Pricing and billing
The following Semgrep tools are free to use:
- Semgrep OSS Engine
- Semgrep Code (up to 20 developers under the Community tier)
Semgrep OSS Engine is open source software (OSS), licensed under LGPL 2.1. It is a fast static analysis command line tool for finding bugs and enforcing code standards. It can be run locally or in continuous integration (CI).
Semgrep Code, which builds on Semgrep OSS Engine, provides additional features that enable developer and security teams to triage security vulnerabilities, set up notifications, and enforce organizational coding standards. Semgrep Code includes Semgrep Cloud Platform (SCP). Semgrep Code has both free and paid tiers.
Semgrep Code’s paid tiers include Semgrep Pro Engine and Semgrep Pro rules. These provide interprocedural and interfile analysis, producing high confidence findings for a variety of OWASP top ten vulnerabilities.
This page contains information for Semgrep Code and Semgrep OSS. For Semgrep Supply Chain, a software composition analysis (SCA) product, see the Semgrep Pricing page.
Semgrep Code and Semgrep OSS Engine
The following tables provide an overview of features and their availability based on tier.
Organizational management and usage limits
Feature | Semgrep OSS | Semgrep Code Community | Semgrep Code Team |
---|---|---|---|
Member limit | n/a | 20 developers | ♾️ unlimited |
Project limit | n/a | ♾️ unlimited | ♾️ unlimited |
Notes:
- Semgrep OSS does not support any member count function.
- Member usage limits are visible in your Settings page > Upgrade tab.
- If your organization exceeds the member limit:
  - Only the 20 most recent developers can view findings from Semgrep scans.
  - Overlimit findings data is retained for three months. When your organization goes below the usage limit, or upgrades to Team or Enterprise, the findings data will be accessible again.
  - You are notified of a 30-day grace period through in-app notifications and emails. After this grace period ends, additional developers (the 21st onwards) will not receive notifications or comments. Findings introduced by additional developers won't be surfaced in Semgrep Cloud Platform.
GitHub and GitLab integration support
Feature | Semgrep OSS | Semgrep Code Community | Semgrep Code Team |
---|---|---|---|
GitHub Free | n/a | ✔️ yes | ✔️ yes |
GitHub Team | n/a | ✔️ yes | ✔️ yes |
GitHub Enterprise Cloud | n/a | ❌ no | ✔️ yes |
GitHub Enterprise Server | n/a | ❌ no | ✔️ yes |
GitLab SaaS | n/a | ✔️ yes | ✔️ yes |
GitHub Enterprise | n/a | ❌ no | ✔️ yes |
GitLab Self Managed | n/a | ❌ no | ✔️ yes |
Findings, language support, and rules
Feature | Semgrep OSS | Semgrep Code Community | Semgrep Code Team |
---|---|---|---|
Custom rules | ✔️ yes | ✔️ yes | ✔️ yes |
Community rule registry | ✔️ yes | ✔️ yes | ✔️ yes |
Editor | n/a (alternatively, use Playground) | ✔️ yes | ✔️ yes |
Autofix through PR/MR comments | n/a | ❌ no | ✔️ yes |
Custom rule messages | ✔️ yes (for your custom rules) | ✔️ yes (for your custom rules) | ✔️ yes (for any rule) |
Semgrep Pro Engine | n/a | ❌ no | ✔️ yes |
Developer feedback | n/a | ❌ no | ✔️ yes |
Private rules | n/a | ❌ no | ✔️ yes |
Custom language support | n/a | ❌ no | ❌ no |
Findings retention | n/a | 1 month | 5 years |
Notes:
- Custom rules are rules that you can create and save through either the Playground or the Editor. The Playground and the Editor are online tools where you can write your rule patterns and test them on sample code. You must be signed in to use the Editor.
- Developers can create fixes to their rules through an autofix key. For example, when banning outdated libraries, setting an autofix value with the correct library replaces the banned library.
- Semgrep Cloud Platform provides this functionality with Autofix through PR/MR comments. These comments appear as suggestions that developers can commit with a single click.
- Custom rule messages can be applied to public and private rules.
- Semgrep Pro Engine enables interfile tracking within a codebase, keeping track of class and function definitions beyond a single file.
- Developer feedback is a means for developers to communicate to security or rule-writing teams about a rule's precision. Discover what rules result in false positives and refine them through this feature.
- Custom language support is available for Enterprise tier users.
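The autofix note above describes the mechanism in one sentence; the following rule file is an added example (not from the original page or from Semgrep's own rule registry) showing what such a rule looks like in Semgrep's YAML syntax. It assumes the rule key for autofix is `fix`, that metavariables such as `$DATA` bound in `pattern` can be reused in `fix`, and that the two rules below are run with `semgrep --config ban-outdated.yaml --autofix` on a Python codebase. The first rule replaces a deprecated module import; the second replaces a call whose default behaviour is unsafe with its safe counterpart while preserving the original argument.

```yaml
# ban-outdated.yaml (constructed example)
rules:
  # Rule 1: ban a deprecated module and rewrite the import to its replacement.
  # The fix text is a literal: wherever the pattern matches, the matched text
  # is replaced with the contents of the fix key.
  - id: ban-deprecated-imp-module
    languages: [python]
    severity: WARNING
    message: >
      The imp module is deprecated. Use importlib instead.
    pattern: import imp
    fix: import importlib

  # Rule 2: replace an unsafe call with its safe variant.
  # $DATA is a metavariable bound by the pattern; reusing it in fix carries the
  # original argument into the rewritten call, so `yaml.load(body)` becomes
  # `yaml.safe_load(body)`.
  - id: use-yaml-safe-load
    languages: [python]
    severity: ERROR
    message: >
      yaml.load without an explicit safe loader can instantiate arbitrary
      Python objects from untrusted input. Use yaml.safe_load.
    patterns:
      - pattern: yaml.load($DATA)
      # Do not flag calls that already pass a safe loader explicitly.
      - pattern-not: yaml.load($DATA, Loader=yaml.SafeLoader)
    fix: yaml.safe_load($DATA)
```

Running the rules with `--autofix` edits the files in place; adding `--dryrun` prints the proposed changes without writing them, which is the local equivalent of reviewing the suggestion before committing it from a PR/MR comment. The `pattern-not` clause is the part worth copying into your own autofix rules: a fix that fires on code that is already correct produces noisy, possibly wrong, suggestions, so constrain the pattern to the genuinely unsafe form.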
Integrations and notifications
Feature | Semgrep OSS | Semgrep Code Community | Semgrep Code Team |
---|---|---|---|
Automatic CI/CD integration | n/a | ✔️ yes | ✔️ yes |
Email notifications | n/a | ✔️ yes | ✔️ yes |
Slack notifications | n/a | ✔️ yes | ✔️ yes |
Jira integration | n/a | ❌ no | ❌ no |
Webhook integration | n/a | ❌ no | ✔️ yes |
API | n/a | ❌ no | ✔️ yes |
Notes:
- There is no limit to the number of integrations or notification channels. You can make more than one integration of any type.
- Automatic CI/CD integration means that repositories added to Semgrep are scanned as part of the code repository's CI pipeline when a pull request is made.
- Webhook integration uses a generic webhook to send JSON messages. These messages are triggered when a policy is changed, a new scan runs, or a new finding has emerged.
- Jira integration allows organizations to directly create Jira tickets from a finding.
Authentication
Feature | Semgrep OSS | Semgrep Code Community | Semgrep Code Team |
---|---|---|---|
GitHub or GitLab single sign-on (SSO) | n/a | ✔️ yes | ✔️ yes |
SAML SSO | n/a | ❌ no | ✔️ yes |
Role-based access control (RBAC) | n/a | ❌ no | ✔️ yes |
Custom authentication features | n/a | ❌ no | ❌ no |
Notes:
- GitLab SSO is only available for users of GitLab.com. This does not include self-managed GitLab instances.
- Available RBAC roles are admin and user.
- Custom authentication features are available for Enterprise tier users.
Support and troubleshooting
Feature | Semgrep OSS | Semgrep Code Community | Semgrep Code Team |
---|---|---|---|
Slack support | Community Slack | Community Slack | Private Slack channel |
Semgrep support portal | n/a | ❌ no | ✔️ yes |
Customer success manager | n/a | ❌ no | ❌ no |
Dedicated and customized onboarding | n/a | ❌ no | ❌ no |
Notes:
- Email, phone, and chat support is available 8 hours a day, 5 days a week.
- Request support and track the status of your tickets through the Semgrep Support Portal at any time.
- Dedicated customer success manager and custom onboarding are available for Enterprise tier users.
Determining your plan needs
Number of developers
Within your team or organization, count the members who make commits. That number determines how many licenses you need to purchase for the plan.
For example, if a project has 4 unique developers who create commits during the billing period while Semgrep is scanning their repositories, only 4 licenses are required even if the organization has a total of 10 members. If these unique developers commit to many projects within the same organization, they are counted once, so no additional cost is charged.
All members of the organization, regardless of developer (license) status, have access to paid features for the chosen tier. This means that project managers and other non-programming roles can still view the Semgrep Cloud Platform Dashboard.
Semgrep add-on reconciliation of licenses
If the organization exceeds the number of purchased licenses, the organization will be charged based on the number of licenses that exceeded the purchased amount. The additional charge starts the month after the use of licenses exceeds the contracted amount.
Check in with your Semgrep Account Executive every 60 days if you need more licenses than initially purchased.
Example of license reconciliation
On January 21st, you purchased annual licenses for 50 developers of Semgrep Supply Chain’s Team tier ($40 per developer per month). The 21st of the month is the start date of the annual contract. In the following month, on February 28th, the number of used developer licenses exceeded the original purchased quantity by 20 users. This requires a contract adjustment.
Contract adjustment:
- Since the organization’s use exceeded the amount of purchased licenses on February 28th, the future date of March 21st is selected to align with the remaining months in the contract. There are 10 months remaining in the contract.
- The additional amount charged, the add-on cost, is $8,000 ($40 per developer per month x 10 months x 20 users).
- Resulting add-on cost: $8,000
Upgrading your plan
To upgrade to the Team tier through a credit card:
- In the Settings page, select the Payment tab.
- Select the number of developers to purchase licenses for.
- Fill in your payment details.
To upgrade to the Enterprise tier, please contact us.
Billing
Team tier users who pay through a credit card are charged monthly. Enterprise tier users are charged at an agreed-upon billing cycle. For any concerns such as custom payment methods and billing cycles, send an email to billing@semgrep.com to get in touch with our sales team.
Modifying or canceling your plan
To modify or cancel your plan, send an email to billing@semgrep.com.
Paying for your plan
Pay through the following methods:
- Pay using your credit card.
  - The payment will be processed through Stripe.
- Pay through a purchase order or invoice.
  - Send an email to billing@semgrep.com to get in touch with our sales team.