AI Code Editing: Redpoint & Sequoia Back New Startup

October 29, 2020

The foundation of our contemporary world is code, yet the development tools available for certain programming environments can be surprisingly basic. While programmers have consistently utilized graphical programming environments (IDEs) alongside performance profilers and debuggers, more sophisticated solutions for analyzing and refining code have been less readily available.

Currently, the most common tool employed is a linter, which examines code to identify potential problems that could lead to issues. For example, a line might contain excessive whitespace, or it could present an ambiguity known to cause difficult-to-diagnose bugs that are best avoided.

But what if the capabilities of linters could be significantly expanded? Imagine programmers having an assistant capable of analyzing their code and proactively highlighting potential security vulnerabilities, coding errors, stylistic inconsistencies, and logical flaws.

Static code analysis represents a fascinating field within computer science, and concepts from this area are now appearing in practical tools like semgrep. This tool was originally created at Facebook to enhance code-checking procedures within its development process. Semgrep is an open-source project that is now being commercially developed by r2c, a company focused on making this powerful tool accessible to a wider range of developers.

The project has gained considerable momentum within the developer community, leading Satish Dharmaraj of Redpoint and Jim Goetz of Sequoia to invest $13 million in the company’s Series A funding round, and also to support the company in a prior, undisclosed seed round.

The company was established by three MIT graduates – CEO Isaac Evans and Drew Dennison, who were college roommates, and Luke O’Malley, who serves as head of product. Their collective experience includes work at Palantir, within the intelligence sector, and at Fortune 500 companies. While serving as EIRs at Redpoint, Evans and Dennison investigated concepts based on their extensive coding experiences.

“The disparity in coding practices between companies like Facebook, Apple, and Amazon, who prioritize security integration, and other organizations is substantial,” Evans stated. These large technology companies have significantly scaled their coding infrastructure to ensure consistent coding standards, a level of capability that is often beyond the reach of others due to limitations in talent and technology. r2c and semgrep aim to bridge this gap.

r2c’s technology allows developers to scan their codebases as needed or to implement regular code checks within their continuous integration pipelines. The company offers pre-built rule sets (“rule packs”) to detect issues such as security weaknesses, complex errors, and other potential bugs, while also enabling developers and organizations to create and implement their own custom rule sets to enforce specific standards. Currently, r2c supports eight programming languages, including JavaScript and Python, and a variety of frameworks, with ongoing efforts to expand compatibility.

A key aspect of r2c’s strategy has been fostering developer adoption of the tool. The underlying technology remains open-source. Evans explained that “for widespread developer acceptance, a predominantly open-source approach is crucial, allowing developers to experiment with the tool and assess its value without restrictive licensing concerns.”

Beyond the licensing model, a critical factor has been encouraging developers to actually utilize the tool. While no one enjoys encountering bugs, developers are understandably reluctant to uncover more issues that require resolution. However, semgrep and r2c provide developers with more immediate and thorough feedback, enabling them to address complex errors before losing context.

“What’s particularly encouraging is that, unlike existing tools in this space, we’re seeing roughly equal interest from both developer teams and security teams,” Evans said. Developers dislike discovering bugs, but they also prefer to avoid introducing them in the first place. Evans emphasized that the company’s primary metric is the number of bugs identified that are subsequently fixed by developers, demonstrating that the product delivers “valuable, actionable results.” r2c has also explored automatically patching obvious bugs to save developers time.

Software vulnerabilities, errors, and downtime are common occurrences, but they don’t have to be. With a team of over a dozen employees and significant funding, r2c intends to enhance the reliability of the digital experiences we rely on – and streamline the development process for programmers.
