Find bugs and reachable dependency vulnerabilities in code. Enforce your code standards on every commit.
Scan with Semgrep AppSec Platform
Deploy static application security testing (SAST), software composition analysis (SCA), and secrets scans from one platform.
Get started
Run your first Semgrep scan.
Deploy Semgrep
Deploy Semgrep to your organization quickly and at scale.
Triage and remediate
Triage and remediate findings; fine-tune guardrails for developers.
Write rules
Create custom rules to enforce your organization's coding standards.
Supported languages
Product | Languages |
---|---|
Semgrep Code | Generally available (GA): C and C++ • C# • Generic • Go • Java • JavaScript • JSON • Kotlin • Python • TypeScript • Ruby • Rust • JSX • PHP • Scala • Swift • Terraform; Beta: APEX • Elixir; Experimental: Bash • Cairo • Circom • Clojure • Dart • Dockerfile • Hack • HTML • Jsonnet • Julia • Lisp • Lua • Move on Aptos • Move on Sui • OCaml • R • Scheme • Solidity • YAML • XML |
Semgrep Supply Chain | Generally available reachability: C# • Go • Java • JavaScript and TypeScript • Kotlin • Python • Ruby • Scala • Swift; Beta or languages without support for reachability analysis: Dart • Elixir • PHP • Rust |
Semgrep Secrets | Language-agnostic; can detect 630+ types of credentials or keys. |
See the Supported languages documentation for more details.
November 2024 release notes summary
- Semgrep Supply Chain now provides reachability analysis for Scala and Swift.
- Dashboard:
  - You can now view trends, comparing the previous time period to the current one, in the following charts:
    - Production backlog
    - Secure guardrails
    - Median open finding age
  - You can now export the Dashboard as a PDF. Sign in to Semgrep AppSec Platform, then click Dashboard > Download > Download as PDF (report).
- Various improvements and fixes to Semgrep Managed Scans (SMS).
- Added Pro rules for JavaScript and TypeScript, including:
  - Code injection rules for the `vm`, `vm2`, and puppeteer libraries
  - NoSQL injection rules for `mongodb` and `mongoose` libraries
  - SQL injection rules for the `knex`, `mysql`, `pg`, `sequelize`, and `sqlite` libraries
  - Path traversal rules for `fs` and `fs-extra`
- Semgrep Assistant: Added support for Google Gemini. To integrate Semgrep Assistant with Google Gemini, reach out to support@semgrep.com.