Did Semgrep Just Get A Lot More Interesting?
Source: fly.io Date: 2025-02-12 URL: https://fly.io/blog/semgrep-but-for-real-now/
Summary
Speculative essay arguing that LLM agents make Semgrep dramatically more useful by closing the loop: agents can deploy code, observe failures in production, generate Semgrep rules for the specific bug patterns they encounter, test those rules, and scan the entire codebase — automatically. The traditional bottleneck (manual rule creation) disappears when an agent can do it. The author frames this as a shift from predictive static analysis to reactive, learning-based detection.
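To make the loop concrete, here is the kind of artifact an agent would produce at the "generate a rule for the bug you just saw" step. This is an added example, not code from the fly.io post or from Semgrep itself; the incident (a worker hanging on an HTTP call made without a timeout), the rule id, and the metadata values are hypothetical:

```yaml
# Added example (not from the fly.io post). Hypothetical rule an agent might
# emit after observing a worker hang on a requests.* call with no timeout.
rules:
  - id: requests-missing-timeout
    languages: [python]
    severity: WARNING
    message: >-
      requests.$METHOD called without timeout=; a stalled upstream will block
      this worker indefinitely. Pass an explicit timeout.
    metadata:
      category: reliability
      origin: generated from incident review (hypothetical)
    patterns:
      # any call through the requests module's top-level helpers
      - pattern: requests.$METHOD(...)
      # ...except calls that already pass a timeout keyword in any position
      - pattern-not: requests.$METHOD(..., timeout=$T, ...)
      # restrict $METHOD so unrelated attributes (e.g. requests.Session) don't match
      - metavariable-regex:
          metavariable: $METHOD
          regex: ^(get|post|put|patch|delete|head|options|request)$
```

The "test the rule" step uses Semgrep's own convention: save this as `requests-missing-timeout.yaml` and put a sibling target `requests-missing-timeout.py` next to it, with a `# ruleid: requests-missing-timeout` comment on the line above each call that must fire (for example `requests.get(url)`) and `# ok: requests-missing-timeout` above each call that must not (for example `requests.get(url, timeout=5)`); `semgrep --test .` then reports any line where the rule's findings disagree with the annotations. The "scan the codebase" step is `semgrep --config requests-missing-timeout.yaml src/`. One caveat worth encoding as an extra test case: calls made through a session object (`s = requests.Session(); s.get(url)`) do not match `requests.$METHOD(...)`, so an agent that only learned from the one traceback would leave that variant of the same bug undetected.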
Implications
Agentic engineering patterns / security. This is an early articulation of the “agent-writes-its-own-guardrails” pattern, which has broader implications: agents that generate lint rules, test cases, or security policies from the bugs they encounter are self-improving in a meaningful operational sense. For the radar, Semgrep specifically is worth watching. Its rules are syntactic code patterns written in the target language's own syntax, a representation LLMs already handle well, and the tooling to draft a rule from a few positive and negative examples is good enough for them. If the pattern catches on, it changes the economics of static analysis: instead of maintaining a rule library, you run an agent that generates rules from your actual bug history. Cursor’s closed-loop debugging is the immediate precedent.