Enhancing Semgrep Accuracy with GPT-4: Identifying and Correcting False Positives

Original Post: We put GPT-4 in Semgrep to point out false positives & fix code

Semgrep, a widely used static application security testing (SAST) tool built on code pattern search, is enhancing its capabilities by integrating GPT-4 into its cloud service. The addition aims to identify and prioritize significant findings before developers are notified. GPT-4’s reasoning appears effective in internal testing, and it can also suggest fixes for flagged code that are often correct. The private beta for this feature started on April 6th, with sign-ups available.

One key feature of this integration is auto-triaging, where GPT-4 helps distinguish true positives from false positives, reducing the burden on developers, especially less experienced ones. The model is good at explaining why a given finding is safe to ignore, or when a custom rule is written too broadly and is matching code it should not.
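The "custom rule too broad" case is the one a rule author can usually fix without any AI in the loop. The Semgrep rule file below is an added example written for this page, not code from Semgrep or from the original post. It pairs a deliberately over-broad rule with a narrowed rewrite of it; the rule ids, the Python `subprocess` scenario and the messages are my own choices, and the narrowed rule still produces findings that need human review.

```yaml
# Added example (not from the original post). Two Semgrep rules for the same
# weakness class, showing how an over-broad pattern generates false positives
# and how the same rule can be narrowed with pattern-not.
rules:
  # Broad version: flags *every* subprocess call that passes shell=True,
  # including calls whose command is a fixed string literal. Those calls are
  # not injectable, so each one is a false positive a reviewer has to dismiss.
  - id: subprocess-shell-true-broad
    languages: [python]
    severity: WARNING
    message: subprocess call uses shell=True
    pattern: subprocess.$FUNC(..., shell=True, ...)

  # Narrowed version: keeps the same shell=True match, but excludes calls whose
  # command argument is a string literal ("..." matches any string literal in
  # Semgrep). What remains is a command built from a variable or expression,
  # which is the case that actually warrants a look for command injection.
  - id: subprocess-shell-true-nonliteral-command
    languages: [python]
    severity: ERROR
    message: >-
      subprocess call uses shell=True with a command that is not a string
      literal; confirm the command cannot contain untrusted input, or pass an
      argument list with shell=False instead.
    patterns:
      - pattern: subprocess.$FUNC($CMD, ..., shell=True, ...)
      - pattern-not: subprocess.$FUNC("...", ..., shell=True, ...)
```

Run both rules against the same code base (`semgrep --config rules.yml .`) and compare the result counts: the gap between the two is the set of findings the broad rule produced that the narrowed rule considers noise. Reviewing that difference by hand is the manual equivalent of the auto-triage step the post describes, and it shows why a rule that is too broad is a rule-writing problem first and a triage problem second.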

Auto-fixing is another feature, although AI-generated fixes are directly usable only around 40% of the time; more often they serve as a good starting point. The goal is to improve the suggestions until they are directly committable 90% of the time. Semgrep’s AI features may also drive the creation of more custom rules, with a productivity effect similar to that of code auto-formatters like go fmt.

Semgrep sees a future where AI plays a significant role in defining and reviewing code patterns, but emphasizes the need for transparency and human oversight. The private beta requires users to grant GitHub code access, with promises of no data storage and adherence to OpenAI’s data usage policies.
