
Pricing and billing

The following Semgrep tools are free to use:

  • Semgrep CLI
  • Semgrep CI
  • Semgrep App (through the Community tier)

Semgrep CLI is free open-source software (FOSS), licensed under LGPL 2.1. It is a fast static analysis command line tool for finding bugs and enforcing code standards. Semgrep CI is a source-available Docker image for running Semgrep in CI environments. All features for both Semgrep CLI and Semgrep CI are free.

Semgrep App, which builds on Semgrep CLI and CI, enables developer and security teams to create their own institutional code standards, enforce them, and analyze findings. Semgrep App has both free and paid tiers.

Choosing a Semgrep App tier

Semgrep App has three tiers:

| Tier | Price | Description |
|---|---|---|
| Community | Free | For general-purpose security scanning. |
| Team | US$40 monthly per developer | For the enforcement of company-specific coding standards, private rules, and the analysis of findings. |
| Enterprise | Custom pricing | For custom solutions, including deployment into virtual private clouds (VPCs) with dedicated technical support. |

Semgrep App integrates with a GitHub or GitLab account at either the organizational or individual level. There is no limit to the number of members in an organization for all tiers.

Billing depends on the number of developers. Any organization member who has made a commit in a project within the past 30 days is considered a developer.

Members who do not make any commits on the code do not need to pay for Semgrep and are not billed. Semgrep Team tier features apply to the entire organization, even if not all members are billed.

Comparing free and paid tier features

Organizational management and usage limits

| Feature | Community | Team | Enterprise |
|---|---|---|---|
| Member limit | 20 developers | ♾️ unlimited | ♾️ unlimited |
| Project limit | ♾️ unlimited | ♾️ unlimited | ♾️ unlimited |

Notes:

  • Member usage limits are visible in your settings page.
  • If your organization exceeds the member limit:
    • Only the 20 most recent developers can view findings from Semgrep scans.
    • Overlimit findings data is retained for three months. When your organization goes below the usage limit, or upgrades to Team or Enterprise, the findings data will be accessible again.
    • You are notified of a 30-day grace period through in-app notifications and emails. After this grace period ends, additional developers (the 21st onwards) will not receive notifications or comments. Findings introduced by additional developers won't be surfaced in Semgrep App.

Source code management (SCM) support

| Feature | Community | Team | Enterprise |
|---|---|---|---|
| GitHub | ✔️ yes | ✔️ yes | ✔️ yes |
| GitLab SaaS | ✔️ yes | ✔️ yes | ✔️ yes |
| GitHub Enterprise | ❌ no | ✔️ yes | ✔️ yes |
| GitLab Self Managed | ❌ no | ✔️ yes | ✔️ yes |
| VPC deployment | ❌ no | ❌ no | ✔️ yes |

Findings, language support, and rules

| Feature | Community | Team | Enterprise |
|---|---|---|---|
| Custom rules | ✔️ yes | ✔️ yes | ✔️ yes |
| Community rule registry | ✔️ yes | ✔️ yes | ✔️ yes |
| Editor | ✔️ yes | ✔️ yes | ✔️ yes |
| Autofix through PR/MR comments | ❌ no | ✔️ yes | ✔️ yes |
| Custom rule messages | ❌ no | ✔️ yes | ✔️ yes |
| DeepSemgrep | ❌ no | ✔️ yes | ✔️ yes |
| Developer feedback | ❌ no | ✔️ yes | ✔️ yes |
| Private rules | ❌ no | ✔️ yes | ✔️ yes |
| Custom language support | ❌ no | ❌ no | ✔️ yes |
| Findings retention | 1 month | 5 years | 5 years |

Notes:

  • Custom rules are rules that you can create and save through either the Playground or the Editor. The Playground and the Editor are online tools where you can write your rule patterns and test them on sample code. You must be signed in to use the Editor.
  • Developers can create fixes to their rules through an autofix key. For example, when banning outdated libraries, setting an autofix value with the correct library replaces the banned library.
  • Semgrep App provides this functionality with Autofix through PR/MR comments. These comments appear as suggestions that developers can commit with a single click.
  • Custom rule messages can be applied to public and private rules.
  • DeepSemgrep enables interfile tracking within a codebase, keeping track of class and function definitions beyond a single file.
  • Developer feedback is a means for developers to communicate to security or rule-writing teams about a rule's precision. Discover what rules result in false positives and refine them through this feature.
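To make the autofix note above concrete, here is an added example of a custom Semgrep rule that bans an outdated library and carries a `fix` key. It is not taken from this page or from the Semgrep rule registry; the rule ids are my own, and the deprecated `imp` module standing in for an "outdated library" is my choice. The `fix` value is substituted for the matched text, with metavariables such as `$MOD` carried over from the `pattern`, which is what Semgrep App then surfaces as a one-click suggestion in a PR/MR comment on the Team and Enterprise tiers.

```yaml
# Added example rule file, not part of the original page.
# Assumes the standard Semgrep rule schema: pattern, message, fix.
rules:
  - id: replace-deprecated-imp-import
    languages: [python]
    severity: WARNING
    message: >-
      The 'imp' module is deprecated; use 'importlib' instead.
    # Match the banned import ...
    pattern: import imp
    # ... and offer the replacement import as the autofix.
    fix: import importlib

  - id: replace-deprecated-imp-reload
    languages: [python]
    severity: WARNING
    message: >-
      imp.reload is deprecated; importlib.reload is the supported equivalent.
    # $MOD binds whatever argument was passed ...
    pattern: imp.reload($MOD)
    # ... and is reused verbatim in the suggested fix.
    fix: importlib.reload($MOD)
```

Running `semgrep --config rules.yaml --autofix .` applies these replacements locally; without `--autofix`, Semgrep only reports the finding together with the suggested fix, which is the behaviour the PR/MR comment integration relies on.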

Integrations and notifications

| Feature | Community | Team | Enterprise |
|---|---|---|---|
| Automatic CI/CD integration | ✔️ yes | ✔️ yes | ✔️ yes |
| Email notifications | ✔️ yes | ✔️ yes | ✔️ yes |
| Slack notifications | ✔️ yes | ✔️ yes | ✔️ yes |
| Jira integration | ❌ no | ✔️ yes | ✔️ yes |
| Webhook integration | ❌ no | ✔️ yes | ✔️ yes |

Notes:

  • There is no limit to the number of integrations or notification channels. You can make more than one integration of any type.
  • Automatic CI/CD integration means that repositories added to Semgrep are scanned as part of the code repository's CI pipeline when a pull request is made.
  • Webhook integration uses a generic webhook to send JSON messages. These messages are triggered when a policy is changed, a new scan runs, or a new finding has emerged.
  • Jira integration allows organizations to directly create Jira tickets from a finding.

Authentication

| Feature | Community | Team | Enterprise |
|---|---|---|---|
| GitHub or GitLab single sign-on (SSO) | ✔️ yes | ✔️ yes | ✔️ yes |
| SAML SSO | ❌ no | ✔️ yes | ✔️ yes |
| Role-based access control (RBAC) | ❌ no | ✔️ yes | ✔️ yes |
| Custom authentication features | ❌ no | ❌ no | ✔️ yes |

Notes:

  • GitLab SSO is only available for users of GitLab.com. This does not include self-managed GitLab instances.
  • Available RBAC roles are admin and user.

Support and troubleshooting

| Feature | Community | Team | Enterprise |
|---|---|---|---|
| Slack support | Community Slack | Private Slack channel | Private Slack channel |
| Semgrep support portal | ❌ no | ✔️ yes | ✔️ yes |
| Customer success manager | ❌ no | ❌ no | ✔️ yes |
| Dedicated and customized onboarding | ❌ no | ❌ no | ✔️ yes |

Notes:

  • Email, phone, and chat support are available 8 hours a day, 5 days a week.
  • Request support and track the status of your tickets through the Semgrep Support Portal at any time.

Determining your plan needs

Number of developers

Within your team or organization, assess the number of members that make commits. That determines the number of developers needed for the plan purchase.

For example, if a project has 4 unique developers who create commits during the billing period while Semgrep is scanning their repositories, only 4 developers are required even if the organization has a total of 10 members. If these unique developers commit to many projects within the same organization, they are counted once, so no additional cost is charged.

All members of the organization, regardless of developer status, have access to paid features for the chosen tier. This means that project managers and other non-programming roles can still view the Semgrep App dashboard.

Plan limits

Should your usage exceed your plan's limit, we will reach out and come up with a new plan that fits your needs.

Upgrading your plan

To upgrade to the Team tier through a credit card:

  1. In the Settings page, select the Payment tab.
  2. Select the number of developers to purchase licenses for.
  3. Fill in your payment details.

[Screenshot: Semgrep App payment menu]

To upgrade to the Enterprise tier, please contact us.

Billing

Team tier users who pay through a credit card are charged monthly. Enterprise tier users are charged at an agreed-upon billing cycle. For any concerns such as custom payment methods and billing cycles, send an email to billing@r2c.dev to get in touch with our sales team.

Modifying or canceling your plan

To modify or cancel your plan, send an email to billing@r2c.dev.

Paying for your plan

Pay through the following methods:

  • Pay using your credit card. The payment will be processed through Stripe.
  • Pay through a purchase order or invoice. Send an email to billing@r2c.dev to get in touch with our sales team.
