Skip to main content
  • Semgrep Cloud Platform
  • Community Tier
  • Team & Enterprise Tier

Pricing and billing

The following Semgrep tools are free to use:

  • Semgrep OSS Engine
  • Semgrep Code (up to 20 developers under the Community tier)

Semgrep OSS Engine is open source software (OSS), licensed under LGPL 2.1. It is a fast static analysis command line tool for finding bugs and enforcing code standards. It can be run locally or in continuous integration (CI).

Semgrep Code, which builds on Semgrep OSS Engine, provides additional features that enable developer and security teams to triage security vulnerabilities, set up notifications, and enforce organizational coding standards. Semgrep Code includes Semgrep Cloud Platform (SCP). Semgrep Code has both free and paid tiers.

Semgrep Code’s paid tiers include Semgrep Pro Engine and Semgrep Pro rules. These provide interprocedural and interfile analysis, producing high confidence findings for a variety of OWASP top ten vulnerabilities.

info

This page contains information for Semgrep Code and Semgrep OSS. For Semgrep Supply Chain, a software composition analysis (SCA) product, see the Semgrep Pricing page.

Semgrep Code and Semgrep OSS Engine

The following tables provide an overview of features and their availability based on tier.

Organizational management and usage limits

FeatureSemgrep OSSSemgrep Code CommunitySemgrep Code Team
Member limitn/a20 developers♾️ unlimited
Project limitn/a♾️ unlimited♾️ unlimited

Notes:

  • Semgrep OSS does not support any member count function.
  • Member usage limits are visible in your Settings page > Upgrade tab.
  • If your organization exceeds the member limit:
    • Only the 20 most recent developers can view findings from Semgrep scans.
    • Overlimit findings data is retained for three months. When your organization goes below the usage limit, or upgrades to Team or Enterprise, the findings data will be accessible again.
    • You are notified of a 30-day grace period through in-app notifications and emails. After this grace period ends, additional developers (the 21st onwards) will not receive notifications or comments. Findings introduced by additional developers won't be surfaced in Semgrep Cloud Platform.

Screenshot of member limits

GitHub and GitLab integration support

FeatureSemgrep OSSSemgrep Code CommunitySemgrep Code Team
GitHub Freen/a✔️ yes✔️ yes
GitHub Teamn/a✔️ yes✔️ yes
GitHub Enterprise Cloudn/a❌ no✔️ yes
GitHub Enterprise Servern/a❌ no✔️ yes
GitLab SaaSn/a✔️ yes✔️ yes
GitHub Enterprisen/a❌ no✔️ yes
GitLab Self Managedn/a❌ no✔️ yes

Findings, language support, and rules

FeatureSemgrep OSSSemgrep Code CommunitySemgrep Code Team
Custom rules✔️ yes✔️ yes✔️ yes
Community rule registry✔️ yes✔️ yes✔️ yes
Editorn/a (alternatively, use Playground)✔️ yes✔️ yes
Autofix through PR/MR commentsn/a❌ no✔️ yes
Custom rule messages✔️ yes (for your custom rules)✔️ yes (for your custom rules)✔️ yes (for any rule)
Semgrep Pro Enginen/a❌ no✔️ yes
Developer feedbackn/a❌ no✔️ yes
Private rulesn/a❌ no✔️ yes
Custom language supportn/a❌ no❌ no
Findings retentionn/a1 month5 years

Notes:

  • Custom rules are rules that you can create and save through either the Playground or the Editor. The Playground and the Editor are online tools where you can write your rule patterns and test them on sample code. You must be signed in to use the Editor.
  • Developers can create fixes to their rules through an autofix key. For example, when banning outdated libraries, setting an autofix value with the correct library replaces the banned library.
  • Semgrep Cloud Platform provides this functionality with Autofix through PR/MR comments. These comments appear as suggestions that developers can commit with a single click.
  • Custom rule messages can be applied to public and private rules.
  • Semgrep Pro Engine enables interfile tracking within a codebase, keeping track of class and function definitions beyond a single file.
  • Developer feedback is a means for developers to communicate to security or rule-writing teams about a rule's precision. Discover what rules result in false positives and refine them through this feature.
  • Custom language support is available for Enterprise tier users.

Integrations and notifications

FeatureSemgrep OSSSemgrep Code CommunitySemgrep Code Team
Automatic CI/CD integrationn/a✔️ yes✔️ yes
Email notificationsn/a✔️ yes✔️ yes
Slack notificationsn/a✔️ yes✔️ yes
Jira integrationn/a❌ no❌ no
Webhook integrationn/a❌ no✔️ yes
APIn/a❌ no✔️ yes

Notes:

  • There is no limit to the number of integrations or notification channels. You can make more than one integration of any type.
  • Automatic CI/CD integration means that repositories added to Semgrep are scanned as part of the code repository's CI pipeline when a pull request is made.
  • Webhook integration uses a generic webhook to send JSON messages. These messages are triggered when a policy is changed, a new scan runs, or a new finding has emerged.
  • Jira integration allows organizations to directly create Jira tickets from a finding.

Authentication

FeatureSemgrep OSSSemgrep Code CommunitySemgrep Code Team
GitHub or GitLab single sign-on (SSO)n/a✔️ yes✔️ yes
SAML SSOn/a❌ no✔️ yes
Role-based access control (RBAC)n/a❌ no✔️ yes
Custom authentication featuresn/a❌ no❌ no

Notes:

  • GitLab SSO is only available for users of GitLab.com. This does not include self-managed GitLab instances.
  • Available RBAC roles are admin and user.
  • Custom authentication features are availble for Enterprise tier users.

Support and troubleshooting

FeatureSemgrep OSSSemgrep Code CommunitySemgrep Code Team
Slack supportCommunity SlackCommunity SlackPrivate Slack channel
Semgrep support portaln/a❌ no✔️ yes
Customer success managern/a❌ no❌ no
Dedicated and customized onboardingn/a❌ no❌ no

Notes:

  • Email, phone, and chat support is available 8 hours a day, 5 days a week.
  • Request support and track the status of your tickets through the Semgrep Support Portal at any time.
  • Dedicated customer success manager and custom onboarding are available for Enterprise tier users.

Determining your plan needs

Number of developers

Within your team or organization, assess the number of members that make commits. That determines the number of developers needed for the plan purchase.

For example, if a project has 4 unique developers who create commits during the billing period while Semgrep is scanning their repositories, only 4 developers are required even if the organization has a total of 10 members. If these unique developers commit to many projects within the same organization, they are counted once, so no additional cost is charged.

All members of the organization, regardless of developer status, have access to paid features for the chosen tier. This means that project managers and other non-programming roles can still view the Semgrep Cloud Platform dashboard.

Plan limits

Should your plan exceed the limit, we will reach out and come up with a new plan that fits your needs.

Upgrading your plan

To upgrade to the Team tier through a credit card:

  1. In the Settings page, select the Payment tab.
  2. Select the number of developers to purchase licenses for.
  3. Fill in your payment details.

Screenshot of payment menu

To upgrade to the Enterprise tier, please contact us.

Billing

Team tier users who pay through a credit card are charged monthly. Enterprise tier users are charged at an agreed-upon billing cycle. For any concerns such as custom payment methods and billing cycles, send an email to billing@r2c.dev to get in touch with our sales team.

Modifying or canceling your plan

To modify or cancel your plan, send an email to billing@r2c.dev.

Paying for your plan

Pay through the following methods:

Pay using your credit card.
The payment will be processed through Stripe.
Pay through a purchase order or invoice.
Send an email to billing@r2c.dev to get in touch with our sales team.

See also

Additional resources

Find what you needed in this doc? Join the Semgrep Community Slack group to ask the maintainers and the community if you need help.