How Sola Security Scaled Up Engineering Velocity with Semgrep

Learn how Sola Security uses Semgrep to automate secure coding without adding friction. Discover why they chose Semgrep for high-fidelity interfile analysis.


Sola Security is an AI platform that allows security teams to rapidly and effectively build and deploy tools across their stack using natural language prompts. As their own security organization matured, they made a deliberate decision to raise the bar on secure coding practices without slowing down developers. They sought to implement high-quality, scalable security automation that would fit naturally into developer workflows rather than simply adding another tool to the stack.

The Challenge: Scaling security without adding friction

Sola Security required a solution that could scale with engineering velocity without relying on manual review or tribal knowledge. Their primary evaluation criteria focused on performance and stability:

  • Speed: The ability to scan fast-growing codebases without slowing down CI pipelines.

  • Stability: Consistent execution suitable for running on every pull request (PR).

  • Depth: Dataflow (taint) analysis that tracks untrusted input from sources to sinks, including across file boundaries, rather than matching patterns within a single file.

The team needed a tool that provided high-fidelity findings to ensure that security controls would not introduce ongoing friction for developers.

The Solution: High-signal automation with Semgrep

After a hands-on evaluation of multiple AppSec tools, Sola Security selected Semgrep Code, Semgrep Supply Chain, and Semgrep Secrets. Semgrep stood out as the most valuable solution for automating day-to-day security analysis directly within developer workflows.

Key factors in the decision included:

  • High signal-to-noise ratio: The rule-based approach allowed the team to encode security expertise into checks that developers see early, avoiding the need to "push left" solely through documentation.

  • Deep analysis: Semgrep Code’s Pro engine provided interfile analysis, offering source-to-sink visibility that is critical for understanding complex vulnerabilities that span multiple files.

  • Operational ease: The platform was easy to operationalize across teams without heavy administrative overhead.

"The goal was not to ‘add another tool,’ but to implement high-quality, scalable security automation that fits naturally into how developers work."

Yoni Weintrob, Chief Information Security Officer at Sola Security

Results

Superior accuracy with cross-file analysis

Sola Security evaluated open-source static analysis options but found them limited by single-file analysis: a value read from an untrusted source in one file and passed to a dangerous sink in another is invisible to an engine that never sees both files together. The team concluded that effective security automation had to track data flow across file boundaries. Semgrep Code’s Pro engine provided that interfile analysis, and the resulting high-fidelity findings gave the team the confidence to trust the tool in a production CI/CD environment where open-source engines lacked sufficient context.
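The kind of cross-file source-to-sink check the Depth criterion and the paragraph above describe, as an added illustration (this is not a rule from Sola Security or from the Semgrep rule registry): a taint-mode Semgrep rule that flags a Flask request parameter reaching `subprocess.run(..., shell=True)` through a helper defined in a second file. The rule id, the two file names and their contents are hypothetical, sketched in the comments so the rule is self-contained.

```yaml
# Added example rule (hypothetical; not the page's or Semgrep's own).
#
# Assumed two-file layout the rule is written against:
#
#   app/handlers.py
#     from flask import request
#     from app.shell import run_ping
#     def ping():
#         host = request.args.get("host")      # taint source
#         return run_ping(host)                # crosses into shell.py
#
#   app/shell.py
#     import subprocess
#     def run_ping(host):
#         return subprocess.run("ping -c1 " + host, shell=True, capture_output=True)  # sink
#
# Single-file analysis sees the source in handlers.py and the sink in shell.py
# separately and reports nothing. Interfile taint tracking follows `host`
# through run_ping() and reports the sink in shell.py.
rules:
  - id: taint-request-arg-to-subprocess-shell
    mode: taint
    languages: [python]
    severity: ERROR
    message: >-
      User-controlled value from `request.args` reaches `subprocess.run` with
      shell=True as `$CMD`. Validate against an allow-list or pass an argument
      list without shell=True.
    # Sources: anything read from the Flask query string. Semgrep resolves the
    # `from flask import request` alias, so `request.args.get(...)` matches.
    pattern-sources:
      - pattern: flask.request.args.get(...)
      - pattern: flask.request.args[...]
    # Sanitizers: quoting for a shell command line clears the taint.
    pattern-sanitizers:
      - pattern: shlex.quote(...)
    # Sinks: only the command argument of a shell=True call, not every argument.
    pattern-sinks:
      - patterns:
          - pattern: subprocess.run($CMD, ..., shell=True, ...)
          - focus-metavariable: $CMD
```

Run locally with `semgrep --config taint-request-arg-to-subprocess-shell.yaml --pro app/` (the `--pro` flag selects the Pro engine and needs a logged-in Semgrep account); without `--pro` the same rule runs in the open-source engine, which stays within a single file and does not report this finding. The same rule runs in `semgrep ci` on each PR once it is added to the organization's policy, which is where a custom rule like this would land in the rollout phase the page describes.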

A controlled path to developer adoption

Sola Security validated Semgrep’s stability by first running it in the background, without gating or interrupting engineering workflows. This gave them a controlled, low-friction path to a future full rollout. The evaluation confirmed that Semgrep is suitable for integration into the PR workflow, producing clear, technically detailed findings that the security team can trust.

Future-proofing with customization

Sola Security currently relies on Semgrep’s out-of-the-box rules as a strong baseline and plans to introduce custom rule development as the next phase of the rollout. The platform’s flexibility lets them focus on validating coverage and signal quality now while retaining the ability to tune rules to their own application logic over time.

Semgrep helped Sola Security scale high-signal security checks in PRs, so developers ship faster with confidence, and security keeps pace without adding friction.

About


Semgrep enables teams to use industry-leading AI-assisted static application security testing (SAST), supply chain dependency scanning (SCA), and secrets detection. The Semgrep AppSec Platform is built for teams that struggle with noise by helping development teams apply secure coding practices.