
For Semgrep, an AI-assisted AppSec platform, code reviews had become a bottleneck: engineers were ready to ship, but large diffs made it hard for reviewers to give timely feedback. That friction wasn’t sustainable. The team wanted a faster path to merge without sacrificing quality or security. In short, they needed a way to reduce review time and pull request (PR) size while letting developers stay focused on building. In this case study, we’ll look at how Semgrep used Graphite and the stacked PR workflow to reduce manual overhead and speed up its development and review cycles.
A new way to review and ship
The process of stacking allows developers to create a series of smaller, dependent pull requests that build on one another. This means large changes can be broken down into more manageable, reviewable pieces. Some engineers on the team, especially those who’d worked at Meta, were already familiar with stacked diffs. So, the concept wasn’t new, but even experienced engineers who tried to split up their work manually found the process clunky and time-consuming.
“I was getting these massive PRs that were sometimes impossible to review,” Austin Theriault, Senior Software Engineer at Semgrep, recalls. “And on the other hand, I like using Git, so I would split and rebase PRs on my own, but it really was just a pain to do all that manually,” he explains. When Semgrep began to trial Graphite, Austin realized it mirrored the manual splitting he already did, but with automation that made stacking fast and repeatable.
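The manual version of the workflow Austin describes, as an added example that is not Semgrep’s or Graphite’s code: three dependent branches (the names refactor, feature and perms are made up) are stacked on main with plain git, the bottom branch is amended after review, and the branches above it are rebased so the stack stays linear. It assumes git is on PATH and runs in a throwaway repository under a temporary directory; Graphite automates exactly the bookkeeping the second half of the script does by hand.

```shell
#!/bin/sh
# Added example (not Semgrep's or Graphite's code): build a stack of three
# dependent branches, amend the bottom one, and restack the ones above it.
# Prints the stack depth (3) when every check passes.
stack_demo() (
  set -eu
  # Fixed identity so commits work without a global git config.
  export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.com
  export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.com
  repo=$(mktemp -d)
  cd "$repo"
  git init -q .
  git checkout -q -b main

  # Base commit on main.
  echo 'base' > app.txt
  git add app.txt
  git commit -q -m 'Initial commit'

  # PR 1 (bottom of the stack): a pure refactor with no behaviour change.
  git checkout -q -b refactor
  echo 'refactor' >> app.txt
  git commit -q -am 'Refactor: extract helper'

  # PR 2 depends on PR 1: the feature that uses the refactored helper.
  git checkout -q -b feature
  echo 'feature' > feature.txt
  git add feature.txt
  git commit -q -m 'Feature: add new check'

  # PR 3 depends on PR 2: the permissions change, kept on its own so it can
  # be audited, approved and reverted independently of the feature.
  git checkout -q -b perms
  echo 'policy' > perms.txt
  git add perms.txt
  git commit -q -m 'Permissions: tighten policy'

  # A reviewer asks for a change on PR 1. Record the old commit ids first,
  # because the branches above still build on them.
  old_refactor=$(git rev-parse refactor)
  old_feature=$(git rev-parse feature)
  git checkout -q refactor
  echo 'refactor v2' >> app.txt
  git commit -q -a --amend --no-edit

  # Restack: move each upper branch onto the new tip of the branch below it.
  git rebase -q --onto refactor "$old_refactor" feature >/dev/null
  git rebase -q --onto feature "$old_feature" perms >/dev/null

  # Sanity checks: the stack is still linear and the top branch carries the
  # amended refactor, not the stale one.
  git merge-base --is-ancestor refactor feature
  git merge-base --is-ancestor feature perms
  git show perms:app.txt | grep -q 'refactor v2'

  # Stack depth: commits on the top branch that are not yet on main.
  git rev-list --count main..perms
)

stack_demo
```

Each `git rebase --onto` is one PR's worth of the restacking that stacked-diff tooling performs automatically; the two `merge-base --is-ancestor` checks are the invariant a stack must keep, namely that every PR contains the one below it.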
Tangible results
Today, Semgrep engineers use Graphite to break large changes down, separating refactors, feature changes, and security-triggered changes into their own PRs for more focused code reviews. Since adoption, Semgrep benefits from:
Clear separation of features: Refactors were decoupled from feature work. Security or permissions-heavy changes could be isolated, making audits, reversions, and approvals simpler.
Accelerated feedback loops: More focused PRs allowed for faster reviews and merges of non-conflicting parts, ultimately freeing time for deeper reviews of more critical changes.
CI optimization: By splitting out changes that trigger expensive builds from lighter, follow-up changes, Semgrep uses Graphite’s stacked workflow to benefit from CI caching, so expensive jobs run once and subsequent PRs complete faster.
The numbers tell the story. With Graphite, Semgrep has seen a 17% reduction in median pull request (PR) size, with PRs becoming smaller and more frequent, a clear shift toward incremental development. Alongside this change, there was a 36% increase in PRs shipped per engineer, showing that developers are contributing and releasing work more often. Combined with a 65% increase in code shipped per engineer, these improvements reflect a significant boost in overall throughput and development velocity. Together, these gains point to faster, more scalable development and review processes.
Looking ahead
By enabling smaller, stackable PRs, Graphite has simplified Semgrep’s code review processes. Semgrep engineers now ship faster, reviewers stay unblocked, and the team has more time to focus on what matters: building secure software and advancing the frontier of AI-driven AppSec. “Personally, I’ve enjoyed using Graphite so much that I wrote my own Emacs integration for it,” Austin shares.
Semgrep’s innovation isn’t limited to its product; it extends into how the engineering team ships. As the team works to expose more of Semgrep’s capabilities as tools for LLMs to invoke, Graphite ensures development keeps pace, helping the team usher in a new era of AppSec.
To learn more about how Graphite can help accelerate your development and review cycles, check out other case studies or set up a call with our team.