Senior Full Stack Engineer, Software Composition Analysis

About Semgrep

Semgrep, the leader in code security for builders, empowers invention without friction. Teams catch, flag, and fix real issues before they ship, powered by security that learns as they build. Semgrep secures code as it’s written and provides guardrails that pave the road for developers to move fast and stay secure. Built for builders and trusted by security, Semgrep lives where developers work, delivering fixes without breaking flow, and giving security teams visibility, control, and confidence. Semgrep gets smarter as you build, with AI that learns your context to cut false positives and prioritize reachable vulnerabilities, validated by 95% of security reviewers across 6M+ findings. Semgrep makes zero false positives a reality with AppSec teams triaging 80% fewer false positives across Code and Supply Chain, dramatically shrinking the backlog.

Founded in San Francisco and backed by Menlo Ventures, Felicis Ventures, Lightspeed Venture Partners, Redpoint Ventures, and Sequoia Capital, Semgrep is recognized by Gartner in Application Security Testing and is trusted by leading organizations, including Snowflake, Dropbox, and Figma. Learn more at semgrep.dev.

About the role

As a full stack engineer on Semgrep’s Supply Chain team, you’ll build customer-facing features to help developers secure their software from vulnerabilities introduced by third-party dependencies. Other supply chain management tools exist, but they produce far too much noise to be useful or efficient. Security and engineering teams may receive thousands of critical vulnerabilities that need updating, when in reality they are not even using those dependencies in a vulnerable way. Perhaps you’ve even felt this pain yourself!

Our goal is to cut through the noise: to make it easy to find and remediate the 2% of vulnerabilities that are actually reachable given the way our customers’ use their dependencies. We work to make supply chain security as simple and intuitive so developers can focus on their own mission.

Semgrep Supply Chain has strong product-market fit, and is loved by tiny startups to large enterprises. We need your help to meet the needs of our growing customer base.

You will:

Build a product that makes the world safer by making developers’ lives easier
Work on major product initiatives end-to-end, from user-research through design, implementation, and deployment
Help set technical and product direction, collaborating with the team to determine the future of the product, what features to build, and how to build them
Build scalable systems that meet the demands of tomorrow’s customers
Advise and mentor other engineers via thoughtful code reviews, planning discussions, technical documentation, and formal mentorship

You are ideal for this role if you have:

5+ years of experience writing production software, building web applications, and operating with high autonomy. Our stack includes Python, Typescript, Postgres, and DGraph
Excitement about building a product for developers in a highly iterative environment
Enjoy helping startups mature their product to meet new demands in scale and performance
Excellent and proactive communication, both verbal and written

Some examples projects you might work on include:

Tastefully using AI to help customers prioritize and remediate security vulnerabilities
Features to help customers respond to the next dependency malware incident (e.g. sha1-hulud, tj-actions)
Allow customers across a wide variety of languages and package managers to have a seamless onboarding experience
Collect and expose health metrics on open source dependencies to help keep users’ software free of poorly maintained, low quality, and malicious packages
Build data flow and call graphs to determine whether vulnerabilities from transitive dependencies are reachable from users’ code

This position is preferred to go into an office 2-3 days/week.

Compensation

Salary Range: $176,000-207,000

Our compensation package includes equity and benefits in addition to salary.

Please note that the range listed is for someone based in the San Francisco Bay Area.

What we offer (FTE only)

Our goal is to competitively and fairly compensate every Semgrep employee with a system that equally rewards those who are vocal and those who are less comfortable making demands during the final steps of the hiring process. To that end, we generate internal compensation bands that are used when discussing and negotiating salaries. We update these based on market data to make sure they’re above the average for comparable roles.

We invest in our employees’ well-being and long-term success through a competitive, market-aligned benefits program that meets or exceeds local market standards across all of the regions in which we hire. Benefits offerings vary by location to reflect local requirements and norms. For more detailed, location-specific information, please visit Semgrep Benefits.

Who we are

We bring together people from a wide range of backgrounds and disciplines—from physics and philosophy to formal methods research and full-fledged corporations. We’re new parents and new grads, dog lovers and dogfooders. We get together often to bike, bake, and meet up in parks. In our interactions, we believe respect and honesty go hand in hand, and prioritize both.

Semgrep is an equal-opportunity employer seeking a diverse range of backgrounds. We value who you are — including your cultural heritage, your socioeconomic status, your age, your race, your gender, your sexual orientation, your disabilities. We value what’s vitally important to you — your family, your religion, your politics. We value what you love in this world — your music, your weekend pursuits. We believe in welcoming varied professional backgrounds, educations, and interests. If you’re exceptional in your role, believe in Semgrep’s mission, and treat Semgrep’s values as your own, you belong here.