Find bugs and reachable dependency vulnerabilities in code.
Enforce your code standards on every commit.
Semgrep is an AppSec suite for finding bugs, detecting dependency vulnerabilities, and enforcing code standards. Its rules look like the code you already write -- no abstract syntax trees, regex wrestling, or painful DSLs.
The following code editor shows a rule for finding Python print() statements. Run it by clicking the [▸] button:
The Semgrep ecosystem includes:
- Semgrep AppSec Platform - Deploy, manage, and monitor Code, Supply Chain, and Secrets at scale. Semgrep integrates with continuous integration (CI) providers such as GitHub, GitLab, CircleCI, and more.
- Semgrep Code - Scan your code with Semgrep to find OWASP Top 10 vulnerabilities and protect against critical security risks specific to your organization.
- Semgrep Secrets - Detect and validate leaked credentials in your codebase.
- Semgrep Supply Chain (SSC) - A high-signal dependency scanner to reachable vulnerabilities in open source third-party libraries and functions.
Semgrep AppSec Platform, Code, and Supply Chain are free for up to 10 contributors. Get started →
Language support
| Product | Language support |
|---|---|
| Semgrep Code | Semgrep Code supports over 30 languages and counting! 🚀 |
| Semgrep Secrets | Semgrep Secrets detects API keys, hardcoded passwords, authentication tokens, and more in your repositories. |
| Semgrep Supply Chain | Semgrep Supply Chain supports C#, Go, Java, JavaScript and TypeScript, Python, and Ruby, as well as a variety of package managers and lockfiles. 🛡️ |
Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.