Code scanning at ludicrous speed.
Find bugs and reachable dependency vulnerabilities in code.
Enforce your code standards on every commit.
Semgrep is a fast, open source, static analysis engine for finding bugs, detecting dependency vulnerabilities, and enforcing code standards.
Semgrep analyzes code locally on your computer or in your build environment: code is never uploaded.
Its rules look like the code you already write; no abstract syntax trees, regex wrestling, or painful DSLs. A quick rule for finding Python print() statements illustrates this.
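As an added example (not the rule from the original page), here is a complete rule in Semgrep's YAML rule format that flags Python print() calls, while skipping prints explicitly routed to stderr and anything under a test directory; the rule id, message, and excluded path are constructed for illustration.

```yaml
# Save as rule.yaml and run with:  semgrep --config rule.yaml .
rules:
  - id: no-print-in-library-code
    patterns:
      # The pattern is ordinary Python; "..." stands for any arguments.
      - pattern: print(...)
      # Do not flag output deliberately sent to stderr (e.g. CLI error reporting).
      - pattern-not: print(..., file=sys.stderr)
    message: >-
      print() call found in library code. Use the logging module so output
      can be routed, filtered, and disabled in production.
    languages: [python]
    severity: WARNING
    paths:
      exclude:
        # Constructed path: tests are allowed to print freely.
        - tests/
    metadata:
      category: best-practice
# Matches:     print("debug", value)
# Does not match:
#   print("fatal: config missing", file=sys.stderr)
#   anything under tests/
```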
The Semgrep ecosystem includes the following products:
- Semgrep OSS Engine - The open-source engine at the heart of everything.
- Semgrep Cloud Platform (SCP) - Deploy, manage, and monitor SAST and SCA at scale using Semgrep, with free and paid tiers. Integrates with continuous integration (CI) providers such as GitHub, GitLab, CircleCI, and more.
- Semgrep Code - Scan your code with Semgrep's Pro rules and Semgrep Pro Engine to find OWASP Top 10 vulnerabilities and protect against critical security risks specific to your organization. Semgrep Code provides both Community (free) and Team (paid) tiers.
- Semgrep Supply Chain (SSC) - A high-signal dependency scanner that detects reachable vulnerabilities in open source third-party libraries and functions across the software development life cycle (SDLC). Semgrep Supply Chain is available on Team (paid) tiers.
Support and be supported by the Semgrep community through:
- Semgrep Playground - An online interactive tool for writing and sharing rules.
- Semgrep Registry - 2,000+ community-driven rules covering security, correctness, and dependency vulnerabilities.
Semgrep is developed and commercially supported by r2c, a software security company.
Semgrep supports 30+ languages.
Languages are grouped by support level: GA ✅, Beta 🐛, and Experimental 🚧 (for example, generic pattern matching for ERB, Jinja, and similar template formats).
- Experimental: experimental support with many known bugs.
  - Looking for dedicated users to help us improve these languages.
  - Expect limited support responses, as these languages will be lowest priority.
  - Semgrep Playground and Semgrep Editor support may be limited for these languages.
- Beta: supported language with known bugs.
  - Looking for beta users to report bugs and rapidly iterate with our team.
  - Expect best-effort support responses when there are no higher priority requests being handled.
- GA: production-level support with few known bugs.
  - Looking for bug reports and feedback from users.
  - Expect timely and thorough support responses, generally within 24 hours.
To determine experimental, beta, or general availability (GA) status, r2c scans a wide corpus of projects and measures the parse rate of each language. For more details, see the breakdown of all supported languages.
The following table lists environments in which you can run various Semgrep products.
| Product | Local CLI | Remote CI |
|---|---|---|
| Semgrep OSS Engine | ✅ Run locally with Semgrep Engine | ✅ Can send findings to Semgrep Cloud Platform or run stand-alone CI jobs |
| Semgrep Code | ✅ Log in to access Pro Engine and Pro rules (Team and Enterprise tier) | ✅ Best used with Semgrep Cloud Platform |
| Semgrep Supply Chain | ✅ Log in to access Supply Chain rules (Team and Enterprise tier) | ✅ Best used with Semgrep Cloud Platform |
Semgrep Cloud Platform is a hosted web application (SaaS) and as such is excluded from the table.
Semgrep is an evolution of pfff, which began at Facebook in 2009 and was itself an evolution of the Linux refactoring tool Coccinelle. r2c revitalized the project after its original author, Yoann Padioleau, joined the company.
Semgrep development philosophy
See the Semgrep OSS Engine Philosophy for details about why Semgrep is free, our goals for development, and the designed capabilities and limits of the static analysis engine.