Skip to main content

Semgrep logo

Static analysis at ludicrous speed
Find bugs and enforce code standards

Semgrep is a fast, open-source, static analysis tool for finding bugs and enforcing code standards at editor, commit, and CI time. Get started โ†’

Semgrep analyzes code locally on your computer or in your build environment: code is never uploaded.

Its rules look like the code you already write; no abstract syntax trees, regex wrestling, or painful DSLs. Here's a quick rule for finding Python print() statements, run it by clicking the [โ–ธ] button:


The Semgrep ecosystem includes:

  • Semgrep - the open-source command line tool at the heart of everything
  • Semgrep CI - a specialized Docker image for running Semgrep in CI environments
  • Semgrep Playground - an online interactive editor for writing and sharing rules
  • Semgrep Registry - 1,000+ community-driven rules covering security, correctness, and performance bugs
  • Semgrep App - deploy, manage, and monitor Semgrep at scale with free and paid tiers

Semgrep is developed and commercially supported by r2c, a software security company.

Get started โ†’

Language support

Semgrep supports 17+ languages.

GA โœ…Beta ๐Ÿ›Experimental ๐Ÿšง
C#KotlinBash
GoTerraformC
JavaScalaC++
JavaScriptHack
JSONLua
JSXOCaml
PythonPHP
RubyRust
TypeScriptYAML
TSXGeneric (ERB, Jinja, etc.)

To determine experimental, beta, or general availability (GA) status we scan a wide corpus of projects and measure the parse rate of each language. For more details see the breakdown of all supported languages.

History

Semgrep is an evolution of pfff, which began at Facebook in 2009, which itself was an evolution of the Linux refactoring tool Coccinelle. r2c revitalized the project after its original author, Yoann Padioleau, joined the company.

Understanding Semgrep development philosophy

See the Semgrep CLI Philosophy for details about why Semgrep is free, our goals for development, and the designed capabailities and limits of the static analysis engine.