
Pricing and billing

Semgrep's various functionalities are available through several offerings:

Semgrep OSS
The OSS (open source software) offering includes Semgrep OSS Engine, a fast static analysis command line tool for finding bugs and enforcing code standards. It is licensed under LGPL 2.1.
Semgrep Team tier
Team tier includes:
  • Semgrep Code and Semgrep Supply Chain (SSC), which enable users to scan both first-party code and third-party open source dependencies.
  • Semgrep Cloud Platform, a web app enabling users to manage users, organizations, repositories, and scans.
  • Cross-function (intrafile) and cross-file (interfile) analysis through Semgrep Pro Engine.
Semgrep Enterprise tier
The Enterprise tier offers custom features and the highest levels of support in addition to all of the features in the Team tier.

All Semgrep offerings can scan the following repository providers or SCMs (source code managers):

  • GitHub
  • GitLab
  • Bitbucket
  • Azure Repos
Usage limits
  • Semgrep Team tier is free for 10 monthly contributors.
  • A contributor is someone who has made at least one commit to a Semgrep-scanned private repository within the last month.
  • See the Usage limits FAQ for more information.

Semgrep OSS Engine and Team tier offerings

The following tables provide an overview of Semgrep features and a comparison between Semgrep OSS and the Semgrep Team tier.

🔎 Core scanning features

The following tables describe Semgrep's essential scanning and findings management capabilities.

SAST (Static Application Security Testing)

| Feature | Semgrep OSS | Semgrep Code Team tier |
|---|---|---|
| Intrafile (single-file) analysis | ✔️ | ✔️ |
| Cross-file (across multiple files or interfile) analysis | ❌ | ✔️ |
| Single-file taint (dataflow) analysis | ✔️ | ✔️ |
| Cross-file taint (dataflow) analysis | ❌ | ✔️ |

SCA (Software composition analysis)

| Feature | Semgrep OSS | Semgrep Supply Chain Team tier |
|---|---|---|
| Reachability analysis for direct dependencies | ❌ | ✔️ |
| License compliance | ❌ | ✔️ |
| Dependency search | ❌ | ✔️ |

💬 Scan management and monitoring

The following table displays various notification channels and reporting features.

| Feature | Semgrep OSS | Semgrep Team tier |
|---|---|---|
| Centralized management of scan results (triage, remediation, fine-tuning noisy rules) | ❌ | ✔️ |
| Notifications and reports (Slack, email, webhooks, and API) | ❌ | ✔️ |
| Send scan results to GitLab SAST and GitHub Advanced Security | ❌ | ✔️ |
| Findings dashboard | ❌ | ✔️ |
| Findings retention | ❌ | 5 years |

🧰 Scan customization features

The following table displays customization features and tools that enhance Semgrep's core scanning capabilities. These features can increase the true-positive rate and provide deeper insights into remediation.

| Feature | Semgrep OSS | Semgrep Team tier |
|---|---|---|
| Write your own rules | ✔️ | ✔️ |
| Private rules* | n/a | ✔️ |
| Community-contributed rule registry | ✔️ | ✔️ |
| Proprietary rule registry | ❌ | ✔️ |
| Policy-based workflows† | ❌ | ✔️ |
| Rule-writing environment | ✔️ Playground | ✔️ Playground and Editor for logged-in users |

* Private rules refer to rules that are guaranteed a private access scope in the cloud. This scope of access does not apply to Semgrep OSS, as it is purely CLI-based.
† Policy-based workflows provide security teams a means to block merges, leave PR/MR comments, or silently monitor for potential issues based on the presence of a finding.

🤖 Developer experience

The following table lists tools that enable developers to resolve findings in their own code.

| Feature | Semgrep OSS | Semgrep Team tier |
|---|---|---|
| VS Code extension | ✔️ | ✔️ |
| Autofix | ✔️ | ✔️ |
| Autofix in PR/MR comments | ❌ | ✔️ |
| Autofix AI | ❌ | ✔️ |
| pre-commit‡ | ✔️ | ✔️ |

‡ pre-commit requires some manual set-up.

๐Ÿข User and organization managementโ€‹

FeatureSemgrep OSSSemgrep Team tier
Role-based access control (RBAC)โŒโœ”๏ธ
Personal and organizational accountsโŒโœ”๏ธ
SSO, OpenID, or OAuth2 authenticationโŒโœ”๏ธ

Determining your plan needs

Number of contributors

Within your team or organization, assess the number of contributors. Contributors are members of your organization who make commits. That number determines how many licenses you need to purchase for the plan.

For example, if a project has 4 unique contributors who create commits during the billing period while Semgrep is scanning their repositories, only 4 licenses are required even if the organization has a total of 10 members. If these unique contributors commit to many projects within the same organization, they are counted once, so no additional cost is charged.

Usage limits

Semgrep Team tier is free for the first 10 contributors. You only need to buy licenses for contributors over 10.

All members of the organization, regardless of contributor (license) status, have access to paid features for the chosen tier. This means that project managers and other non-programming roles can still view the Semgrep Cloud Platform dashboard.

Semgrep add-on reconciliation of licenses

If the organization exceeds the number of purchased licenses, it is charged for the number of licenses in excess of the purchased amount. The additional charge starts the month after license use exceeds the contracted amount.

Check in with your Semgrep Account Executive every 60 days if you need more licenses than initially purchased.

Example of license reconciliation

On January 21st, you purchased annual licenses for 50 developers of Semgrep Supply Chain's Team tier ($40 per developer per month). The 21st of the month is the start date of the annual contract. In the following month, on February 28th, the number of used developer licenses exceeded the original purchased quantity by 20 users. This requires a contract adjustment.

Contract adjustment:

  • Since the organization's use exceeded the amount of purchased licenses on February 28th, the future date of March 21st is selected to align with the remaining months in the contract. There are 10 months remaining in the contract.
  • The additional amount charged, the add-on cost, is $8,000 ($40 per developer per month x 10 months x 20 users).
  • Resulting add-on cost: $8,000

Upgrading your plan

To upgrade to the Semgrep Code Team tier through a credit card:

  1. In the Settings page, select the Payment tab.
  2. Select the number of developers to purchase licenses for.
  3. Fill in your payment details.


To purchase seats for Semgrep Supply Chain or to upgrade to the Enterprise tier, please contact us.

Billing

Team tier users who pay through a credit card are charged monthly. Enterprise tier users are charged at an agreed-upon billing cycle. For any concerns such as custom payment methods and billing cycles, send an email to billing@semgrep.com to get in touch with our sales team.

Modifying or canceling your plan

To modify or cancel your plan, send an email to billing@semgrep.com.

Paying for your plan

Pay through the following methods:

Pay using your credit card.
The payment will be processed through Stripe.
Pay through a purchase order or invoice.
Send an email to billing@semgrep.com to get in touch with our sales team.
