On-demand webinar now available featuring Clint Gibler & Jim Manico

Check out Clint and Jim talking about why OWASP classifies access control as one of the top 10 concerns for security teams.

close-banner
SAST
Semgrep Code
Scan Code
product-semgrep-code-mobileproduct-semgrep-code-tabletproduct-semgrep-code
Use Pro and Community rules to scan for OWASP Top 10 vulnerabilities and protect against web applications’ most critical security risks.
SCA
Semgrep Supply Chain
Scan Dependencies
product-semgrep-supply-chain-mobileproduct-semgrep-supply-chain-tabletSSC background
Use Semgrep's Reachability rules to quickly find and remediate the 2% of issues that are actually reachable.
cloud-icon-dark
Semgrep Cloud Platform
Configure, monitor, and manage Semgrep Code and Semgrep Supply Chain
engine-icon-dark
Semgrep Pro Engine
Analyze code across files and functions
gears-icon-dark
Semgrep OSS Engine
Open source engine

Enhanced SAST results using Semgrep Pro Engine

Semgrep Pro Engine detects vulnerabilities across file and function boundaries.

Semgrep OSS EngineSemgrep Pro Engine

Please click on Semgrep OSS Engine and then on Semgrep Pro Engine to see the difference in results.

Semgrep RuleRule Icon
rules:
- id: example-rule
  pattern: return 1;
  Languages: [java]
  severity: WARNING
Code Box Image
File 1Rule File Icon
class Bar {
  static final int CST = 1;
  int bar_trivial() {
  return 1;
    }
  int bar_simple() {
  return CST;
    }
  int bar_intrafile() {
  return Foo.CST;
    }
  }
File 2Rule File Icon
public class Foo {
  final static int
  CST = 1;
   }
chevron downContinue to Semgrep homepageBack to topchevron up

Powered by Semgrep Open Source

Semgrep: Code Analysis at Ludicrous Speed

Find bugs, run security scans in CI, and enforce security standards across your organization.

Trusted and contributed to by thousands of great teams

GitlabSlackDropboxShopifyCheggShowflake

Built for modern development workflows

Scan code and find vulnerabilities in minutes

  • Integrate into your CI/CD pipeline in minutes

    Supports GitHub Actions, GitLab CI/CD, BitBucket, Jenkins, and other CI platforms (learn more)

  • Get security results where you want them
    See results in Semgrep App, PR/MR comments, or your own infrastructure via API

  • Quickly build a SAST program at scale
    See how Razorpay gets results in minutes

ENFORCE SECURITY STANDARDS

Scan across the stack

Secure the infrastructure layer

Secure the infrastructure layer

Find and prevent security issues in Terraform, Docker, Kubernetes, nginx, and AWS configs before they go into production.

Find OWASP Top 10 risks

Find OWASP Top 10 risks

Use Semgrep rules to scan for OWASP Top 10 vulnerabilities and protect against web applications' most critical security risks.

Protect your CI/CD pipeline

Protect your CI/CD pipeline

Protect the privileged CI/CD environment from malicious activity that could result in access to source code, secrets, and more.

Engage Developers

Engage Developers

Work in the context of code changes without disrupting feature velocity. Discussions in pull requests display results where developers expect.

Works with 30+ frameworks and technologies

Python Logojava iconGo-logoRuby LogoJS-logoTypescript-logoGithub-logoGitlab-logoTrust Bar Logo 08Trust Bar Logo 09Slack Logo

CODE ANALYSIS FOR MODERN LANGUAGES

Purpose-built for security engineers and developers

Scale your security team

Actionable, low-noise, and developer-friendly results let you scale your security and ship with high velocity.

website-purpose-driven-3

Enable developers to be more productive

Reduce friction between security engineers and developers by finding and sharing vulnerabilities in your code and in open source dependencies.

Easily write custom rules

Easily write rules to find bugs specific to your organization — rules look like source code, so there’s no need to learn a new proprietary language.

print(...)
$X == $X
boto3.client(...)
hello('world')
foo(1)
Semgrep example for print(...)
website-purpose-driven-3
Semgrep example for print(...)

FEATURED CUSTOMER SUCCESS STORY

How Policygenius shifted left with Semgrep

  • With Semgrep, Policygenius has nearly zero false positives per scan.

  • Semgrep scans their entire repository in seconds.

  • Policygenius’ security team appreciates easy-to-create rulesets.

Policygenius Image

Learn more on Semgrep’s blog

Announcing Semgrep CodeAnnouncement

February 14, 20235 min read

Announcing Semgrep Code: SAST designed and built for engineers
Raghav JainRaghav Jain
Thumbnail: Developer-focused results and improved coverage with Semgrep Pro rulesBest practices

February 24, 20235 min read

Developer-focused results and improved coverage with Semgrep Pro rules
Claudio MerloniClaudio Merloni
xml-javaHow to’s

January 17, 20236 min read

XML Security in Java
Pieter De CremerPieter De Cremer

Code analysis at ludicrous speed

Find Bugs and Enforce Code Standards

Semgrep Logo

Code analysis at ludicrous speed

Products

Semgrep Code
Semgrep Supply Chain
Semgrep Cloud Platform
Semgrep Pro Engine

Community

Blog

Resources

Docs
ROI Calculator
Pricing
Getting Started With Semgrep
Registry
Playground
Book a demo
Help Center

Company

About
Careers
Contact us
Twitter-logo-greenSlack-logo-greenGitHub-logo-greenYoutube-logo-green

© 2023 r2c. Semgrep is a registered trademark of r2c.

TermsPrivacy