closed]](https://i.sstatic.net/l7l8q49F.png)
-All-will-be-revealed-00-35-05.png?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#)
-All-will-be-revealed-00-17-36.png?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#)
![What iPhone 17 model are you most excited to see? [Poll]](https://9to5mac.com/wp-content/uploads/sites/6/2025/04/iphone-17-pro-sky-blue.jpg?quality=82&strip=all&w=290&h=145&crop=1)
![Hands-On With 'iPhone 17 Air' Dummy Reveals 'Scary Thin' Design [Video]](https://www.iclarified.com/images/news/97100/97100/97100-640.jpg)
![Mike Rockwell is Overhauling Siri's Leadership Team [Report]](https://www.iclarified.com/images/news/97096/97096/97096-640.jpg)
![Instagram Releases 'Edits' Video Creation App [Download]](https://www.iclarified.com/images/news/97097/97097/97097-640.jpg)
![Inside Netflix's Rebuild of the Amsterdam Apple Store for 'iHostage' [Video]](https://www.iclarified.com/images/news/97095/97095/97095-640.jpg)
RSA Plans, Vibe Coding, AppSec Industry Survey, Anthropic and a CVE for vLLM
This is another installment of the top ten things happening at Semgrep recently that I think you will want to know about. Let Them Build Luke O’Malley, one of the founders of Semgrep shared his vision for how secure software starts with the builders who write it. Read the AppSec for Builders Manifesto and share where you agree and where you don’t. Post on social media and tag us with #LetThemBuild. Reduce the Risks of Vibe Coding Vibe coding has moved from a meme to the reality many security teams face when reducing risk from AI-generated source code. We’ve built an MCP server to help integrate security guardrails into the development workflow. Visit the semgrep/mcp repository for instructions and source code. See how it works with this video demo of a Cursor integration. RSA and BSides SF If you are coming to San Francisco please visit and find out about the latest AI advancements at Semgrep. Visit our RSA event page to learn where we’ll be and when. We’re hosting an exclusive Pre-BSides SF + RSA Party, an Alice & Bob Learn Secure Coding book signing with Tanya Janca, special dinners, and more. Review the schedule Getting Ready for RSA 2025 Webinar Schedule an on-site demo and get a custom hat I’m looking forward to seeing you all at BSides SF and RSA in-person. Take the Free AppSec Survey and Course Want to get some advice on your application security program? Take this interactive survey that will give you some tips & tricks to level-up your AppSec program. From a review on the Application Security Foundations Course: “What I love about this course is that it gave me a refresher of foundations of appsec, goals, and tools that I can recommend to incorporate” –Recent Reviewer Share the free security course with your team. CVE-2025-29783 for vLLM We’ve added a CVE to our trophy case. Recently, CVE-2025-29783 was created with credit going to an AI Security Researcher at Nvidia who uncovered the AI attack surface while using Semgrep. The python.lang.security.deserialization.pickle.avoid-pickle rule was the clue. One Typo Away from Catastrophe A software library as a dependency can quickly become a trojan horse to more malicious intentions. A developer is one typo away from a malicious dependency entering the code base. An approach to malicious dependency detection relies on Supply Chain SCA and reachability analysis. "Modern AppSec programs, like Figma's, rely on a paved road with secure guardrails for fast and safe development." -- Devdatta Akhawe, Head of Security, Figma Check out the docs on malicious dependencies to learn more about the 30,000 new rules and supported ecosystems. Click Into Dashboard Metrics False positives are a problem and they get in the way of addressing true vulnerabilities while eroding trust. The Fix Rate, number of findings fixed in development relative to the number identified, can be a helpful north star metric for AppSec teams to evaluate triage and remediation when using Semgrep. New in private beta, we’re providing a preview of clickable charts that allow for deeper reviews into metrics like backlog totals, guardrail activities, etc. so that you can review AI Assistant findings more quickly to understand why, share wins, and demonstrate progress. Book a demo to chat more about these upcoming dashboard improvements. Community Edition Headlines We love hearing about some of the novel things the community is doing with Semgrep. Have you done something that is helping you secure your development team’s workflow? Let us know. Reply to this email or DM me on Semgrep Community Slack so we can highlight and share what you’ve learned. Trail of Bits shares updates to their community rules which can be found in the Semgrep Registry. GuardDog is an OpenSSF project which recently shared how they use Semgrep rules to uncover complex behavior patterns in supply chain security Semgrep is featured in an Anthropic case study about AI Assistant capabilities Mastering Security Headers Scott Helme, founder of Security Headers and Tanya Janca will be diving deep into mastering security headers in a webinar on April 22. Join live to ask questions and get additional insights. You should also consider sharing the free security headers course with your team. There are also other upcoming webinars including Scaling Security for FinTech when dealing with regulatory compliance. Elliot Colquhoun, VP of Information Security and IT at Airwallex will join to share perspectives. How to Get Started with Semgrep If you've only just learned about Semgrep, here's some ways to get started: The Semgrep Community Edition is free open-source software that powers many teams with basic functionality. The Semgrep AppSec Platform capabilities are available to test on any project with fewer than ten (10) contributors for free. Just hop over to se
This is another installment of the top ten things happening at Semgrep recently that I think you will want to know about.
Let Them Build
Luke O’Malley, one of the founders of Semgrep shared his vision for how secure software starts with the builders who write it. Read the AppSec for Builders Manifesto and share where you agree and where you don’t. Post on social media and tag us with #LetThemBuild.
Reduce the Risks of Vibe Coding
Vibe coding has moved from a meme to the reality many security teams face when reducing risk from AI-generated source code. We’ve built an MCP server to help integrate security guardrails into the development workflow. Visit the semgrep/mcp repository for instructions and source code. See how it works with this video demo of a Cursor integration.
RSA and BSides SF
If you are coming to San Francisco please visit and find out about the latest AI advancements at Semgrep. Visit our RSA event page to learn where we’ll be and when. We’re hosting an exclusive Pre-BSides SF + RSA Party, an Alice & Bob Learn Secure Coding book signing with Tanya Janca, special dinners, and more.
- Review the schedule
- Getting Ready for RSA 2025 Webinar
- Schedule an on-site demo and get a custom hat
I’m looking forward to seeing you all at BSides SF and RSA in-person.
Take the Free AppSec Survey and Course
Want to get some advice on your application security program? Take this interactive survey that will give you some tips & tricks to level-up your AppSec program.
From a review on the Application Security Foundations Course:
“What I love about this course is that it gave me a refresher of foundations of appsec, goals, and tools that I can recommend to incorporate” –Recent Reviewer
Share the free security course with your team.
CVE-2025-29783 for vLLM
We’ve added a CVE to our trophy case. Recently, CVE-2025-29783 was created with credit going to an AI Security Researcher at Nvidia who uncovered the AI attack surface while using Semgrep.
The python.lang.security.deserialization.pickle.avoid-pickle rule was the clue.
One Typo Away from Catastrophe
A software library as a dependency can quickly become a trojan horse to more malicious intentions. A developer is one typo away from a malicious dependency entering the code base. An approach to malicious dependency detection relies on Supply Chain SCA and reachability analysis.
"Modern AppSec programs, like Figma's, rely on a paved road with secure guardrails for fast and safe development."
-- Devdatta Akhawe, Head of Security, Figma
Check out the docs on malicious dependencies to learn more about the 30,000 new rules and supported ecosystems.
Click Into Dashboard Metrics
False positives are a problem and they get in the way of addressing true vulnerabilities while eroding trust. The Fix Rate, number of findings fixed in development relative to the number identified, can be a helpful north star metric for AppSec teams to evaluate triage and remediation when using Semgrep.
New in private beta, we’re providing a preview of clickable charts that allow for deeper reviews into metrics like backlog totals, guardrail activities, etc. so that you can review AI Assistant findings more quickly to understand why, share wins, and demonstrate progress.
Book a demo to chat more about these upcoming dashboard improvements.
Community Edition Headlines
We love hearing about some of the novel things the community is doing with Semgrep. Have you done something that is helping you secure your development team’s workflow? Let us know. Reply to this email or DM me on Semgrep Community Slack so we can highlight and share what you’ve learned.
- Trail of Bits shares updates to their community rules which can be found in the Semgrep Registry.
- GuardDog is an OpenSSF project which recently shared how they use Semgrep rules to uncover complex behavior patterns in supply chain security
- Semgrep is featured in an Anthropic case study about AI Assistant capabilities
Mastering Security Headers
Scott Helme, founder of Security Headers and Tanya Janca will be diving deep into mastering security headers in a webinar on April 22. Join live to ask questions and get additional insights. You should also consider sharing the free security headers course with your team.
There are also other upcoming webinars including Scaling Security for FinTech when dealing with regulatory compliance. Elliot Colquhoun, VP of Information Security and IT at Airwallex will join to share perspectives.
How to Get Started with Semgrep
If you've only just learned about Semgrep, here's some ways to get started:
The Semgrep Community Edition is free open-source software that powers many teams with basic functionality.
The Semgrep AppSec Platform capabilities are available to test on any project with fewer than ten (10) contributors for free. Just hop over to semgrep.dev, sign up, and follow the Quick Start.
If you have any questions or feedback, hop onto the Community Slack and let’s chat!
