
Semgrep AppSec Platform versus Semgrep OSS

You can use Semgrep AppSec Platform or Semgrep OSS to scan your code for security issues, bugs, and compliance to coding standards. However, there are key differences between the two offerings.

tip

Refer to the appendix to skim all features of both offerings.

Product terms

The offerings in this document are defined as follows:

Semgrep OSS

Includes an open source, lightweight SAST scanner and rules in the Semgrep Registry with open source licenses. You can also write your own custom rules for use with Semgrep OSS. Semgrep OSS is best for small teams or personal projects.

Semgrep AppSec Platform (Semgrep)

Refers to a proprietary software suite tailored to support AppSec engineers through the entire software development life cycle (SDLC). It is best for AppSec teams deploying security programs throughout their organization. Many of Semgrep's features support the deployment of secure guardrails. Semgrep includes the following products:

Semgrep Code
A SAST scanner that uses cross-file (interfile) and cross-function (intrafile) analysis for improved results over Semgrep OSS. Semgrep Code includes rules written by Semgrep's Security Research team, called Pro Rules. These rules use cross-file analysis to reduce false positives.
Semgrep Supply Chain
A high-signal dependency scanner that detects reachable vulnerabilities in open source third-party libraries and functions across the software development life cycle (SDLC).
Semgrep Secrets
A secrets scanner that, in addition to detecting secrets, validates these leaked secrets on a variety of services to help you prioritize active secrets.
note

Semgrep Code and Semgrep Supply Chain are free for up to 10 contributors.

Comparison by core workflows

Figure. A typical AppSec security program's core workflows and the scope of out-of-the-box Semgrep OSS and Semgrep AppSec Platform features.

Deployment

The process of integrating Semgrep into your developer and infrastructure workflows.

Semgrep OSS

Semgrep OSS runs in your local machine's CLI through the semgrep scan command.

Deploying in bulk or at scale is a manual task. Semgrep OSS can scan a remote repository by running as part of a CI job, but you must write and configure the CI job for each repository.

Semgrep AppSec Platform

Semgrep AppSec Platform can scan in the following environments:

  • CI
  • Web app (for Managed Scans)
  • CLI
  • IDE
  • pre-commit

Your scan configuration, such as rules and policies, and scan analysis (SAST, SCA, or secrets) are preserved across all environments.

Users comfortable with granting Semgrep code access can quickly deploy Semgrep to thousands of repositories through Managed Scans.

AppSec Platform supports various CI providers and source code managers (SCMs) such as GitHub, GitLab, Bitbucket, and Azure.

Scanning and analyses

The process of analyzing source code for findings. This section explains the analyses available to both product offerings.

Semgrep OSS

Semgrep OSS provides the following SAST analyses:

  • Single file, cross function constant propagation
  • Single function taint analysis
  • Semantic analysis

The limited scope makes it fast, at the cost of coverage and precision.

It can't track data beyond a single function or file and may find more false positives.

Semgrep AppSec Platform

Semgrep AppSec Platform supports SAST, SCA, and secret scans as listed in Product terms. You can run these scan types across all of your environments, preserving any configuration you have made.

Semgrep Code analyses (SAST)
  • Cross file, cross function constant propagation
  • Cross file, cross function taint analysis
  • Framework and language-specific semantic analysis
  • Semgrep Assistant (AI-assisted) post-processing analysis:
    • Reduces noise by 20%
    • Adds contextual remediation guidance

Semgrep Supply Chain analyses and functions (SCA)
  • Reachability analysis
  • Open source license enforcement
  • Dependency search

Semgrep Secrets analyses and functions
  • Validation of active, leaked secrets
  • Entropy
  • Historical scanning

Additionally, the Semgrep team maintains and contributes to premium rules, known as Pro rules, that specifically make use of the advanced analyses listed here.


tip

Certain languages, such as Apex, are available only on Semgrep AppSec Platform.

The following diagrams summarize the differences between the two:

Figure. Semgrep OSS scan process.

Figure. Semgrep AppSec Platform scan process.

Triage and remediation

Triage is the process of reviewing findings and determining if a finding is a true or false positive, and whether to fix the finding or not. Remediation refers to the steps taken to resolve the finding.

Ticketing and notification integrations are included in this workflow to inform developers of fixes and remediation guidance they may need to take to close the finding.

Semgrep OSS
Triage

There are no out-of-the-box features in Semgrep OSS for triaging findings.

However, you can output findings to JSON and SARIF then send those findings to an AppSec Posture Management (ASPM) software such as DefectDojo.
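The workflow just described (scan with Semgrep OSS, export JSON, track triage state elsewhere) can be bridged with a small script. The block below is an added example and not Semgrep's own code: it fingerprints findings from a `semgrep scan --json` report, separates new findings from a previous baseline and from a reviewer-maintained ignore list, and gates CI only on new findings above a chosen severity. The JSON schema is assumed from Semgrep's JSON output format, and the sample report is constructed.

```python
import hashlib
import json

# Constructed sample of `semgrep scan --json` output. The schema (top-level
# "results" with check_id, path, start/end and extra.severity/message/lines)
# is assumed from Semgrep's JSON format; the findings themselves are made up.
SEMGREP_JSON = json.dumps({"results": [
    {"check_id": "python.lang.security.audit.exec-detected", "path": "app/views.py",
     "start": {"line": 42, "col": 5}, "end": {"line": 42, "col": 21},
     "extra": {"severity": "ERROR", "message": "Detected use of exec()",
               "lines": "    exec(user_input)"}},
    {"check_id": "python.flask.security.audit.debug-enabled", "path": "app/main.py",
     "start": {"line": 10, "col": 1}, "end": {"line": 10, "col": 20},
     "extra": {"severity": "WARNING", "message": "Flask debug mode enabled",
               "lines": "app.run(debug=True)"}},
], "errors": []})

SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2}

def fingerprint(result):
    """Stable id for a finding: rule + file + matched text, deliberately not
    the line number, so the id survives unrelated edits to the same file."""
    raw = "|".join([result["check_id"], result["path"], result["extra"]["lines"].strip()])
    return hashlib.sha256(raw.encode()).hexdigest()[:16]

def load_findings(text):
    """Map fingerprint -> result for every finding in a Semgrep JSON report."""
    return {fingerprint(r): r for r in json.loads(text)["results"]}

def triage(current_text, baseline_text=None, ignored=frozenset()):
    """Split findings into new / known / ignored. The baseline is the previous
    report; `ignored` holds fingerprints a reviewer marked as accepted risk or
    false positive (the state the platform stores for you, kept in a file here)."""
    current = load_findings(current_text)
    baseline = load_findings(baseline_text) if baseline_text else {}
    out = {"new": [], "known": [], "ignored": []}
    for fp in current:
        bucket = "ignored" if fp in ignored else "known" if fp in baseline else "new"
        out[bucket].append(fp)
    return out

def should_fail(current_text, buckets, min_severity="ERROR"):
    """CI gate: fail only on new findings at or above min_severity, so the
    existing backlog does not block every merge while it is worked off."""
    current = load_findings(current_text)
    return any(SEVERITY_RANK[current[fp]["extra"]["severity"]] >= SEVERITY_RANK[min_severity]
               for fp in buckets["new"])
```

In a CI job, the previous run's JSON and the ignore list would be stored as artifacts or committed files and loaded in place of the inline sample.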

Semgrep AppSec Platform
Triage

Semgrep AppSec Platform tracks a single finding throughout its lifetime from its initial creation, when its status is Open, to various triage states such as Ignored, or Reviewing.

Developers and AppSec engineers are able to provide reasons for a finding's status, such as Acceptable risk or False positive for Ignored findings.

Semgrep AppSec Platform provides AI-assisted triage through Semgrep Assistant, which can analyze all your findings to suggest which findings it thinks are false positives.

Semgrep Assistant analyses and functions
  • Step-by-step remediation
  • Can be viewed by developers and AppSec engineers in their preferred environment
  • Ability to learn your preferred libraries and functions through Assistant Memories

Learn more about Semgrep Assistant's accuracy.

Lastly, Semgrep supports the creation of tickets in Jira and various notification channels such as Slack and webhooks.

Tuning and prevention

Tuning refers to the improvement of Semgrep's engine, rules, and policies to improve such metrics as the true positive rate, net new findings, and findings fixed before they enter production.

Tuning assists in the prevention of vulnerabilities from entering production.

Semgrep OSS

Tuning is not supported in Semgrep OSS, but you can customize the rules you run on your scans.

Semgrep OSS does not provide any metrics that may inform you of potential performance improvements you can make.

Semgrep AppSec Platform

The Policies feature manages rules, helps block PRs or MRs from entering production, and configures which findings are presented to developers. This feature is available for both Semgrep Code and Secrets.

You can test a rule before enforcing it: first run it in a monitoring mode that shows its findings only in AppSec environments, then change its mode to leave comments on, or help block, a PR or MR from merging.

You can also write custom SAST and Secrets rules and share these rules to the rest of your organization.

Reporting

Track the success of your security program and trends over time by generating reports.

Semgrep OSS

Semgrep OSS does not include any reporting features.

Semgrep AppSec Platform

Semgrep AppSec Platform's dashboard provides filters to create multiple views over different periods of time.

It is optimized to show progress towards the adoption of a secure guardrails approach to AppSec through the following key metrics:

  • Findings shown to developers
  • Findings fixed before backlog (before entering production)
  • Most findings by project

Semgrep Supply Chain can export SBOMs (software bills of materials) for you to keep track of all of a codebase's dependencies.

Figure. The dashboard page. Hover over the charts to view data for that point in time.

Appendix

Deployment

Semgrep AppSec Platform

Scanning and analyses

Semgrep OSS

Semgrep OSS provides cross function constant propagation and single function taint analysis.


Semgrep OSS (SAST)
Semgrep AppSec Platform

All AppSec Platform products make use of cross file, cross function taint analysis and more.

Semgrep Code (SAST)
Semgrep Supply Chain (SCA)
Semgrep Secrets

Triage and remediation

Semgrep OSS
  • You must manually set up Semgrep OSS to send findings to an ASPM.
Semgrep AppSec Platform
  • AppSec Platform tracks triage states and enables triage from findings in any supported environment (CLI, CI, IDE, your PR or MR). See Code > Findings for more information.
  • Filtering by severity, confidence, and many other attributes assists in managing volume.
  • AI-assisted triage and remediation
  • AI-assisted component tagging
  • AI-assisted Memories, which enable you to tell the AI organization specific libraries to suggest when guiding developers
  • PR comments or MR comments can be sent to developers in their native environment (GitHub, GitLab, Azure DevOps, Bitbucket), and developers can triage in their native development environment through triage commands
  • Slack, email, and webhook notification channels
  • Creation of Jira tickets and customizable mapping of attributes

Tuning and prevention

Semgrep OSS

Minimal customization options to tune your scans:

  • Customize SAST scans through the rules you run in the CLI
  • Write custom SAST rules
Semgrep AppSec Platform
  • Customize SAST and Secrets scans through rule selection in policies
  • Write, save, manage, and fork custom SAST and Secrets detection rules in the Editor
  • AI assistance for rule writing
  • Store rules in Semgrep AppSec Platform and deploy to your organization
  • Policy-based workflows: Semgrep can perform workflow actions such as failing a CI job or leaving a PR comment based on user-defined policies for SAST and Secrets scans
  • Semgrep Code: Code search
  • Semgrep Supply Chain:

Reporting

Semgrep OSS
  • You must manually set up Semgrep OSS to send findings to an ASPM.
Semgrep AppSec Platform
