
Compare Semgrep to CodeQL

Both Semgrep and CodeQL use static analysis to find bugs, but there are a few differences:

  • Semgrep operates directly on source code, whereas CodeQL requires a buildable environment.
  • Semgrep provides both proprietary and open source options that can be run anywhere; CodeQL is not open source and you must pay to run it on any non-open-source code.
  • Semgrep focuses on speed and ease of use, and doesn’t require compiled code.
    • Semgrep Community Edition (CE) provides intraprocedural dataflow. Semgrep Code's cross-file and cross-function analysis offers cross-function dataflow capabilities comparable to CodeQL's for a subset of supported languages.
  • Both have publicly available rules.
  • Semgrep rules look like the source code you’re writing; CodeQL has a separate domain-specific language for writing queries.
  • Semgrep has an online, hosted free plan for up to ten contributors to private repositories; both have a hosted paid plan.
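As an added illustration of the points above (this rule is constructed for this page and is not from the Semgrep or CodeQL documentation), the following Semgrep rule uses taint mode, which in Semgrep CE is intraprocedural, to flag Python calls to `subprocess` with `shell=True` whose command argument comes from a function parameter. The rule id, message, and the sanitizer choice are assumptions made for the example; note how each pattern reads like the Python it matches rather than like a separate query language.

```yaml
rules:
  - id: example-shell-true-from-parameter   # hypothetical rule id, chosen for this example
    languages: [python]
    severity: WARNING
    message: >-
      subprocess is invoked with shell=True on a command derived from a function
      parameter; pass an argument list with shell=False, or quote the value first.
    mode: taint
    pattern-sources:
      # Treat every parameter of every function definition as untrusted input.
      - patterns:
          - pattern: |
              def $FUNC(..., $PARAM, ...):
                ...
          - focus-metavariable: $PARAM
    pattern-sinks:
      # The command argument of subprocess.call/run/Popen when shell=True is present.
      - patterns:
          - pattern-either:
              - pattern: subprocess.call($CMD, ..., shell=True, ...)
              - pattern: subprocess.run($CMD, ..., shell=True, ...)
              - pattern: subprocess.Popen($CMD, ..., shell=True, ...)
          - focus-metavariable: $CMD
    pattern-sanitizers:
      # shlex.quote() escapes shell metacharacters, so quoted values are not reported.
      - pattern: shlex.quote(...)
```

Saved as `example-rule.yaml`, it runs against a file or directory with `semgrep --config example-rule.yaml target.py`; no build step is needed, which is the first difference listed above. A function such as `def run(cmd): subprocess.run(cmd, shell=True)` is reported, while `subprocess.run("ls " + shlex.quote(cmd), shell=True)` is not, because the parameter flows through the sanitizer before reaching the sink. Because CE's taint tracking stays within one function, a parameter handed to a helper that calls `subprocess` internally is only followed across that call by Semgrep Code's cross-function analysis, as the nested bullet above notes.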

See Semgrep versus GitHub Advanced Security for more about what makes Semgrep different.
