Semgrep logo

Static analysis at ludicrous speed
Find bugs and enforce code standards


Semgrep is a fast, open-source, static analysis tool for finding bugs and enforcing code standards at editor, commit, or CI time. Its rules look like the code you’re searching; no more traversing abstract syntax trees or wrestling with regexes.

Here's an example rule. You can try it out by clicking the "Run" button. The Semgrep rule looks like the code it matches. You can edit this rule here, try writing a rule in the Semgrep editor, or visit the tutorial.

Semgrep runs locally or in your build environment: code is never sent anywhere. It encompasses:

  • Semgrep CLI - the open-source command-line tool at the heart of everything
  • Semgrep CI - Semgrep for continuously scanning commits and builds
  • Semgrep App - hosted app with free and paid tiers to:
    • Choose from 1,000+ rules written by the community and r2c to find security, correctness, and performance bugs.
    • Deploy Semgrep in CI with the click of a button
    • Centrally manage policies across all your projects
    • See results where you want them
    • Measure the efficacy of code policies
    • Save, share, and run custom rules

Get started here →


Semgrep is an evolution of pfff, which began at Facebook in 2009, which itself was an evolution of the Linux refactoring tool Coccinelle. r2c revitalized the project after its original author, Yoann Padioleau, joined the company.

Language support

Some supported languages are in alpha or beta; a data-driven approach that evaluates the parse rate of the language on a wide corpus determines when to promote a language to general availability (GA). For more details, see the breakdown of all supported languages.

GA Alpha Experimental
Go C C#
Java OCaml Kotlin
JavaScript PHP Lua
JSX Generic (ERB, Jinja, etc.) Rust