Find bugs and reachable dependency vulnerabilities in code. Enforce your code standards on every commit.
Scan with Semgrep AppSec Platform
Deploy static application security testing (SAST), software composition analysis (SCA), and secrets scans from one platform.
Get started
Run your first Semgrep scan.
Deploy Semgrep
Deploy Semgrep to your organization quickly and at scale.
Triage and remediate
Triage and remediate findings; fine-tune guardrails for developers.
Write rules
Create custom rules to enforce your organization's coding standards.
Supported languages
Product | Generally available (GA) | Beta | Experimental
---|---|---|---
Semgrep Code | C and C++ • C# • Generic • Go • Java • JavaScript • JSON • Kotlin • Python • TypeScript • Ruby • Rust • JSX • PHP • Scala • Swift • Terraform | APEX • Elixir | Bash • Cairo • Circom • Clojure • Dart • Dockerfile • Hack • HTML • Jsonnet • Julia • Lisp • Lua • Move on Aptos • Move on Sui • OCaml • R • Scheme • Solidity • YAML • XML
Semgrep Supply Chain | With reachability analysis: C# • Go • Java • JavaScript and TypeScript • Kotlin • Python • Ruby • Scala • Swift | Beta, or without reachability analysis: Dart • Elixir • PHP • Rust | 
Semgrep Secrets | Language-agnostic; can detect 630+ types of credentials or keys. | | 
Semgrep Secrets | Language-agnostic; can detect 630+ types of credentials or keys. |
See the Supported languages documentation for more details.
January 2025 release notes summary
- The Policy Management API is now generally available. The Policy Management API allows you to automate tasks such as:
  - Add, update, and disable rules across multiple policies.
  - Apply rules in different modes, such as monitor, comment, block, or disable, to align with security workflows.
  - Integrate policy management into CI/CD pipelines to ensure consistent enforcement during software development.
- Semgrep Managed Scans for repositories hosted by Azure DevOps is now in public beta.
- Dependency Paths are now available in public beta for the following languages and package managers:
  - JavaScript: npm, pnpm, and yarn are supported.
  - Python: Only Poetry is supported.
- Semgrep now ingests CVE information from Electron release notes. This information is used to generate rules that can detect if you're affected by CVEs from this source.
- Noise Filtering is now in public beta. With Noise Filtering, Assistant evaluates each Semgrep Code finding, using additional context, to determine whether it is a true positive, and prevents a PR comment from being posted in the developer workflow if it is not.
- Auto-triage Memories is now in public beta. With this feature, you can identify findings that are safe to ignore and write triage notes indicating why this is so. Assistant then stores this information as a memory and uses it to assess whether similar findings are shown to developers in the future. Assistant also takes that memory, reanalyzes similar findings in your backlog, and suggests issues that may be safe to close.
Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.