Skip to main content

Semgrep logo

Code scanning at ludicrous speed.
Find bugs and reachable dependency vulnerabilities in code.
Enforce your code standards on every commit.

Semgrep is a fast, open source, static analysis engine for finding bugs, detecting dependency vulnerabilities, and enforcing code standards. Get started โ†’

Semgrep analyzes code locally on your computer or in your build environment: code is never uploaded.

Its rules look like the code you already write; no abstract syntax trees, regex wrestling, or painful DSLs. Here's a quick rule for finding Python print() statements. Run it by clicking the [โ–ธ] button:


The Semgrep ecosystem includes:

  • Semgrep - The open-source command line tool at the heart of everything.
  • Semgrep Supply Chain - high-signal dependency scanner that detects reachable vulnerabilities in open source, third-party libraries and functions across the SDLC.
  • Semgrep App - Deploy, manage, and monitor Semgrep and Semgrep Supply Chain at scale with free and paid tiers. Integrates with CI providers such as GitHub, GitLab, CircleCI, and more.

and:

  • Semgrep Playground - An online interactive tool for writing and sharing rules.
  • Semgrep Registry - 2,000+ community-driven rules covering security, correctness, and dependency vulnerabilities.
  • Semgrep App - Deploy, manage, and monitor Semgrep at scale with free and paid tiers. Integrates with CI providers such as GitHub, GitLab, CircleCI, and more.

Semgrep is developed and commercially supported by r2c, a software security company.

Get started โ†’

tip

New: Semgrep Supply Chain finds reachable vulnerable dependencies in your code. More โ†’

Language supportโ€‹

Semgrep supports 20+ languages.

GA โœ…Beta ๐Ÿ›Experimental ๐Ÿšง
C#KotlinBash
GoC
JavaC++
JavaScriptDockerfile
JSONElixir
JSXHTML
PHPLua
PythonOCaml
RubyR
ScalaRust
TerraformSolidity
TSXSwift
TypeScriptYAML
Generic (ERB, Jinja, etc.)
  • Experimental: experimental support with many known bugs.
    • Looking for dedicated users to help us improve these languages.
    • Expect limited support responses, as these languages will be lowest priority.
  • Beta: supported language with known bugs.
    • Looking for beta users to report bugs and rapidly iterate with our team.
    • Expect best-effort support responses when there are no higher priority requests being handled.
  • GA: production-level support with few known bugs.
    • Looking for bug reports and feedback from users.
    • Expect timely and thorough support responses, generally within 24 hours.

To determine experimental, beta, or general availability (GA) status we scan a wide corpus of projects and measure the parse rate of each language. For more details see the breakdown of all supported languages.

Historyโ€‹

Semgrep is an evolution of pfff, which began at Facebook in 2009, which itself was an evolution of the Linux refactoring tool Coccinelle. r2c revitalized the project after its original author, Yoann Padioleau, joined the company.

Understanding Semgrep development philosophyโ€‹

See the Semgrep CLI Philosophy for details about why Semgrep is free, our goals for development, and the designed capabailities and limits of the static analysis engine.