
Find bugs and enforce code standards.

Explore the Semgrep docs and join an amazing community of engineering and security teams already using Semgrep to enforce their code standards 🚀


Overview

Semgrep is a fast, open-source static analysis tool that excels at expressing code standards — without complicated queries — and surfacing bugs early at editor, commit, and CI time. Precise rules look like the code you’re searching: you write a pattern in the target language itself, with metavariables and ellipses standing in for the parts that may vary, and Semgrep matches it against the program’s syntax tree, so there is no need to traverse abstract syntax trees by hand or wrestle with regexes.
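To make that concrete, here is an added example rule written for this page; it is not taken from the Semgrep Registry or the Semgrep project, and the rule id and message text are my own choices. It flags Python `subprocess` calls that pass `shell=True` with a command that is not a string literal, the shape under which user input is most often spliced into a shell command. Note how the pattern is just Python with `$CMD`, `$FUNC` and `...` as wildcards, and how `pattern-not` carves out the safe case.

```yaml
rules:
  - id: python-subprocess-shell-true-nonliteral   # hypothetical id chosen for this example
    languages: [python]
    severity: WARNING
    message: >-
      subprocess.$FUNC is called with shell=True and a command ($CMD) that is not
      a string literal. Anything an attacker controls inside $CMD can inject shell
      metacharacters. Pass the command as a list of arguments and drop shell=True.
    patterns:
      # The target code shape: any subprocess.<func>(<cmd>, ..., shell=True, ...).
      # $CMD binds the first argument; the two "..." tolerate any other
      # positional or keyword arguments in any position.
      - pattern: subprocess.$FUNC($CMD, ..., shell=True, ...)
      # Carve out the case where the command is a plain string literal ("..."
      # matches any string literal), since a constant command cannot be injected.
      - pattern-not: subprocess.$FUNC("...", ..., shell=True, ...)
      # Restrict $FUNC to the subprocess entry points that actually spawn a shell.
      - metavariable-regex:
          metavariable: $FUNC
          regex: ^(run|call|check_call|check_output|Popen)$

# Constructed sample target (save as target.py) and the expected outcome:
#   subprocess.run("ls " + user_dir, shell=True)          -> reported
#   subprocess.Popen(cmd, shell=True, cwd=workdir)        -> reported
#   subprocess.run("ls -la", shell=True)                  -> not reported (literal)
#   subprocess.run(["ls", user_dir])                      -> not reported (no shell)
```

Save the rule as `shell-true.yaml` and run `semgrep --config shell-true.yaml target.py`. The same pattern language carries over to every supported language; only `languages:` and the code inside `pattern:` change.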

Semgrep encompasses:

  • Semgrep CLI - the open-source command-line tool at the heart of everything
  • Semgrep CI - an adaptation of Semgrep CLI for continuously scanning commits and builds
  • Semgrep Registry - 900+ rules written by the Semgrep community and r2c that cover security, correctness, and performance bugs. No need to DIY unless you want to.
  • Semgrep Community & Semgrep Team - hosted services with free and paid tiers to help write and share rules, and centrally manage Semgrep CI across many projects

Semgrep CLI is an evolution of pfff, a project that began at Facebook in 2009 and was itself an evolution of the Linux refactoring tool Coccinelle. r2c revitalized the project after its original author, Yoann Padioleau, joined the company.

Language support

Some supported languages are in alpha or beta; we take a data-driven approach that evaluates the parse rate of the language on a wide corpus before we promote it to general availability (GA). For more details, see our breakdown of all supported languages.