Case Study: Lyft reduces supply chain noise and finds code issues faster with Semgrep

A Semgrep Case Study

Preview of the Lyft Case Study

How Lyft finds security issues that matter with Semgrep

The ridesharing company Lyft needed a scalable way to shift security left in its development process. Its security team required a static application security testing (SAST) solution to efficiently write and test custom rules for finding issues specific to its code, as previous tools were too time-consuming. Lyft also sought to reduce the overwhelming noise from its existing software composition analysis (SCA) tool.

By implementing Semgrep, Lyft's security team gained an easy-to-use syntax for writing and maintaining custom security rules, saving significant time. Furthermore, Semgrep Supply Chain's reachability analysis reduced SCA noise by 95% by only flagging vulnerable dependencies that were actually used in code. This allowed the team to provide developers with actionable findings, enabling them to immediately remediate critical vulnerabilities like Log4Shell and prioritize the updates that mattered most.


Lyft

Khanh Le-Do

Security Software Engineer

