Skip to main content

    Semgrep integration guide for partners

    We're excited that you're integrating Semgrep into your tooling! Our goal with Semgrep is to bring world-class security tools to developers based on our conviction that software will run the most exciting parts of the future. It's not something that we can do alone; we want to build a community around sharing programmatic knowledge about how to build secure software.

    Requirements for integrators

    • Do not resell rules from the registry, unless you acquire an explicit license from Semgrep, Inc. Semgrep rules are released under the Commons Clause License, which prohibits redistribution in a commercial product.
    • State that you are using Semgrep; refer to Semgrep as capital S with the trademark: Semgrep™
    • Link to to allow users to get an API token to pass to Semgrep so they can access the Pro Engine and rules.
    • Set SEMGREP_INTEGRATION_NAME in your environment to your domain name (for example, ""). This helps us reproduce and debug issues with Semgrep in your environment.
    • Don't integrate semgrep scan in a CI setup. Instead use semgrep ci, which has diff-awareness built-in and is designed to be easy to integrate into dozens of CI environments. It's also much faster.
    • Enable metrics (--metrics=on) by default, which lets the Semgrep team prioritize languages and technologies to improve speed and accuracy.
    • Contribute new public rules back to the semgrep-rules repository. This helps us avoid community fragmentation and will automatically pull your rule into the searchable registry on; plus Semgrep will maintain it for you!

    For more information, please refer to the section on licensing in our documentation. If you have additional questions, email us at

    Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.