Supported languages

This document provides information about supported languages and language maturity definitions for the following products:

• Semgrep Code
• Semgrep OSS
• Semgrep Supply Chain

Semgrep Code and OSS

Semgrep OSS is a fast, lightweight program analysis tool that can help you detect security issues in your code. It makes use of Semgrep's LGPL 2.1 open source engine.

Semgrep Code is a static application security testing SAST solution that uses both Semgrep OSS Engine and a proprietary Semgrep Pro engine. This engine can perform more complex code analyses, resulting in a higher true positive rate than Semgrep OSS.

Use either tool to scan local code or integrate it into your CI/CD pipeline to automate the continuous scanning of your repositories.

Product	Analysis
Semgrep OSS	Single-function analysis Single-file analysis
Semgrep Code	All analyses in the OSS Engine Cross-file (interfile) analysis Cross-function (interprocedural) analysis

Language maturity levels

Semgrep Code languages can be classified into four maturity levels:

• Generally available (GA)
• Beta
• Experimental
• Community supported*

*Community supported languages meet the parse rate and syntax requirements of Experimental languages. Users can still access community rules or write their own rules.

Their differences are outlined in the following table:

Feature	GA	Beta	Experimental	Community supported
Parse Rate	99%+	95%+	90%+
Number of rules	10+	5+	0+. Query the Registry to see if any rules exist for your language.
Semgrep syntax	Regex, equivalence, deep expression operators, types and typing. All features supported in Beta.	Complete metavariable support, metavariable equality. All features supported in Experimental.	Syntax, ellipsis operator, basic metavariable functionality.
Support	Highest quality support by the Semgrep team. Reported issues are resolved promptly.	Supported by the Semgrep team. Reported issues are fixed after GA languages.	There are limitations to this language's functionality. Reported issues are tracked and prioritized with best effort.	These languages are supported by the Semgrep community. While Semgrep may develop rules or engine updates for these languages, they are not prioritized.

Semgrep Code language support

Semgrep Code supports over 30 languages and counting! 🚀

Language	Maturity level	Cross-function analysis	Cross-file analysis
C	GA	✅	✅
C++	GA	✅	✅
C#	GA	✅	✅
Go	GA	✅	✅
Java	GA	✅	✅
JavaScript	GA	✅	✅
Kotlin	GA	✅	✅
TypeScript	GA	✅	✅
Ruby	GA	✅	--
Rust	GA	✅	--
JSX	GA	✅	--
PHP	GA	✅	--
Python	GA	✅	--
Scala	GA	✅	--
Swift	GA	✅	--
Generic	GA	--	--
JSON	GA	--	--
Terraform	GA	--	--
Apex	Beta	✅	--
Elixir	Beta	✅	--

The following languages are Experimental:

• Bash
• Cairo
• Clojure
• Dart
• Dockerfile
• Hack
• HTML
• Jsonnet
• Julia
• Lisp
• Lua
• Ocaml
• R
• Scheme
• Solidity
• YAML
• XML

If you'd like to request a language not shown here, please create an issue on the Semgrep GitHub repo.

Semgrep OSS language support

All Semgrep OSS languages are community supported. Community supported languages must meet the parse rate and syntax requirements of experimental support in Semgrep Code to be listed here. Semgrep OSS uses Semgrep's open source engine.

Community supported languages have varying levels of rule coverage - view the registry and filter out Pro rules to see the level of coverage for OSS.

Click to view Semgrep OSS languages.

• Bash
• C
• C++
• C#
• Cairo
• Clojure
• Dart
• Dockerfile
• Generic
• Go
• Hack
• HTML
• Java
• JavaScript
• JSON
• Jsonnet
• Julia
• Lisp
• Lua
• Kotlin
• Ruby
• Rust
• JSX
• OCaml
• PHP
• Python
• R
• Scala
• Scheme
• Solidity
• Swift
• TypeScript
• YAML
• XML

More information

Visit the cheat sheet generation script and associated semgrep-core test files to learn more about each feature:

• Generation script
• semgrep-core test files

Visit the Semgrep public language dashboard to see the parse rates for each language

• See Parse rates by language.

Semgrep Supply Chain

Semgrep Supply Chain is a software composition analysis (SCA) tool that detects security vulnerabilities in your codebase introduced by open source dependencies. It can also:

• Generate a software bill of materials (SBOM) that provides a complete inventory of your open source components
• Query for information about your dependencies
• Support the enforcement of your business' open source package licensing requirements

Semgrep Supply Chain parses lockfiles for dependencies, then scans your codebase for reachable findings based on the lockfiles. Some languages, such as Java, have several lockfiles, depending on your repository's package manager. For some languages, such as JavaScript and Python, a manifest file is also parsed to determine transitivity.

Language	Supported package managers	Lockfile	Reachability support level‡	License detection support	Time period of reachability rule coverage for CVEs/GHSAs
C#	NuGet	packages.lock.json	GA	✅	Since May 2022
Go	Go modules (go mod)	go.mod	GA	✅
Java	Gradle	gradle.lockfile	GA	✅
	Maven	Maven-generated dependency tree (See Setting up SSC scans for Apache Maven for instructions.)	GA	✅
JavaScript or TypeScript	npm (Node.js)	package-lock.json	GA	✅
	Yarn, Yarn 2, Yarn 3	yarn.lock	GA	--
	pnpm	pnpm-lock.yaml	GA	--
Python	pip	requirements.txt†† (generated by pip freeze for example)	GA	✅ (PyPI packages only)
	pip-tools	requirements.txt	GA
	Pipenv	Pipfile.lock	GA
	Poetry	poetry.lock	GA
Ruby	RubyGems	Gemfile.lock	GA	✅
Rust	Cargo§	cargo.lock	Lockfile-only	✅	Not applicable due to reachability support level
Dart	Pub	pubspec.lock	Lockfile-only	--
Kotlin	Gradle	gradle.lockfile§	Lockfile-only	--
	Maven	Maven-generated dependency tree (See Setting up SSC scans for Apache Maven for instructions.)	Lockfile-only	--
PHP	Composer	composer.lock	Lockfile-only	--
Scala	Maven	Maven-generated dependency tree (See Setting up SSC scans for Apache Maven for instructions.)	Lockfile-only	--
Swift	SwiftPM	Swift-generated Package.resolved file. (See Swift documentation for instructions.)	Lockfile-only	--

*Semgrep Supply Chain scans transitive dependencies for all supported languages but does not perform reachability analysis on transitive dependencies.
‡Reachability support level refers to the level of support for reachability analysis for the language. At the minimum, Semgrep Supply Chain uses lockfile-only rules, which compare a package's version against versions with known vulnerabilities.
**††**Semgrep Supply Chain supports requirements.txt when it is used as a lockfile. This means that requirements.txt must be set to exact versions (pinned dependencies) and the file must be generated automatically.
§ Supply Chain does not analyze the transitivity of packages for these language or lockfile combinations. All dependencies are listed as Unknown transitivity.

info

Semgrep ingests CVE information and security advisories from sources such as Reviewed GitHub Security Advisories to ensure effective rule coverage. Semgrep processes new information at least once per day to:

• Generate rules for new security advisories;
• Update rules based on changes to existing security advisories.

Transitivity support

For more information on transitivity, see Transitive dependencies and reachability analysis.

Maturity levels

Semgrep Supply Chain has two maturity levels:

• General Availability (GA)
• Beta

Their differences are outlined in the following table:

Feature	GA	Beta
Number of reachability rules	10+	1+
Semgrep, Inc. rule-writing support	Quickly release new rules for all critical and high vulnerabilities based on the latest security advisories.	No commitment for new rules based on the latest security advisories.
Semgrep OSS Engine language support	Semgrep OSS Engine support is GA.	Semgrep OSS Engine support is at least Beta.

Feature and product maturity levels

• The detailed specifications previously provided apply only to language support. Language maturity levels differ from feature and product maturity levels.
• Semgrep features and products documented as experimental, beta, or GA generally follow the definitions in a Software release life cycle.