Semgrep Pro versus Semgrep OSS
You can use Semgrep Pro or Semgrep OSS to scan your code for security issues, bugs, and compliance to coding standards. Semgrep uses both an engine and rules to scan your code.
Rules, which are written in YAML, describe how Semgrep generates a finding, such as a security issue. A rule encapsulates the pattern-matching logic and is meant to be readable and customizable.
Semgrep Pro includes different types of analyses, such as Semgrep Code's cross-file, cross-function analysis in Semgrep Code. Semgrep OSS runs only single-function analysis.
This document outlines key differences between the Semgrep OSS and Pro product lines.
The terms used in this document are defined as follows:
- Semgrep OSS
- Refers to Semgrep offerings with an open-source license, primarily the Semgrep OSS Engine, a fast and customizable static application security testing (SAST) scanner. To run Semgrep completely on OSS, use the OSS Engine and rules in the Semgrep Registry with open source licenses, or write your own custom rules.
- Semgrep Pro
- Refers to proprietary product offerings from Semgrep, Inc. These include:
- Semgrep Code
- A SAST scanner that uses cross-file (interfile) and cross-function (interprocedural) analysis for improved results over Semgrep OSS. Semgrep Code includes premium rules, known as Pro rules, that use the cross-file analysis to reduce false positives.
- Semgrep Supply Chain
- A high-signal dependency scanner that detects reachable vulnerabilities in open source third-party libraries and functions across the software development life cycle (SDLC).
- Semgrep Secrets
- A a secrets scanner that, in addition to detecting secrets, validates these leaked secrets on a variety of services to help you prioritize active secrets.
- Semgrep AppSec Platform
- A a web application for the deployment, management, and monitoring of findings from Semgrep's SAST, SCA, and secrets scanners. It integrates with continuous integration (CI) providers such as GitHub Actions, GitLab CI/CD, CircleCI, and more.
All Semgrep Pro products are free for up to 10 contributors.
๐ Core scanning featuresโ
The following tables describe Semgrep's essential scanning and findings management capabilities.
SAST (Static application security testing)โ
| Feature | Semgrep OSS | Semgrep Pro |
|---|---|---|
| Single-file analysis | โ๏ธ | โ๏ธ |
| Single-function analysis | โ๏ธ | โ๏ธ |
| Cross-file (across multiple files or interfile) analysis | -- | โ๏ธ |
| Cross-function (across multiple functions or interprocedural) analysis | -- | โ๏ธ |
| Dataflow analysis (taint) | -- | โ๏ธ |
SCA (Software composition analysis)โ
| Feature | Semgrep OSS | Semgrep Pro |
|---|---|---|
| Reachability analysis for direct dependencies | -- | โ๏ธ |
| License compliance | -- | โ๏ธ |
| Dependency search | -- | โ๏ธ |
| SBOM export | -- | โ๏ธ |
๐ฌ Scan management and monitoringโ
The following table displays various notification channels and reporting features.
| Feature | Semgrep OSS | Semgrep Pro |
|---|---|---|
| Centralized management of scan results (triage, remediation, fine-tuning noisy rules) | -- | โ๏ธ |
| Notifications and reports (Slack, email, webhooks, and API) | -- | โ๏ธ |
| Send scan results to GitLab SAST and GitHub Advanced Security | -- | โ๏ธ |
| Findings dashboard | -- | โ๏ธ |
| Findings retention | -- | As long as account is active |
๐งฐ Scan customization featuresโ
The following table displays customization features and tools that enhance Semgrep's core scanning capabilities. These features can increase true-positive rate and provide deeper insights into remediation.
| Feature | Semgrep OSS | Semgrep Pro |
|---|---|---|
| Write your own rules | โ๏ธ | โ๏ธ |
| Community-contributed rule registry | โ๏ธ | โ๏ธ |
| Rule-writing environment | โ๏ธ Playground | โ๏ธ Playground and Editor for logged-in users |
| Private rules* | -- | โ๏ธ |
| Proprietary rule registry | -- | โ๏ธ |
| Policy-based workflowsโ | -- | โ๏ธ |
*Private rules refer to rules that are guaranteed a private access scope in the cloud. This scope of access does not apply to Semgrep OSS, as Semgrep OSS is purely CLI-based.
โ Policy-based workflows provide security teams a means to block merges, leave PR/MR comments, or silently monitor for potential issues based on the presence of a finding.
๐ค Developer experienceโ
The following table lists tools to enable developers to resolve findings in their own code.
| Feature | Semgrep OSS | Semgrep Pro |
|---|---|---|
| VS Code extension | โ๏ธ | โ๏ธ |
| IntelliJ extension | โ๏ธ | โ๏ธ |
pre-commitโก | โ๏ธ | โ๏ธ |
| Autofix | โ๏ธ | โ๏ธ |
| Autofix in PR/MR comments | -- | โ๏ธ |
| GPT-assisted autofix | -- | โ๏ธ |
โกpre-commit requires some manual set-up.
๐ข User and organization managementโ
| Feature | Semgrep OSS | Semgrep Pro |
|---|---|---|
| Role-based access control (RBAC) | -- | โ๏ธ |
| Personal and organizational accounts | -- | โ๏ธ |
| SSO, OpenID, or OAuth2 authentication | -- | โ๏ธ |
๐งพ Licenses and tiersโ
| Product line | License | Subscription tiers |
|---|---|---|
| Semgrep Pro | Proprietary |
|
| Semgrep OSS Engine | GNU LGPL 2.1 | -- |
| Publicly-contributed rules | Dependent on author | -- |
See Licensing for more details.