Skip to main content

Semgrep AppSec Platform versus Semgrep Community Edition

You can use Semgrep AppSec Platform (Semgrep) or Semgrep Community Edition (Semgrep CE) to scan your code for security issues, bugs, and compliance to coding standards. However, there are key differences between the two offerings.

tip

Refer to the appendix to skim all features of both offerings.

Product terms

The offerings in this document are defined as follows:

Semgrep Community Edition (Semgrep CE)

Includes an open source, lightweight SAST scanner and rules in the Semgrep Registry with open source licenses. You can also write your own custom rules. The Community Edition is best for small teams or personal projects.

Semgrep AppSec Platform (Semgrep)

Refers to a proprietary software suite tailored to support AppSec engineers through the entire software development life cycle (SDLC). Best for deploying security programs throughout their organization. Many of Semgrep's features support the deployment of secure guardrails. Semgrep includes the following products:

Semgrep Code
A SAST scanner that uses cross-file (interfile) and cross-function (intrafile) analysis for improved results over Semgrep Community Edition. Semgrep Code includes rules written by Semgrep's Security Research team, called Pro Rules. These rules use cross-file analysis to reduce false positives.
Semgrep Supply Chain
A high-signal dependency scanner that detects reachable vulnerabilities in open source third-party libraries and functions across the software development life cycle (SDLC).
Semgrep Secrets
A secrets scanner that, in addition to detecting secrets, validates these leaked secrets on a variety of services to help you prioritize active secrets.
note

Semgrep Code and Semgrep Supply Chain are free for up to 10 contributors.

Comparison by core workflows

Scope of each offering by core workflows
Figure. A typical AppSec security program's core workflows and the scope of out-of-the-box Semgrep CE and Semgrep AppSec Platform features.

Deployment

The process of integrating Semgrep into your developer and infrastructure workflows.

Semgrep Community Edition

Semgrep CE runs in your local machine's CLI through the semgrep scan command.

Deploying in bulk or at scale is a manual task. Semgrep CE can scan a remote repository by running as part of a CI job but you must write and configure the CI job for each repository.

Semgrep AppSec Platform

Semgrep can scan in the following environments:

  • CI
  • Web app (for Managed Scans)
  • CLI
  • IDE
  • pre-commit

Your scan configuration, such as rules and policies, and scan analysis (SAST, SCA, or secrets) are preserved across all environments.

Users comfortable with granting Semgrep code access can quickly deploy Semgrep to thousands of repositories through Managed Scans.

Semgrep supports various CI providers and source code managers (SCMs) such as GitHub, GitLab, Bitbucket, and Azure.

Scanning and analyses

The process of analyzing source code for findings. This section explains the analyses available to both product offerings.

Semgrep Community Edition

Semgrep CE provides the following SAST analyses:

  • Single file, cross function constant propagation
  • Single function taint analysis
  • Semantic analysis

The limited scope makes it fast, at the cost of coverage and precision.

It can't track data beyond a single function or file and may find more false positives.

Semgrep AppSec Platform

Semgrep supports SAST, SCA, and secret scans as listed in Product terms. You can run these scan types across all of your environments, preserving any configuration you have made.

Click to view Semgrep Code analyses (SAST)
  • Cross file, cross function constant propagation
  • Cross file, cross function taint analysis
  • Framework and language-specific semantic analysis
  • Semgrep Assistant (AI-assisted) post-processing analysis:
    • Reduces noise by 20%
    • Adds contextual remediation guidance
Click to view Semgrep Supply Chain analyses and functions (SCA)
  • Reachability analysis
  • Open source license enforcement
  • Dependency search
Click to view Semgrep Secrets analyses and functions
  • Validation of active, leaked secrets
  • Entropy
  • Historical scanning

Additionally, the Semgrep team maintains and contributes to premium rules, known as Pro rules, that specifically make use of the advanced analyses listed here.


tip

Certain languages, such as Apex, are available only on Semgrep AppSec Platform.

The following diagrams summarize the differences between the two:

Semrep OSS scan process
Figure. Semgrep CE scan process.


Semgrep AppSec Platform scan process
Figure. Semgrep AppSec Platform scan process.

Triage and remediation

Triage is the process of reviewing findings and determining if a finding is a true or false positive, and whether to fix the finding or not. Remediation refers to the steps taken to resolve the finding.

Ticketing and notification integrations are included in this workflow to inform developers of fixes and remediation guidance they may need to take to close the finding.

Semgrep Community Edition
Triage

There are no out-of-the-box features in Semgrep CE for triaging findings.

However, you can output findings to JSON and SARIF then send those findings to an AppSec Posture Management (ASPM) software such as DefectDojo.

Semgrep AppSec Platform
Triage

Semgrep tracks a single finding throughout its lifetime from its initial creation, when its status is Open, to various triage states such as Ignored, or Reviewing.

Developers and AppSec engineers are able to provide reasons for a finding's status, such as Acceptable risk or False positive for Ignored findings.

Semgrep provides AI-assisted triage through Semgrep Assistant, which can analyze all your findings to suggest which findings it thinks are false positives.

Click to view Semgrep Assistant analyses and functions
  • Step-by-step remediation
  • Can be viewed by developers and AppSec engineers in their preferred environment
  • Ability to learn your preferred libraries and functions through Assistant Memories

Learn more about Semgrep Assistant's accuracy.

Lastly, Semgrep supports the creation of tickets in Jira and various notification channels such as Slack and webhooks.

Tuning and prevention

Tuning refers to the improvement of Semgrep's engine, rules, and policies to improve such metrics as the true positive rate, net new findings, and findings fixed before they enter production.

Tuning assists in the prevention of vulnerabilities from entering production.

Semgrep Community Edition

Tuning is not supported in Semgrep CE, but you can customize the rules you run on your scans.

Semgrep CE does not provide any metrics that may inform you of potential performance improvements you can make.

Semgrep AppSec Platform

The Policies feature manages rules, helps block PRs or MRs from entering production, and configures which findings are presented to developers. This feature is available for both Semgrep Code and Secrets.

You can test a rule's performance by first monitoring its performance (and showing it only in AppSec environments), then changing its mode to leave comments or help block a PR or MR from merging.

You can also write custom SAST and Secrets rules and share these rules to the rest of your organization.

Reporting

Track the success of your security program and trends over time by generating reports.

Semgrep Community Edition

Semgrep CE does not include any reporting features.

Semgrep AppSec Platform

Semgrep's dashboard provides filters to create multiple views over different periods of time.

It is optimized to show progress towards the adoption of a secure guardrails approach to AppSec through the following key metrics:

  • Findings shown to developers
  • Findings fixed before backlog (before entering production)
  • Most findings by project

Semgrep Supply Chain can export SBOMs (software bills of materials) for you to keep track of all of a codebase's dependencies.


Dashboard page Figure. The dashboard page. Hover over the charts to view data for that point in time.

Appendix

This section provides a comprehensive comparison of each offering's features.

Deployment

Semgrep AppSec Platform

Scanning and analyses

Semgrep Community Edition

Semgrep CE provides cross function constant propagation and single function taint analysis.


Semgrep Community Edition (SAST)
Semgrep AppSec Platform

All Semgrep products make use of cross file, cross function taint analysis and more.

Semgrep Code (SAST)
Semgrep Supply Chain (SCA)
Semgrep Secrets

Triage and remediation

Semgrep Community Edition
  • You must manually set up Semgrep CE to send findings to an ASPM.
Semgrep AppSec Platform
  • Semgrep tracks triage states and enables triage from findings in any supported environment (CLI, CI, IDE, your PR or MR). See Code > Findings for more information.
  • Filtering by severity, confidence, and many other attributes assist in managing volume.
  • AI-assisted triage and remediation
  • AI-assisted component tagging
  • AI-assisted Memories, which enable you to tell the AI organization specific libraries to suggest when guiding developers
  • PR comments or MR comments can be sent to developers in their native environment (GitHub, GitLab, Azure DevOps, Bitbucket) and developers can triage in their native development through triage commands
  • Slack, email, and webhook notification channels
  • Creation of Jira tickets and customizable mapping of attributes

Tuning and prevention

Semgrep Community Edition

Minimal customization options to tune your scans:

  • Customize SAST scans through the rules you run in the CLI
  • Write custom SAST rules
Semgrep AppSec Platform
  • Customize SAST and Secrets scans through rule selection in policies
  • Write, save, manage, and fork custom SAST and Secrets detection rules in the Editor
  • AI assistance for rule writing
  • Store rules in Semgrep AppSec Platform and deploy to your organization
  • Policy-based workflows: Semgrep can perform workflow actions such as failing a CI job or leaving a PR comment based on user-defined policies for SAST and Secrets scans
  • Semgrep Code: Code search
  • Semgrep Supply Chain:

Reporting

Semgrep Community Edition
  • You must manually set up Semgrep CE to send findings to an ASPM.
Semgrep AppSec Platform

Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.