We’re excited to announce revamped reporting capabilities in Semgrep, which bring increased levels of clarity to your production backlog, developer engagement levels, and overall security posture. Along with recently released views of secure guardrails adoption, these new capabilities give AppSec teams more visibility than ever before into the security metrics that matter for their teams. Here’s what’s new:
Secure guardrails
Earlier this summer, we introduced a different approach to security: secure guardrails. Rather than a security “gate” that halts progress for inspection, secure guardrails nudge high-speed developers back towards the “paved road,” a path that is secure by default. Modern security teams see secure guardrails as an essential element of fast-moving and secure software development.
Building on that introduction, this view shows how secure guardrails in code review (PR or MR) comments are used by your organization. Other guardrail interfaces, such as the IDE or pre-commit, are not counted in this section. From this view, teams can understand how many vulnerabilities are prevented from entering production over time, and the effectiveness of secure guardrails in the developer workflow.
Findings shown to devs
Viewing the number of findings shown to developers in PR or MR comments—as a proportion to the total findings count—helps teams understand the effectiveness of secure guardrails they’ve deployed with Semgrep. An upward trend indicates more findings are being shown to developers early in code review.
Findings fixed before backlog
Once findings are presented to developers, it’s important to track how many of those were fixed before they reach a default branch or the production backlog. This chart displays a breakdown of the status of findings shown to developers; whether they were ignored, fixed, or remained open. This is in contrast to the backlog graph, which shows the breakdown of all fixed and remaining open findings, not just findings shown to developers.
Production backlog
This display shows the number of findings detected in your primary or default branch, typically indicating the number of security issues that have made it to production environments. The chart helps teams understand the growth or decline in the security backlog, and how security posture is evolving over time.
Backlog activity
In addition to understanding the evolution of the open backlog over time, teams can also understand details about new, fixed, and ignored findings—and the resulting net change. This brings detailed understanding about the underlying composition of the backlog evolution.
Most findings by project
A handy way to identify hot spot projects, this view lists projects sorted by the most open findings to least, grouped by product or severity. This view helps teams understand which projects have the most findings for a given severity, or which projects have the most findings for a particular type of scan (SAST, SCA, or secrets).
Median open age
This graph shows the middle age of all open findings and is grouped by product or severity. As the median measurement, half of the open findings are older than this age, and half are newer. The median value is chosen because it's less affected by outliers and skewed data than the mean (average) value.
Summary
Semgrep’s revamped reporting capabilities help AppSec teams understand what’s working and what’s not when it comes to their backlog, developer engagement, and security posture at the project-level. Brand new views into secure guardrails make it easy to prove the effectiveness and progress of “shift left” initiatives, so security teams can demonstrate that they are trending in the right direction. We’d love for you to check out these capabilities and let us know what you think!
