Semgrep Pro versus Semgrep OSS

You can use Semgrep Pro or Semgrep OSS to scan your code for security issues, bugs, and compliance to coding standards. Semgrep uses both an engine and rules to scan your code.

Rules, which are written in YAML, describe how Semgrep generates a finding, such as a security issue. A rule encapsulates the pattern-matching logic and is meant to be readable and customizable.

Semgrep Pro includes additional types of analysis, such as Semgrep Code's cross-file and cross-function analysis. Semgrep OSS runs only single-function analysis.
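As an added illustration of the two paragraphs above, the following rule file shows what a YAML rule looks like and why the distinction between single-function and cross-function analysis matters. It is constructed for this page and is not from the Semgrep documentation or the Semgrep project; the rule ids, messages and the target program in the comments are assumptions. The first rule is a plain pattern match that works within a single function; the second is a taint rule whose source and sink sit in different functions, so reporting it depends on the cross-function and dataflow (taint) analysis that the tables below list under Semgrep Pro.

```yaml
# Added example, not from the Semgrep docs: two constructed rules in Semgrep's
# YAML rule format. Rule ids, messages and the target program are made up.
#
# Constructed target program (save beside this file as target.py):
#
#   import shlex
#   import subprocess
#   from flask import request
#
#   def list_dir(path):
#       subprocess.run("ls -l " + path, shell=True)   # reported by rule 1
#
#   def list_dir_safe(path):
#       subprocess.run(["ls", "-l", path])            # no shell=True, not reported
#
#   def command_from_request():
#       return request.args.get("cmd")                # taint source (rule 2)
#
#   def run_requested():
#       cmd = command_from_request()                  # value crosses a function boundary
#       subprocess.run(cmd, shell=True)               # taint sink (rule 2); also rule 1
#
rules:
  # Rule 1: a plain pattern rule. It matches inside a single function and needs
  # no dataflow: any subprocess.* call that passes shell=True is reported.
  - id: subprocess-shell-true
    languages: [python]
    severity: WARNING
    message: subprocess call uses shell=True; pass an argument list and drop shell=True
    metadata:
      category: security
    # "..." matches any other arguments in any position; $FUNC is a
    # metavariable that binds run, call, Popen, check_output, and so on.
    pattern: subprocess.$FUNC(..., shell=True, ...)

  # Rule 2: a taint rule. A finding is reported only when data from a source
  # reaches a sink without passing through a sanitizer. In target.py the source
  # is in command_from_request() and the sink in run_requested(), so the finding
  # depends on following the value across the call (cross-function analysis).
  - id: request-arg-to-shell
    mode: taint
    languages: [python]
    severity: ERROR
    message: user-controlled request data reaches a shell command
    metadata:
      category: security
    pattern-sources:
      # Query-string parameters are user-controlled input.
      - pattern: flask.request.args.get(...)
    pattern-sanitizers:
      # Shell-quoting the value is treated as neutralizing it for this sink.
      - pattern: shlex.quote(...)
    pattern-sinks:
      # Only the command argument is the sink, not the whole call: the
      # focus-metavariable operator narrows the match to $CMD.
      - patterns:
          - pattern: subprocess.$FUNC($CMD, ..., shell=True, ...)
          - focus-metavariable: $CMD
```

Run it against the constructed target with `semgrep --config rules.yaml target.py`. Rule 1 reports both calls that pass `shell=True`; rule 2 reports only `run_requested`, and only when the engine tracks the return value of `command_from_request()` into the sink.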

This document outlines key differences between the Semgrep OSS and Pro product lines.

The terms used in this document are defined as follows:

Semgrep OSS

Refers to Semgrep offerings with an open-source license, primarily the Semgrep OSS Engine, a fast and customizable static application security testing (SAST) scanner. To run Semgrep completely on OSS, use the OSS Engine and rules in the Semgrep Registry with open source licenses, or write your own custom rules.

Semgrep Pro

Refers to proprietary product offerings from Semgrep, Inc. These include:

Semgrep Code
A SAST scanner that uses cross-file (interfile) and cross-function (interprocedural) analysis for improved results over Semgrep OSS. Semgrep Code includes premium rules, known as Pro rules, that use the cross-file analysis to reduce false positives.
Semgrep Supply Chain
A high-signal dependency scanner that detects reachable vulnerabilities in open source third-party libraries and functions across the software development life cycle (SDLC).
Semgrep Secrets
A secrets scanner that, in addition to detecting secrets, validates these leaked secrets against a variety of services to help you prioritize active secrets.
Semgrep AppSec Platform
A web application for the deployment, management, and monitoring of findings from Semgrep's SAST, SCA, and secrets scanners. It integrates with continuous integration (CI) providers such as GitHub Actions, GitLab CI/CD, CircleCI, and more.

All Semgrep Pro products are free for up to 10 contributors.

🔎 Core scanning features

The following tables describe Semgrep's essential scanning and findings management capabilities.

SAST (Static application security testing)

| Feature | Semgrep OSS | Semgrep Pro |
|---|---|---|
| Single-file analysis | ✔️ | ✔️ |
| Single-function analysis | ✔️ | ✔️ |
| Cross-file (across multiple files or interfile) analysis | -- | ✔️ |
| Cross-function (across multiple functions or interprocedural) analysis | -- | ✔️ |
| Dataflow analysis (taint) | -- | ✔️ |

SCA (Software composition analysis)

| Feature | Semgrep OSS | Semgrep Pro |
|---|---|---|
| Reachability analysis for direct dependencies | -- | ✔️ |
| License compliance | -- | ✔️ |
| Dependency search | -- | ✔️ |
| SBOM export | -- | ✔️ |

💬 Scan management and monitoring

The following table displays various notification channels and reporting features.

| Feature | Semgrep OSS | Semgrep Pro |
|---|---|---|
| Centralized management of scan results (triage, remediation, fine-tuning noisy rules) | -- | ✔️ |
| Notifications and reports (Slack, email, webhooks, and API) | -- | ✔️ |
| Send scan results to GitLab SAST and GitHub Advanced Security | -- | ✔️ |
| Findings dashboard | -- | ✔️ |
| Findings retention | -- | As long as account is active |

🧰 Scan customization features

The following table displays customization features and tools that enhance Semgrep's core scanning capabilities. These features can increase true-positive rate and provide deeper insights into remediation.

| Feature | Semgrep OSS | Semgrep Pro |
|---|---|---|
| Write your own rules | ✔️ | ✔️ |
| Community-contributed rule registry | ✔️ | ✔️ |
| Rule-writing environment | ✔️ Playground | ✔️ Playground and Editor for logged-in users |
| Private rules* | -- | ✔️ |
| Proprietary rule registry | -- | ✔️ |
| Policy-based workflows† | -- | ✔️ |

\* Private rules refer to rules that are guaranteed a private access scope in the cloud. This scope of access does not apply to Semgrep OSS, as Semgrep OSS is purely CLI-based.
† Policy-based workflows provide security teams a means to block merges, leave PR/MR comments, or silently monitor for potential issues based on the presence of a finding.

🤖 Developer experience

The following table lists tools to enable developers to resolve findings in their own code.

| Feature | Semgrep OSS | Semgrep Pro |
|---|---|---|
| VS Code extension | ✔️ | ✔️ |
| IntelliJ extension | ✔️ | ✔️ |
| Autofix in PR/MR comments | -- | ✔️ |
| GPT-assisted autofix | -- | ✔️ |

‡ pre-commit requires some manual set-up.

๐Ÿข User and organization managementโ€‹

| Feature | Semgrep OSS | Semgrep Pro |
|---|---|---|
| Role-based access control (RBAC) | -- | ✔️ |
| Personal and organizational accounts | -- | ✔️ |
| SSO, OpenID, or OAuth2 authentication | -- | ✔️ |

🧾 Licenses and tiers

| Product line | License | Subscription tiers |
|---|---|---|
| Semgrep Pro | Proprietary | Semgrep Team; Semgrep Enterprise |
| Semgrep OSS Engine | GNU LGPL 2.1 | -- |
| Publicly-contributed rules | Dependent on author | -- |

See Licensing for more details.