Pricing and billing
The following Semgrep tools are free to use:
- Semgrep CLI
- Semgrep CI
- Semgrep App (through the Community tier)
Semgrep CLI is free open-source software (FOSS), licensed under LGPL 2.1. It is a fast static analysis command line tool for finding bugs and enforcing code standards. Semgrep CI is a source-available Docker image for running Semgrep in CI environments. All features for both Semgrep CLI and Semgrep CI are free.
Semgrep App, which builds on Semgrep CLI and CI, enables developer and security teams to create their own institutional code standards, enforce them, and analyze findings. Semgrep App has both free and paid tiers.
Choosing a Semgrep App tier
Semgrep App has three tiers:
Tier | Price | Description |
---|---|---|
Community | Free | For general-purpose security scanning. |
Team | US$40 monthly per developer | For the enforcement of company-specific coding standards, private rules, and the analysis of findings. |
Enterprise | Custom pricing | For custom solutions, including deployment into virtual private clouds (VPCs) with dedicated technical support. |
Semgrep App integrates with a GitHub or GitLab account at either the organizational or individual level. There is no limit to the number of members in an organization on any tier; the Community tier limits only the number of developers (see the usage limits below).
Billing depends on the number of developers. Any organization member who has made a commit in a scanned project within the past 30 days is counted as a developer.
Members who do not commit code are not billed. Team tier features apply to the entire organization, even though only developers are billed.
Comparing free and paid tier features
Organizational management and usage limits
Feature | Community | Team | Enterprise |
---|---|---|---|
Member limit | 20 developers | unlimited | unlimited |
Project limit | unlimited | unlimited | unlimited |
Notes:
- Member usage limits are visible in your settings page.
- If your organization exceeds the member limit:
  - Only the 20 most recent developers can view findings from Semgrep scans.
  - Over-limit findings data is retained for three months. When your organization goes below the usage limit, or upgrades to Team or Enterprise, the findings data becomes accessible again.
  - You are notified of a 30-day grace period through in-app notifications and emails. After this grace period ends, additional developers (the 21st onwards) no longer receive notifications or comments, and findings introduced by those developers are not surfaced in Semgrep App.
Source code management (SCM) support
Feature | Community | Team | Enterprise |
---|---|---|---|
GitHub | yes | yes | yes |
GitLab SaaS | yes | yes | yes |
GitHub Enterprise | no | yes | yes |
GitLab Self Managed | no | yes | yes |
VPC deployment | no | no | yes |
Findings, language support, and rules
Feature | Community | Team | Enterprise |
---|---|---|---|
Custom rules | yes | yes | yes |
Community rule registry | yes | yes | yes |
Editor | yes | yes | yes |
Autofix through PR/MR comments | no | yes | yes |
Custom rule messages | no | yes | yes |
DeepSemgrep | no | yes | yes |
Developer feedback | no | yes | yes |
Private rules | no | yes | yes |
Custom language support | no | no | yes |
Findings retention | 1 month | 5 years | 5 years |
Notes:
- Custom rules are rules that you can create and save through either the Playground or the Editor. The Playground and the Editor are online tools where you can write your rule patterns and test them on sample code. You must be signed in to use the Editor.
- Developers can attach fixes to their rules through the rule's `fix` key (the autofix feature). For example, when banning an outdated library, setting the fix value to the correct library replaces the banned library wherever the rule matches.
- Semgrep App delivers these fixes through Autofix through PR/MR comments. The comments appear as suggestions that developers can commit with a single click.
- Custom rule messages can be applied to public and private rules.
- DeepSemgrep enables interfile tracking within a codebase, keeping track of class and function definitions beyond a single file.
- Developer feedback is a means for developers to communicate to security or rule-writing teams about a rule's precision. Discover what rules result in false positives and refine them through this feature.
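As an added illustration of the `fix` key described in the notes above (this rule is written for this page; it is not a rule from the Semgrep registry, and the rule ids and messages are assumptions), the following rule file flags use of Python 2's removed `md5` module and proposes `hashlib` as the replacement. Metavariables bound by the `pattern` (here `$DATA`) are substituted into the `fix` template, so the argument is carried over unchanged:

```yaml
rules:
  # Assumed rule id, used only for this example.
  - id: py-md5-module-removed
    languages: [python]
    severity: WARNING
    message: >-
      The md5 module was removed in Python 3; use hashlib.md5 instead.
    # Match md5.new(<any expression>) and bind the argument to $DATA
    # so the fix can reuse it.
    pattern: md5.new($DATA)
    # The fix is a template: $DATA is replaced with whatever the
    # pattern bound, e.g. md5.new(payload) -> hashlib.md5(payload).
    fix: hashlib.md5($DATA)

  # Assumed rule id, used only for this example.
  - id: py-md5-import-removed
    languages: [python]
    severity: WARNING
    message: Replace the removed md5 module import with hashlib.
    # A statement-level pattern: the whole import line is rewritten.
    pattern: import md5
    fix: import hashlib
```

Running `semgrep --config rules.yml --autofix .` applies the `fix` values in place; without `--autofix` the CLI only reports the proposed replacement, which is the form Semgrep App surfaces as a PR/MR suggestion.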
Integrations and notifications
Feature | Community | Team | Enterprise |
---|---|---|---|
Automatic CI/CD integration | yes | yes | yes |
Email notifications | yes | yes | yes |
Slack notifications | yes | yes | yes |
Jira integration | no | yes | yes |
Webhook integration | no | yes | yes |
Notes:
- There is no limit to the number of integrations or notification channels. You can make more than one integration of any type.
- Automatic CI/CD integration means that repositories added to Semgrep are scanned as part of the repository's CI pipeline whenever a pull request is opened.
- Webhook integration sends JSON messages to a generic webhook endpoint. Messages are triggered when a policy is changed, a new scan runs, or a new finding emerges.
- Jira integration allows organizations to directly create Jira tickets from a finding.
Authentication
Feature | Community | Team | Enterprise |
---|---|---|---|
GitHub or GitLab single sign-on (SSO) | yes | yes | yes |
SAML SSO | no | yes | yes |
Role-based access control (RBAC) | no | yes | yes |
Custom authentication features | no | no | yes |
Notes:
- GitLab SSO is only available for users of GitLab.com. It does not cover self-managed GitLab instances.
- Available RBAC roles are `admin` and `user`.
Support and troubleshooting
Feature | Community | Team | Enterprise |
---|---|---|---|
Slack support | Community Slack | Private Slack channel | Private Slack channel |
Semgrep support portal | no | yes | yes |
Customer success manager | no | no | yes |
Dedicated and customized onboarding | no | no | yes |
Notes:
- Email, phone, and chat support is available 8 hours a day, 5 days a week.
- Request support and track the status of your tickets through the Semgrep Support Portal at any time.
Determining your plan needs
Number of developers
Within your team or organization, count the members who make commits. That number determines how many developer licenses you need to purchase.
For example, if a project has 4 unique developers who create commits during the billing period while Semgrep is scanning their repositories, only 4 developers are required even if the organization has a total of 10 members. If these unique developers commit to many projects within the same organization, they are counted once, so no additional cost is charged.
All members of the organization, regardless of developer status, have access to paid features for the chosen tier. This means that project managers and other non-programming roles can still view the Semgrep App dashboard.
Plan limits
Should your usage exceed your plan's limit, we will reach out and work out a plan that fits your needs.
Upgrading your plan
To upgrade to the Team tier through a credit card:
- In the Settings page, select the Payment tab.
- Select the number of developers to purchase licenses for.
- Fill in your payment details.
To upgrade to the Enterprise tier, please contact us.
Billing
Team tier users who pay through a credit card are charged monthly. Enterprise tier users are charged at an agreed-upon billing cycle. For any concerns such as custom payment methods and billing cycles, send an email to billing@r2c.dev to get in touch with our sales team.
Modifying or canceling your plan
To modify or cancel your plan, send an email to billing@r2c.dev.
Paying for your plan
Pay through one of the following methods:
- Pay using your credit card.
  - The payment is processed through Stripe.
- Pay through a purchase order or invoice.
  - Send an email to billing@r2c.dev to get in touch with our sales team.
Additional resources
Not finding what you need in this doc? Join the Slack group to ask the maintainers and the community for help.