Products
- Semgrep Code
  Find and fix the issues that matter in your code (SAST)
- Semgrep Supply Chain
  Find and fix reachable dependency vulnerabilities (SCA)
- Semgrep Secrets
  Find and fix hardcoded secrets with semantic analysis
- Semgrep Assistant
  Get triage and code fix recommendations from AI
- Semgrep AppSec Platform
  Automate, manage, and enforce security across your organization
- Semgrep Pro Engine
  Find more true positives and fewer false positives with dataflow analysis
- Product Updates
  Stay up to date on changes to the Semgrep platform, big and small
Solutions
- Software supply chain security
  Mitigate software supply chain risks
- Static application security testing
  Increase security while accelerating development
- OWASP Top 10
  Prevent the most critical web application security risks
Resources
- Docs
  Want to read all the docs? Start here
- Blog
  Get the latest news about Semgrep
- ROI Calculator
  See how Semgrep can save you time and money
- Community Slack
  Join the friendly Slack group to ask questions or share feedback
- Events
  Join us at a Semgrep Event!
- Case Studies
  See why users love Semgrep
- Video Library
  View our library of on-demand webinars
Company
- About
  The Semgrep story & values
- Careers
  Join the team!
- Partners
  Become a Semgrep partner
Pricing
Sign in
Product support
Contact us
Book demo Try for free

Works with Semgrep Pro Engine

Pro rules

Greatly reduce false positives while increasing scan coverage for critical vulnerability types. Bring findings directly to developers with confidence.

Start scanning for free Book a demo

Improved coverage and developer-oriented results

Semgrep Pro rules are written to minimize false positives so findings can be presented to developers in their workflows, avoiding lengthy triage sessions.
Pro rules provide high-confidence results by leveraging cross-file and cross-funtion dataflow analysis.
High confidence rules use features like taint tracking with sources, sinks, propagators, and sanitizers curated by our Security Research team.

Rules for popular languages and frameworks:

Injection Deserialization XXE

Find injection vulnerabilities

More than 100 high-accuracy rules to find injection vulnerabilities in Java, PHP, JavaScript, Kotlin, Rust, and Swift.

Browse rules for detecting vulnerabilities

Discover malicious deserialization mechanisms

60+ rules supporting 14 Python libraries/frameworks and 3 commonly used Java libraries, both standalone or in combination with Java Servlets and the Spring Framework.

See rules for deserialization

Detect XXE vulnerabilities

Detect XML external entity issues with support for common Java libraries and classes, to identify the many different ways they can be insecurely configured and used.

Learn more about XML security

Continuously monitored and updated

Rules are continuously updated by our Security Research team based on rule performance and user feedback.
Compared to Community rules, Pro rules provide better coverage for Java, JavaScript, TypeScript, Python, PHP, Ruby, C#, Swift, and Go.
Pro rule coverage for languages is continuously expanded by our Security Research team.

Customize and manage rules at scale

Rule syntax is intuitive and similar to source code so there's no need to learn new domain-specific languages to make tweaks.
Get a top-down view of fix and ignore rates to optimize rule policies and behaviors (monitor, comment, or blocking).

Learn about Semgrep Cloud Platform