Policygenius: Shifting left with Semgrep

  • With Semgrep, Policygenius has nearly zero false positives per scan.
  • Semgrep scans their entire repository in seconds.
  • Policygenius’ security team appreciates easy-to-create rulesets.


Products Used

Semgrep App

Company Size

1,000+ Employees

Security requirements

The software security team at Policygenius is responsible for making sure that their software is as secure as possible without unnecessarily slowing down software developers.

The Policygenius technology stack consists of:

    • Languages: Ruby, Java, Golang, Python, Terraform
    • SCM: GitHub

As at most technology companies, developers outnumbered security engineers, which made it a challenge to build a secure SDLC that was scalable and effective but also efficient and developer-friendly. For this reason, Jessica Grider, Senior DevSecOps Engineer, wanted security to shift left and the security infrastructure to be automated as much as possible. Shifting left is crucial because it detects vulnerabilities before they reach production, allowing developers and security teams to be proactive rather than reactive.

With this in mind, Jessica was looking for a security solution that was fast, reliable, and had very few false positives.

Semgrep to the rescue

Jessica came across Semgrep at Defcon 2021 when Erin Browning and Tim Faraci from Slack talked about how they ran Semgrep at lightning speed (3 minutes, to be precise) in their CI/CD pipeline. What stood out for Jessica was the ability to choose rulesets and create rules based on different use cases. For example, with Semgrep, XSS detection rules can be tweaked based on Policygenius’ codebase. The ability to run custom rules helps reduce the number of false positives. Jessica decided to try Semgrep.

Policygenius and Semgrep

Policygenius runs Semgrep from a Docker image on a diff scan. Language-specific rulesets are run to find issues in the code. Semgrep alerts the security team through email and Slack integration if there is an issue.

The team at r2c has been making Semgrep blazing fast so that the security engineers do not have to wait for hours to get results. Semgrep met Policygenius’ speed expectations by running 600+ rules in a couple of minutes!

Reliability is high on Policygenius’ priority list. Since Policygenius adopted Semgrep back in November, it has had more than 99% uptime. With Semgrep, Policygenius has been able to shift left by detecting issues before they hit production. The rule-based nature of Semgrep has enabled developers to learn about secure coding practices.

As mentioned before, Jessica was looking for a solution with a low number of false positives. With Semgrep, she found out that the false positive rate was less than 1%. Due to this low number, the team at Policygenius could focus on fixing actual security issues.


The developers don’t even know it is running!

- Jessica Grider, Sr. DevSecOps Engineer, Policygenius

The Semgrep App makes policy enforcement easy. Policygenius has been able to add specific rulesets for specific repositories, add new rules, and change rules easily with the Rule Board.

Looking forward

Jessica is looking forward to involving the developers more in the security process, thus helping Policygenius shift left. r2c introduced Developer Feedback and the Editor in February 2022. Policygenius is looking forward to integrating these features soon. With Developer Feedback, the developers can also help weed out the false positives. The Editor gives a single pane of glass to security and developer teams to collaborate on adding, deploying, and enforcing rules.



Jessica and her team are highly appreciative of the support from r2c to help boost their security posture. Policygenius is excited to utilize the power of Semgrep fully.
