Code scanning at ludicrous speed.
Find bugs and reachable dependency vulnerabilities in code.
Enforce your code standards on every commit.
Semgrep is a fast, open-source, static analysis engine for finding bugs, detecting dependency vulnerabilities, and enforcing code standards. Get started →
Semgrep analyzes code locally on your computer or in your build environment: code is never uploaded.
Its rules look like the code you already write; no abstract syntax trees, regex wrestling, or painful DSLs. Here's a rule for finding Python print() statements. Run it by clicking the [▸] button:
The Semgrep ecosystem includes the following products:
- Semgrep OSS Engine - The open-source engine at the heart of everything.
- Semgrep Cloud Platform (SCP) - Deploy, manage, and monitor SAST, SCA, and leaked secrets at scale using Semgrep Integrates with continuous integration (CI) providers such as GitHub, GitLab, CircleCI, and more.
- Semgrep Code - Scan your code with Semgrep's Pro rules and Semgrep Pro Engine to find OWASP Top 10 vulnerabilities and protect against critical security risks specific to your organization.
- Semgrep Pro rules - High-confidence rules written by Semgrep Security Research team for a variety of languages
- Semgrep Pro Engine - Advanced engine that performs interfile and interprocedural analysis
- Semgrep Supply Chain (SSC) - A high-signal dependency scanner that detects reachable vulnerabilities in open source third-party libraries and functions across the software development life cycle (SDLC).
- Semgrep Secrets - A secrets scanner that detects valid secrets in your codebase through semantic analysis, entropy analysis, and validation.
The following products are free for up to 10 contributors:
- Semgrep Cloud Platform
- Semgrep Code
Support and be supported by the Semgrep community through:
- Semgrep Playground - An online interactive tool for writing and sharing rules.
- Semgrep Registry - 2,000+ community-driven rules covering security, correctness, and dependency vulnerabilities.
Semgrep is developed and commercially supported by Semgrep, Inc a software security company.
Language support
Semgrep Code
Semgrep Code supports over 30 languages and counting! 🚀 Visit Semgrep Code's supported languages to see all the languages supported.
Semgrep Supply Chain
Semgrep Supply Chain supports Go, Javascript/Typescript, Python, Ruby, and Java. 🛡️ Visit Semgrep Supply Chain's supported languages to see all the package managers and lockfiles supported.
Environments
The following table lists environments in which you can run various Semgrep products.
| Product | Local CLI | Remote CI |
|---|---|---|
| Semgrep OSS Engine | ✅ Run locally with Semgrep Engine | ✅ Can send findings to Semgrep Cloud Platform or run stand-alone CI jobs |
| Semgrep Code | ✅ Log in to access Pro Engine and Pro rules (Team and Enterprise tier) | ✅ Best used with Semgrep Cloud Platform |
| Semgrep Supply Chain | ✅ Log in to access Supply Chain rules (Team and Enterprise tier) | ✅ Best used with Semgrep Cloud Platform |
Semgrep Cloud Platform is a hosted web application (SaaS) and as such is excluded from the table.
History
Semgrep is an evolution of pfff, which began at Facebook in 2009, which itself was an evolution of the Linux refactoring tool Coccinelle. Semgrep, Inc revitalized the project after its original author, Yoann Padioleau, joined the company. Read more in the blog post "Semgrep: A static analysis journey"
Semgrep development philosophy
See the Semgrep OSS Engine Philosophy for details about why Semgrep is free, our goals for development, and the designed capabilities and limits of the static analysis engine.