What happened
Semgrep's April 2026 AppSec platform update introduced AI-powered detection in beta for complex vulnerability classes including Insecure Direct Object Reference (IDOR) and broken authorisation — categories historically resistant to rule-based static analysis. The update also adds direct integration with developer AI environments (Cursor, Claude Code) for real-time scanning and ties AI feature usage to credit limits with visibility controls.
Why it matters
AI-powered code generation has dramatically increased the volume of code reaching production; Semgrep's AI-powered detection capabilities address the security tooling gap where traditional SAST struggles to keep pace with AI-generated output. The governance layer (credit limits, AI feature controls) responds to enterprise concerns about ungoverned AI tooling inside AppSec workflows.
Applicability
Engineering-led security teams and DevSecOps organisations using Semgrep should evaluate the beta AI detection features against their IDOR and authorisation vulnerability backlog; organisations using Cursor or Claude Code for development should prioritise integration testing to enable real-time scanning in AI-assisted coding workflows.