Supported languages
This document provides information about supported languages and language maturity definitions for the following products:
- Semgrep Code
- Semgrep Community Edition (CE)
- Semgrep Supply Chain
Semgrep Code and Community Edition
Semgrep CE is a fast, lightweight program analysis tool that can help you detect bugs in your code. It makes use of Semgrep's LGPL 2.1 open source engine. These languages are supported by the Semgrep community on a best-effort basis.
Semgrep Code is a static application security testing (SAST) solution designed to detect complex security vulnerabilities. It makes use of proprietary Semgrep analyses, such as cross-file (interfile) dataflow analysis and framework-specific analyses, in addition to Semgrep CE. This results in a higher true positive rate than Semgrep CE. Semgrep Code provides the highest quality support by the Semgrep team: reported issues are resolved promptly.
Use either tool to scan local code or integrate it into your CI/CD pipeline to automate the continuous scanning of your repositories.
Language support
Semgrep Code supports over 35 languages.
Languages | 🚀 Semgrep Code: Free for small teams | 🌱 Semgrep CE |
---|---|---|
C / C++ | ✅ Generally available • Cross-file dataflow analysis • 150+ Pro rules | Community supported • Limited to single-function analysis • Community rules |
C# | ✅ Generally available • Cross-file dataflow analysis • Supports up to C# 13 (latest) • 40+ Pro rules | Community supported • Limited to single-function analysis • Community rules • Supports up to C# 7.0 |
Go | ✅ Generally available • Cross-file dataflow analysis • 60+ Pro rules | Community supported • Limited to single-function analysis • Community rules |
Java | ✅ Generally available • Cross-file dataflow analysis • Framework-specific control flow analysis • 160+ Pro rules | |
JavaScript | ✅ Generally available • Cross-file dataflow analysis • Framework-specific control flow analysis • 70+ Pro rules | |
Kotlin | ✅ Generally available • Cross-file dataflow analysis • 60+ Pro rules | |
Python | ✅ Generally available • Cross-file dataflow analysis • Framework-specific control flow analysis • 300+ Pro rules • See Python-specific support details | |
TypeScript | ✅ Generally available • Cross-file dataflow analysis • Framework-specific control flow analysis • 70+ Pro rules | |
Ruby | ✅ Generally available • Cross-function dataflow analysis • 20+ Pro rules | |
Rust | ✅ Generally available • Cross-function dataflow analysis • 40+ Pro rules | |
JSX | ✅ Generally available • Cross-function dataflow analysis • 70+ Pro rules | |
PHP | ✅ Generally available • Cross-function dataflow analysis • 20+ Pro rules | |
Scala | ✅ Generally available • Cross-function dataflow analysis • Community rules | |
Swift | ✅ Generally available • Cross-function dataflow analysis • 50+ Pro rules | |
Terraform | ✅ Generally available • Cross-function dataflow analysis • Community rules | |
Generic | ✅ Generally available | Community supported |
JSON | ✅ Generally available | |
APEX | Beta | Not available |
Elixir | Beta |
Experimental languages:
- Bash
- Cairo
- Circom
- Clojure
- Dart
- Dockerfile
- Hack
- HTML
- Jsonnet
- Julia
- Lisp
- Lua
- Move on Aptos
- Move on Sui
- OCaml
- R
- Scheme
- Solidity
- YAML
- XML
Language maturity levels
Semgrep Code languages can be classified into four maturity levels:
- Generally available (GA)
- Beta
- Experimental
- Community supported*
*Community supported languages meet the parse rate and syntax requirements of Experimental languages. Users can still access community rules or write their own rules.
Their differences are outlined in the following table:
Feature | GA | Beta | Experimental | Community supported |
---|---|---|---|---|
Support | Highest quality support by the Semgrep team. Reported issues are resolved promptly. | Supported by the Semgrep team. Reported issues are fixed after GA languages. | There are limitations to this language's functionality. Reported issues are tracked and prioritized with best effort. | These languages are supported by the Semgrep community. While Semgrep may develop rules or engine updates for these languages, they are not prioritized. |
Parse Rate | 99%+ | 95%+ | 90%+ | |
Number of Pro rules | 10+ | 5+ | 0+. Query the Registry to see if any rules exist for your language. | |
Semgrep syntax | Regex, equivalence, deep expression operators, types and typing. All features supported in Beta. | Complete metavariable support, metavariable equality. All features supported in Experimental. | Syntax, ellipsis operator, basic metavariable functionality. | |
More information
- Visit the cheat sheet generation script and associated semgrep-core test files to learn more about each feature.
- Visit the Semgrep public language dashboard to see the parse rates for each language.
Semgrep Supply Chain
Semgrep Supply Chain is a software composition analysis (SCA) tool that detects security vulnerabilities in your codebase introduced by open source dependencies. It can also:
- Generate a software bill of materials (SBOM) that provides a complete inventory of your open source components
- Query for information about your dependencies
- Support the enforcement of your business's open source package licensing requirements
For projects with lockfiles, Semgrep parses lockfiles for dependencies, then scans your codebase for reachable findings based on the lockfiles. Some languages, such as Java, have several supported lockfiles, depending on your repository's package manager. For a lockfile to be scanned by Semgrep Supply Chain, it must have one of the supported lockfile names.
For some languages, such as JavaScript and Python, a lockfile or manifest file is parsed to determine transitivity. For more information on transitivity, see Transitive dependencies and reachability analysis.
Additionally, Semgrep offers beta support for the scanning of Java projects without lockfiles if they're built using Maven or Gradle with the help of the Gradle Wrapper.
Language | Supported package managers | Manifest file or lockfile | Reachability | License detection support | Period of reachability rule coverage for CVEs/GHSAs |
---|---|---|---|---|---|
C# | NuGet | packages.lock.json | GA | ✅ | 80% of all critical severity CVEs since 2017 and 100% of critical and high severity CVEs since May 2022 |
Go | Go modules (go mod) | go.mod | GA | ✅ | |
Java | Gradle | gradle.lockfile | GA | ✅ | |
Java | Maven | Maven-generated dependency tree (See Setting up SSC scans for Apache Maven for instructions.) | GA | ✅ | |
JavaScript or TypeScript | npm (Node.js) | package-lock.json | GA | ✅ | |
JavaScript or TypeScript | Yarn, Yarn 2, Yarn 3 | yarn.lock | GA | ✅ | |
JavaScript or TypeScript | pnpm | pnpm-lock.yaml | GA | ✅ | |
Kotlin | Gradle | gradle.lockfile | GA | ✅ | |
Kotlin | Maven | Maven-generated dependency tree (See Setting up SSC scans for Apache Maven for instructions.) | GA | ✅ | |
Python | pip | Any of the following: | GA | ✅ (PyPI packages only) | |
Python | pip-tools | | GA | | |
Python | Pipenv | Pipfile.lock | GA | | |
Python | Poetry | poetry.lock | GA | | |
Ruby | RubyGems | Gemfile.lock | GA | ✅ | |
Scala | Maven | Maven-generated dependency tree (See Setting up SSC scans for Apache Maven for instructions.) | GA | ✅ | |
Swift | SwiftPM | Package.swift file and Swift-generated Package.resolved file. (See Swift documentation for instructions.) | GA | ✅ (License detection for new packages is asynchronous and processed after the initial scan. Policies aren't applied on first detection, but are enforced in subsequent scans.) | |
Rust | Cargo* | cargo.lock | -- | ✅ | Not applicable due to reachability support level |
Dart | Pub | pubspec.lock | -- | -- | |
Elixir | Hex | mix.lock | -- | -- | |
PHP | Composer | composer.lock | -- | -- | |
*Supply Chain does not analyze the transitivity of packages for these language and manifest file or lockfile combinations. All dependencies are listed as No Reachability Analysis.
Maturity levels
Semgrep Supply Chain has two maturity levels:
- Generally available
- Beta
Their differences are outlined in the following table:
Feature | Generally available | Beta |
---|---|---|
Number of reachability rules | 10+ | 1+ |
Semgrep, Inc. rule-writing support | Quickly release new rules for all critical and high vulnerabilities based on the latest security advisories. | No commitment for new rules based on the latest security advisories. |
Semgrep CE language support | Semgrep CE support is GA. | Semgrep CE support is at least Beta. |
- The detailed specifications previously provided apply only to language support. Language maturity levels differ from feature and product maturity levels.
- Semgrep features and products documented as experimental, beta, or GA generally follow the definitions in a Software release life cycle.
Reachability support level
Reachability support level refers to the level of support for reachability analysis for the language. At the minimum, Semgrep Supply Chain compares a package's version against a list of versions with known vulnerabilities.