Compliance
Semgrep provides security tooling that can support compliance efforts, but does not guarantee compliance. Organizations remain responsible for meeting all compliance requirements. Consult with your compliance team and auditors to determine how Semgrep fits into your compliance program.
Semgrep can help address security requirements in the following compliance frameworks and standards:
Government and federal standards
- FedRAMP: Federal Risk and Authorization Management Program for cloud services used by U.S. federal agencies
- NIST 800-171: Protecting Controlled Unclassified Information (CUI) in nonfederal systems
Healthcare and privacy
- HIPAA/HITRUST: Health Insurance Portability and Accountability Act and HITRUST Common Security Framework
- GDPR: General Data Protection Regulation for protecting personal data of EU residents
Financial services
- PCI DSS: Payment Card Industry Data Security Standard for protecting cardholder data
Information security standards
- ISO 27001: International standard for information security management systems (ISMS)
- ISO 27017: Code of practice for information security controls for cloud services
SOC 2
- SOC 2: Service Organization Control 2 for security, availability, processing integrity, confidentiality, and privacy
Getting started with compliance
- Review the specific framework page relevant to your organization from the list above
- Understand which controls Semgrep can help address in your compliance program
- Deploy Semgrep following the core deployment guide
- Configure policies that align with your compliance requirements
- Work with your compliance team to incorporate Semgrep into your compliance documentation and audit processes
For questions about how Semgrep fits into your specific compliance program, contact your compliance team or Semgrep support.