Semgrep announced Semgrep Multimodal, a system that combines AI reasoning with rule-based analysis for detection, triage, and remediation.
Its detection finds up to 8x more true positives while cutting noise by 50% compared to foundation models alone, and has already discovered dozens of zero-days at customers.
Multimodal is built on Semgrep Workflows, a framework for autonomous code security – using deterministic tools and AI so security teams can encode their processes once and scale them reliably across teams, repos, and the organization.
Workflows can be run as-is from a pre-built library, customized for a team’s specific environment, or built from scratch. Semgrep’s managed infrastructure handles the production deployment, so teams can focus on defining their security logic, not maintaining the stack.
The problem: AI code volume has outpaced security
AI-generated code is outpacing the security practices built for human-speed development. Security teams fielding hundreds of pull requests a day know the math is unforgiving: a 95% fix rate still means hundreds of unresolved critical issues compounding across hundreds of repositories.
Most are already reaching for LLMs to close the gap and hitting the same walls: demos that fall apart in production, outputs that vary between repositories, token costs that spiral, and hallucinations that erode trust. The jump from proof of concept to running reliably across the organization is where most efforts stall.
Meanwhile, many of the largest and most costly breaches aren’t caused by the vulnerabilities traditional SAST scanners catch. Instead they’re caused by logic errors that escaped notice entirely.
Semgrep Multimodal: Better than either approach alone
Traditional rule-based SAST excels at catching known vulnerability patterns: SQL injection, SSRF, and secrets exposure. But it has always struggled with business logic flaws: IDORs, broken authorization, and authentication bypasses that require understanding context and developer intent. LLMs can reason about logic, but used alone they produce unacceptably high false positive rates and inconsistent results at scale.
Semgrep Multimodal closes that gap. By pairing the Semgrep Pro engine’s precise program analysis with LLM reasoning, it covers both dimensions of vulnerability detection. And as underlying models improve, so does Semgrep Multimodal’s performance automatically.
Semgrep Workflows: The framework underneath
Semgrep Multimodal is built on Semgrep Workflows, which is now available to builders who want to go further than out-of-the-box AppSec. Workflows enables teams to encode their own security policies into automated pipelines covering detection, triage, remediation, compliance, and other AppSec work.
Pre-built workflows cover common cases for the OWASP Top 10 and business logic vulnerabilities. Custom workflows are written in plain Python, can be easily extended with new tools, and are deployed at scale without building or maintaining infrastructure.
Semgrep learns as teams build, incorporating feedback from security engineers and developers to improve accuracy over time. The result: customers are starting to report something the industry has long promised but rarely delivered.
“Semgrep’s rule-based engine became the most widely deployed code scanner in the world by giving teams a way to encode their own security knowledge into precise, customizable rules. Semgrep Multimodal and Workflows are the next chapter of that same bet – that the teams closest to the code are best positioned to define what security means for their organization, and that our job is to give them the engine to automate it,” said Isaac Evans, CEO at Semgrep.
Semgrep Multimodal is available now. Custom Workflows are available via private beta. Teams can join the waitlist.
