Pricing and billing
Semgrep's various functionalities are available through several offerings:
- Semgrep OSS
- The OSS (open source software) offering includes Semgrep OSS Engine, a fast static analysis command line tool for finding bugs and enforcing code standards. It is licensed under LGPL 2.1.
- Semgrep Team tier
- Team tier includes:
- Semgrep Code and Semgrep Supply Chain (SSC), which enable users to scan both first-party and third-party open source dependencies.
- Semgrep Cloud Platform, a web app enabling users to manage users, organizations, repositories, and scans.
- Cross-function (intrafile) and cross-file (interfile) analysis through Semgrep Pro Engine.
- Semgrep Enterprise tier
- The Enterprise tier offers custom features and the highest levels of support in addition to all of the features in the Team tier.
All Semgrep offerings can scan the following repository providers or SCMs (source code managers):
- GitHub
- GitLab
- Bitbucket
- Azure Repos
- Semgrep Team tier is free for 10 monthly contributors.
- A contributor is someone who has made at least one commit to a Semgrep-scanned private repository within the last month.
- See the Usage limits FAQ for more information.
Semgrep OSS Engine and Team tier offerings
The following tables provide an overview of Semgrep features and a comparison between Semgrep OSS and the Semgrep Team tier.
Core scanning features
The following tables describe Semgrep's essential scanning and findings management capabilities.
SAST (Static Application Security Testing)
Feature | Semgrep OSS | Semgrep Code Team tier |
---|---|---|
Intrafile (single-file) analysis | ✔️ | ✔️ |
Cross-file (across multiple files or interfile) analysis | ❌ | ✔️ |
Single-file taint (dataflow) analysis | ✔️ | ✔️ |
Cross-file taint (dataflow) analysis | ❌ | ✔️ |
SCA (Software Composition Analysis)
Feature | Semgrep OSS | Semgrep Supply Chain Team tier |
---|---|---|
Reachability analysis for direct dependencies | ❌ | ✔️ |
License compliance | ❌ | ✔️ |
Dependency search | ❌ | ✔️ |
Scan management and monitoring
The following table lists notification channels and reporting features.
Feature | Semgrep OSS | Semgrep Team tier |
---|---|---|
Centralized management of scan results (triage, remediation, fine-tuning noisy rules) | ❌ | ✔️ |
Notifications and reports (Slack, email, webhooks, and API) | ❌ | ✔️ |
Send scan results to GitLab SAST and GitHub Advanced Security | ❌ | ✔️ |
Findings dashboard | ❌ | ✔️ |
Findings retention | ❌ | 5 years |
Scan customization features
The following table lists customization features and tools that enhance Semgrep's core scanning capabilities. These features can increase the true-positive rate and provide deeper insights into remediation.
Feature | Semgrep OSS | Semgrep Team tier |
---|---|---|
Write your own rules | ✔️ | ✔️ |
Private rules* | n/a | ✔️ |
Community-contributed rule registry | ✔️ | ✔️ |
Proprietary rule registry | ❌ | ✔️ |
Policy-based workflows† | ❌ | ✔️ |
Rule-writing environment | ✔️ Playground | ✔️ Playground and Editor for logged-in users |
*Private rules are rules that are guaranteed a private access scope in the cloud. This scope of access does not apply to Semgrep OSS, as it is purely CLI-based.
† Policy-based workflows give security teams a means to block merges, leave PR/MR comments, or silently monitor for potential issues based on the presence of a finding.
Developer experience
The following table lists tools that enable developers to resolve findings in their own code.
Feature | Semgrep OSS | Semgrep Team tier |
---|---|---|
VS Code extension | ✔️ | ✔️ |
Autofix | ✔️ | ✔️ |
Autofix in PR/MR comments | ❌ | ✔️ |
Autofix AI | ❌ | ✔️ |
pre-commit ⚡ | ✔️ | ✔️ |
⚡ pre-commit requires some manual set-up.
User and organization management
Feature | Semgrep OSS | Semgrep Team tier |
---|---|---|
Role-based access control (RBAC) | ❌ | ✔️ |
Personal and organizational accounts | ❌ | ✔️ |
SSO, OpenID, or OAuth2 authentication | ❌ | ✔️ |
Determining your plan needs
Number of contributors
Within your team or organization, count the number of contributors. Contributors are members of your organization who make commits. That count determines the number of licenses needed for the plan purchase.
For example, if a project has 4 unique contributors who create commits during the billing period while Semgrep is scanning their repositories, only 4 licenses are required even if the organization has a total of 10 members. If these unique contributors commit to many projects within the same organization, they are counted once, so no additional cost is charged.
Semgrep Team tier is free for the first 10 contributors. You only need to buy licenses for contributors over 10.
All members of the organization, regardless of contributor (license) status, have access to paid features for the chosen tier. This means that project managers and other non-programming roles can still view the Semgrep Cloud Platform dashboard.
Semgrep add-on reconciliation of licenses
If the organization exceeds the number of purchased licenses, it is charged for the licenses used beyond the purchased amount. The additional charge starts the month after license use exceeds the contracted amount.
Check in with your Semgrep Account Executive every 60 days if you need more licenses than initially purchased.
Example of license reconciliation
On January 21st, you purchased annual licenses for 50 developers of Semgrep Supply Chain's Team tier ($40 per developer per month). The 21st of the month is the start date of the annual contract. In the following month, on February 28th, the number of used developer licenses exceeded the original purchased quantity by 20 users. This requires a contract adjustment.
Contract adjustment:
- Since the organization's use exceeded the amount of purchased licenses on February 28th, the future date of March 21st is selected to align with the remaining months in the contract. There are 10 months remaining in the contract.
- The additional amount charged, the add-on cost, is $8,000 ($40 per developer per month × 10 months × 20 users).
- Resulting add-on cost: $8,000
Upgrading your plan
To upgrade to the Semgrep Code Team tier through a credit card:
- In the Settings page, select the Payment tab.
- Select the number of developers to purchase licenses for.
- Fill in your payment details.
To purchase seats for Semgrep Supply Chain or to upgrade to the Enterprise tier, please contact us.
Billing
Team tier users who pay through a credit card are charged monthly. Enterprise tier users are charged at an agreed-upon billing cycle. For any concerns such as custom payment methods and billing cycles, send an email to billing@semgrep.com to get in touch with our sales team.
Modifying or canceling your plan
To modify or cancel your plan, send an email to billing@semgrep.com.
Paying for your plan
Pay through the following methods:
- Pay using your credit card.
- The payment will be processed through Stripe.
- Pay through a purchase order or invoice.
- Send an email to billing@semgrep.com to get in touch with our sales team.