r2c, a startup building a SaaS service around the Semgrep open-source project, secured $27m in Series B funding, led by Felicis Ventures with participation from previous investors Redpoint Ventures and Sequoia Capital.
A growing number of open-source (OSS) grounded startups raising capital. On the OSS point, r2c works with Semgrep, which the company likens to a “code-aware grep.” Grep is a tool for searching through plain text that has been around for decades. Semgrep is related but focused on finding things inside of written code.
Given the sheer volume of code that is written, there is an ever-rising demand for finding particular bits of text quickly; Semgrep is an evolution of the original project, that was initially built inside of Facebook.
Given the ever-growing number of breaches that the public endures, helping companies leak less data, and suffer fewer intrusions is big business.
With a focus on cybersecurity, the startup sells a monthly, per-developer subscription (SaaS) that packages a broad set of security-focused rules across different coding languages, allowing companies to easily check their own software for possible security issues.
According to r2c CEO Isaac Evans security teams must enable rather than hinder rapid software development. If developers lack tools that are easy to set up and understand—or if a developer has to convince their manager to spend millions on advanced security tools—the future is bleak. He said, “We want to empower developers to fix issues as they’re written by providing visibility and measurement through the entire development lifecycle.”
Since its last funding round, many industry-leading teams adopted Semgrep including Salesforce, Dropbox, Stripe, Netflix, Figma, Snowflake and Chef – both as a scanning tool and language to write new scanning rules. Security consultancies like Trail of Bits, Latacora, and NCC Group have started writing Semgrep rules. They and others form a growing community of brilliant security researchers and developers contributing rules and Semgrep engine improvements.
Evans added, “For the past several months, we’ve been working with the GitLab team on an integration of Semgrep into GitLab SAST for language agnostic scanning and simplified custom rule development. As of the GitLab 14 release, Semgrep is the default SAST analyzer for JavaScript, Python, and TypeScript, replacing Bandit and ESLint as the analyzers for those languages.”
Copyright © 2018 RegTech Analyst