Find bugs and reachable dependency vulnerabilities in code. Enforce your code standards on every commit.
Scan with Semgrep AppSec Platform
Deploy static application security testing (SAST), software composition analysis (SCA), and secrets scans from one platform.
Get started
Run your first Semgrep scan.
Deploy Semgrep
Deploy Semgrep to your organization quickly and at scale.
Triage and remediate
Triage and remediate findings; fine-tune guardrails for developers.
Write rules
Create custom rules to enforce your organization's coding standards.
Supported languages
Product | Languages |
---|---|
Semgrep Code | Generally available (GA): C and C++ • C# • Generic • Go • Java • JavaScript • JSON • Kotlin • Python • TypeScript • Ruby • Rust • JSX • PHP • Scala • Swift • Terraform. Beta: APEX • Elixir. Experimental: Bash • Cairo • Circom • Clojure • Dart • Dockerfile • Hack • HTML • Jsonnet • Julia • Lisp • Lua • Move on Aptos • Move on Sui • OCaml • R • Scheme • Solidity • YAML • XML |
Semgrep Supply Chain | Generally available (GA) reachability: C# • Go • Java • JavaScript and TypeScript • Kotlin • Python • Ruby • Scala. Beta or lockfile-only reachability: Dart • Elixir • PHP • Rust • Swift |
Semgrep Secrets | Language-agnostic; can detect 630+ types of credentials or keys. |
See the Supported languages documentation for more details.
October 2024 release notes summary
- Added a Jira API endpoint to create Jira tickets, either by passing a list of `issue_ids` or filter query parameters to select findings. Refer to the Jira API documentation.
- Semgrep Managed Scans: scans now follow fail open behavior, consistent with how Semgrep in CI behaves. Failing open means that Semgrep scans with internal errors do not result in a failed job.
- Updated the C# parser to support all versions of the language up to 13.0 (.NET 9).
- Developers can now triage findings by replying to a GitHub PR comment from Semgrep, without the need to log in to Semgrep Cloud Platform. See Triage findings through comments for more information.
- Semgrep Assistant: Users can now use the Assistant with their own OpenAI API key.
  - Enterprise users can also use the following API providers:
    - Azure OpenAI
    - AWS Bedrock
    - Google Gemini
  - See the AI provider documentation for more details.