Code is the lifeblood of the modern world, yet the tooling for some programming environments can be remarkably spartan. While developers have long had access to graphical programming environments (IDEs) and performance profilers and debuggers, advanced products to analyze and improve lines of code have been harder to find.
These days, the most typical tool in the kit is a linter, which scans through code pointing out flaws that might cause issues. For instance, there might be too many spaces on a line, or a particular line might have a well-known ambiguity that could cause bugs that are hard to diagnose and would best be avoided.
What if we could expand the power of linters to do a lot more though? What if programmers had an assistant that could analyze their code and actively point out new security issues, erroneous code, style problems, and bad logic?
Static code analysis is a whole interesting branch of computer science, and some of those ideas have trickled into the real-world with tools like semgrep, which was developed at Facebook to add more robust code-checking tools to its developer workflow. Semgrep is an open-source project, and it’s being commercialized through r2c, a startup that wants to bring the power of this tool to the developer masses.
The whole project has found enough traction among developers that Satish Dharmaraj at Redpoint and Jim Goetz at Sequoia teamed up to pour $13 million into the company for its Series A round, and also backed the company in an earlier, unannounced seed round.
The company was founded by three MIT grads — CEO Isaac Evans and Drew Dennison were roommates in college, and they joined up with head of product Luke O’Malley. Across their various experiences, they have worked at Palantir, the intelligence community, and Fortune 500 companies, and when Evans and Dennison were EIRs at Redpoint, they explored ideas based on what they had seen in their wide-ranging coding experiences.
“Facebook, Apple, and Amazon are so far ahead when it comes to what they do at the code level to bake security [into their products compared to] other companies, it’s really not even funny,” Evans explained. The big tech companies have massively scaled their coding infrastructure to ensure uniform coding standards, but few others have access to the talent or technology to be on an equal playing field. Through r2c and semgrep, the founders want to close the gap.
With r2c’s technology, developers can scan their codebases on-demand or enforce a regular code check through their continuous integration platform. The company provides its own template rulesets (“rule packs”) to check for issues like security holes, complicated errors, and other potential bugs, and developers and companies can add their own custom rulesets to enforce their own standards. Currently, r2c supports eight programming languages including Javascript and Python and a variety of frameworks, and it is actively working on more compatibility.
One unique focus for r2c has been getting developers onboard with the model. The core technology remains open-sourced. Evans said that “if you actually want something that’s going to get broad developer adoption, it has to be predominantly open source so that developers can actually mess with it and hack on it and see whether or not it’s valuable without having to worry about some kind of super restrictive license.”
Beyond its model, the key has been getting developers to actually use the tool. No one likes bugs, and no developer wants to find more bugs that they have to fix. With semgrep and r2c though, developers can get much more immediate and comprehensive feedback — helping them fix tricky errors before they move on and forget the context of what they were engineering.
“I think one of the coolest things for us is that none of the existing tools in the space have ever been adopted by developers, but for us, it’s about 50/50 developer teams who are getting excited about it versus security teams getting excited about it,” Evans said. Developers hate finding more bugs, but they also hate writing them in the first place. Evans notes that the company’s key metric is the number of bugs found that are actually fixed by developers, indicating that they are offering “good, actionable results” through the product. One area that r2c has explored is actively patching obvious bugs, saving developers time.
Breaches, errors and downtime are a bedrock of software, but it doesn’t have to be that way. With more than a dozen employees and a hefty pool of capital, r2c hopes to improve the reliability of all the experiences we enjoy — and save developers time in the process.