
    Semgrep docs

    Find bugs and reachable dependency vulnerabilities in code. Enforce your code standards on every commit.

    Scan with Semgrep AppSec Platform

    Deploy static application security testing (SAST), software composition analysis (SCA), and secrets scans from one platform.

    Supported languages

    Product: Semgrep Code
      Generally available (GA): C and C++ • C# • Generic • Go • Java • JavaScript • JSON • Kotlin • Python • TypeScript • Ruby • Rust • JSX • PHP • Scala • Swift • Terraform
      Beta: APEX • Elixir
      Experimental: Bash • Cairo • Circom • Clojure • Dart • Dockerfile • Hack • HTML • Jsonnet • Julia • Lisp • Lua • Move on Aptos • Move on Sui • OCaml • R • Scheme • Solidity • YAML • XML

    Product: Semgrep Supply Chain
      Generally available reachability analysis: C# • Go • Java • JavaScript and TypeScript • Kotlin • Python • Ruby • Scala • Swift
      Beta, or languages without support for reachability analysis: Dart • Elixir • PHP • Rust

    Product: Semgrep Secrets
      Language-agnostic; can detect 630+ types of credentials or keys.

    See the Supported languages documentation for more details.

    February 2025 release notes summary

    • Semgrep Managed Scans for repositories hosted by Bitbucket Cloud are now in public beta.
    • You can now manage your projects' enrollment in Semgrep Managed Scans through the Semgrep API's /project and /project/managed-scan endpoints.
    • Added support for the Critical severity level, which denotes the highest severity for a Code or Secrets finding. You can now filter by Critical severity in Semgrep AppSec Platform, and you can filter for and identify rules that generate Critical severity findings in the Semgrep Registry.
    • New rules for JavaScript and TypeScript have been added to Semgrep's default ruleset, p/default. The new rules cover the OWASP Top 10 and the most popular server-side frameworks, like Express, NestJS, Hapi, and Koa.
    • You can now configure policies for Supply Chain findings. These policies let you set the conditions under which developers are notified of findings through a PR or MR comment, or are blocked from merging a PR or MR.
      • For example, you can create a policy to block a PR or MR from merging when a reachable finding with an available fix (upgrade) is detected.
      • Policies can have different scopes, which are the projects or project tags the policies are applied to.
    • Semgrep Assistant is now available for users with repositories hosted by Bitbucket Cloud and Azure DevOps.

    See the latest release notes
