Semgrep docs

Deploy static application security testing (SAST), software composition analysis (SCA), and secrets scans from one platform.

Run your first Semgrep scan.

Deploy Semgrep to your organization quickly and at scale.

Triage and remediate findings; fine-tune guardrails for developers.

Enforce your organization’s coding standards with custom rules.

Product	Languages
Semgrep Code	Generally available (GA) C and C++ • C# • Generic • Go • Java • JavaScript • JSON • Kotlin • Python • TypeScript • Ruby • Rust • JSX • PHP • Scala • Swift • Terraform Beta APEX • Elixir Experimental Bash • Cairo • Circom • Clojure • Dart • Dockerfile • Hack • HTML • Jsonnet • Julia • Lisp • Lua • Move on Aptos • Move on Sui • OCaml• R • Scheme • Solidity • YAML • XML
Semgrep Supply Chain	Generally available reachability C# • Go • Java • JavaScript and TypeScript • Kotlin • PHP • Python • Ruby • Scala • Swift Languages without support for reachability analysis Dart • Elixir • Rust
Semgrep Secrets	Language-agnostic; can detect 630+ types of credentials or keys.

See the Supported languages documentation for more details.

Cortex and Sysdig integrations are now generally available. Semgrep now uses deployment status and, for Cortex, internet-exposure data from these CNAPP providers to better prioritize findings.
Malicious dependency detection is now generally available. Semgrep detects malicious packages, including malware, typosquatting, and credential-stealing dependencies, using over 80,000 rules.
Assistant now automatically analyzes all new Critical and High-severity findings with Medium or High confidence in full scans, removing the previous 10-issue limit.
The Settings > General tab now displays all Semgrep product settings on a single page.

Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.