Overview

Semgrep Code is a static application security testing (SAST) tool that detects security vulnerabilities in your first-party code.

You can use Semgrep Code to scan local repositories or integrate it into your CI/CD pipeline to automate the continuous scanning of your code.

Rules

Semgrep Code uses rules, which encapsulate pattern matching logic and data flow analysis, to scan your code and find issues such as code violations, security issues, and the use of outdated or vulnerable libraries. Semgrep generates and reports findings to you whenever it finds code that matches the patterns defined by rules.

In addition to rules available in the Registry, you can write custom rules to determine what Semgrep Code detects in your repositories. Whether you use pre-existing rules or write custom rules, knowing which rules Semgrep Code runs can help you understand how it detects security issues.

Semgrep Code is transparent: you can configure which rules it runs and inspect a rule's syntax to understand how a finding was detected. You can also edit a rule's content to improve its true positive rate or to have Semgrep show developers a message that is relevant to your codebase.

Findings

Semgrep Cloud Platform (SCP) displays Semgrep Code's findings. Additionally, SCP allows you to:

  • Triage findings
  • Send alerts and notifications or create tickets to track findings identified by Semgrep Code
  • Customize how Semgrep Code scans your repositories
  • Manage your users and facilitate team collaboration in remediating security issues

OSS versus Pro Engine

By default, Semgrep Code is powered by Semgrep's OSS engine. It can analyze interactions within a single function, a process known as intraprocedural analysis, and its smaller scope of analysis makes it faster and easier to integrate into developer workflows.

For cross-file and cross-function analysis (interfile and interprocedural analysis, respectively), you can enable Semgrep's Pro Engine. These scans produce fewer false positives and more true positives, but take longer to complete.
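As an added example that is not part of the Semgrep documentation, the rule file below shows the two kinds of logic described under Rules (a pattern-matching rule and a taint-mode dataflow rule, each with a custom message) and, in its comments, how the engine choice above affects the dataflow rule. It assumes a hypothetical Python target that passes a Flask request parameter into `subprocess`; the rule ids are made up for this example.

```yaml
rules:
  # Pattern-matching rule: flags one dangerous call shape regardless of
  # where its arguments come from.
  - id: custom-subprocess-shell-true
    languages: [python]
    severity: WARNING
    message: >-
      subprocess invoked with shell=True. Pass the command as a list of
      arguments and drop shell=True so that input cannot alter the command line.
    patterns:
      - pattern: subprocess.$FUNC(..., shell=True, ...)
      - metavariable-regex:
          metavariable: $FUNC
          regex: ^(run|call|Popen|check_output|check_call)$
    metadata:
      category: security

  # Taint-mode rule: dataflow analysis from a request source to a
  # subprocess sink, with shlex.quote treated as a sanitizer.
  # On the OSS engine this flow is tracked only inside a single function
  # (intraprocedural); a value that passes through a helper function or
  # another file is followed only when the Pro Engine is enabled.
  - id: custom-request-to-subprocess
    languages: [python]
    severity: ERROR
    mode: taint
    message: >-
      Request data reaches a subprocess call without sanitization.
      Validate the value against an allow list before using it in a command.
    pattern-sources:
      - pattern: flask.request.args.get(...)
      - pattern: flask.request.form.get(...)
    pattern-sanitizers:
      - pattern: shlex.quote(...)
    pattern-sinks:
      - pattern: subprocess.$FUNC(...)
    metadata:
      category: security
```

Saved as a local YAML file, a rule file like this can be run against a repository with `semgrep --config <path-to-rule-file>`, which is the same mechanism the Registry rules use.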

Next steps

Further reading
