Supported languages
This document provides information about supported languages and language maturity definitions for the following products:
- Semgrep Code (SAST) - a static application security testing (SAST) solution designed to detect complex security vulnerabilities.
- Semgrep Supply Chain (SCA) - a software composition analysis (SCA) tool that detects security vulnerabilities in your codebase introduced by open source dependencies.
Semgrep Code and Semgrep Supply Chain are free for small teams.
Language maturity summary
The following table lists all Generally available (GA) and Beta languages for Semgrep Code and Semgrep Supply Chain.
Languages are arranged by feature completeness from most to least. Cross-file (interfile) analysis for Semgrep Code and reachability analysis for Semgrep Supply Chain are the most advanced analyses that Semgrep provides; see Feature definitions for more details.
| Languages | Semgrep Code Supports 35+ languages | Semgrep Supply Chain Supports 10+ languages |
| C# | Generally available • Cross-file dataflow analysis • Supports up to C# 13 • 40+ Pro rules | Generally available • Reachability analysis • Can detect open source licenses • Can detect malicious dependencies |
| Go | Generally available • Cross-file dataflow analysis • 60+ Pro rules | Generally available • Reachability analysis • Can detect open source licenses • Can detect malicious dependencies |
| Java | Generally available • Cross-file dataflow analysis • Framework-specific control flow analysis • 160+ Pro rules | Generally available • Reachability analysis • Can detect open source licenses |
| JavaScript | Generally available • Cross-file dataflow analysis • Framework-specific control flow analysis • 70+ Pro rules | Generally available • Reachability analysis • Can detect open source licenses • Can detect malicious dependencies |
| Kotlin | Generally available • Cross-file dataflow analysis • 60+ Pro rules | Generally available • Reachability analysis • Can detect open source licenses |
| Python | Generally available • Cross-file dataflow analysis • Framework-specific control flow analysis • 300+ Pro rules • See Python-specific support details | Generally available • Reachability analysis • Can detect open source licenses • Can detect malicious dependencies |
| Typescript | Generally available • Cross-file dataflow analysis • Framework-specific control flow analysis • 70+ Pro rules | Generally available • Reachability analysis • Can detect open source licenses |
| C / C++ | Generally available • Cross-file dataflow analysis • 150+ Pro rules | N/a |
| JSX | Generally available • Cross-function dataflow analysis • 70+ Pro rules | Generally available • Reachability analysis • Can detect open source licenses |
| Ruby | Generally available • Cross-function dataflow analysis • 20+ Pro rules | Generally available • Reachability analysis • Can detect open source licenses • Can detect malicious dependencies |
| Scala | Generally available • Cross-function dataflow analysis • Community rules | Generally available • Reachability analysis • Can detect open source licenses |
| Swift | Generally available • Cross-function dataflow analysis • 50+ Pro rules | Generally available • Reachability analysis • Can detect open source licenses |
| Rust | Generally available • Cross-function dataflow analysis • 40+ Pro rules | Beta • Can detect open source licenses • Can detect malicious dependencies |
| PHP | Generally available • Cross-function dataflow analysis • 20+ Pro rules | Beta |
| Terraform | Generally available • Cross-function dataflow analysis • Community rules | N/a |
| Generic | Generally available | N/a |
| JSON | Generally available | N/a |
| Elixir | Beta | Beta |
| APEX | Beta | -- |
| Dart | Experimental | Beta |
Click to view experimental languages for Semgrep Code.
- Bash
- Cairo
- Circom
- Clojure
- Dart
- Dockerfile
- Hack
- HTML
- Jsonnet
- Julia
- Lisp
- Lua
- Move on Aptos
- Move on Sui
- OCaml
- R
- Scheme
- Solidity
- YAML
- XML
Language maturity levels
Semgrep Code
Semgrep Code languages can be classified into four maturity levels:
- Generally available (GA)
- Beta
- Experimental
- Community supported*
*Community supported languages meet the parse rate and syntax requirements of Experimental languages. Users can still access community rules or write their own rules.
Click to view table of definitions.
| Feature | GA | Beta | Experimental | Community supported |
| Support | Highest quality support by the Semgrep team. Reported issues are resolved promptly. | Supported by the Semgrep team. Reported issues are fixed after GA languages. | There are limitations to this language's functionality. Reported issues are tracked and prioritized with best effort. | These languages are supported by the Semgrep community. While Semgrep may develop rules or engine updates for these languages, they are not prioritized. |
| Parse Rate | 99%+ | 95%+ | 90%+ | |
| Number of Pro rules | 10+ | 5+ | 0+. Query the Registry to see if any rules exist for your language. | |
| Semgrep syntax | Regex, equivalence, deep expression operators, types and typing. All features supported in Beta. | Complete metavariable support, metavariable equality. All features supported in Experimental. | Syntax, ellipsis operator, basic metavariable functionality. | |
Semgrep Supply Chain
Semgrep Supply Chain has two language maturity levels:
- Generally available
- Beta
Click to view table of definitions.
| Feature | Generally available | Beta |
| Number of reachability rules | 10+ | No required number |
| Semgrep, Inc. rule-writing support | Quickly support CVE coverage with reachability analysis for all critical and high vulnerabilities based on the latest security advisories. | Coverage for CVEs but without reachability analysis. |
| Semgrep CE language support | Semgrep CE support is GA. | Semgrep CE support is at least Beta. |
Feature definitions
Cross-file dataflow analysis
Cross-file analysis (also known as interfile analysis) takes into account how information flows between files. In particular, cross-file analysis includes cross-file taint analysis, which tracks unsanitized variables flowing from a source to a sink through arbitrarily many files. Other analyses performed across files include constant propagation and type inference.
Cross-file analysis is usually used in contrast to intrafile, or per-file analysis, where each file is analyzed as a standalone block of code.
Languages with cross-file support also include cross-function support.
Cross-function dataflow analysis
Cross-function analysis means that interactions between functions are taken into account. This improves taint analysis, which tracks unsanitized variables flowing from a source to a sink through arbitrarily many functions.
Reachability analysis
Reachability refers to whether or not a vulnerable code pattern from a dependency is used in the codebase that imports it. In Semgrep Supply Chain, both a dependency's vulnerable version and code pattern must match for a vulnerability to be considered reachable.
See Overview of Semgrep Supply Chain to learn how Semgrep leverages its code-scanning and rule syntax capabilities to provide high-signal rules that determine a finding's reachability. This assists security engineers in remediation and triage processes.
See Language maturity levels to learn which features define GA or beta language support.
Semgrep Supply Chain feature support
Semgrep Supply Chain is a software composition analysis (SCA) tool that detects security vulnerabilities in your codebase introduced by open source dependencies. It can also:
- Generate a software bill of materials (SBOM) that provides a complete inventory of your open source components
- Query for information about your dependencies
- Support the enforcement of your business' open source package licensing requirements
- Detect malicious dependencies (currently in private beta; reach out to support to join the program)
For projects with lockfiles, Semgrep parses lockfiles for dependencies, then scans your codebase for reachable findings based on the lockfiles. For a lockfile to be scanned by Semgrep Supply Chain, it must have one of the supported lockfile names.
For some languages, such as JavaScript and Python, a lockfile or manifest file is parsed to determine transitivity. For more information on transitivity, see Transitive dependencies and reachability analysis.
Additionally, Semgrep offers beta support for the scanning of Java or Kotlin projects without lockfiles.
Package manager support
The following table lists all Semgrep-supported package managers for each language. Languages with reachability support are listed first.
| Language | Supported package managers | Manifest file or lockfile |
|---|---|---|
| C# | NuGet | packages.lock.json |
| Go | Go modules (go mod) | go.mod |
| Java | Gradle | gradle.lockfile |
| Maven | Maven-generated dependency tree (See Setting up SSC scans for Apache Maven for instructions.) | |
| JavaScript or TypeScript | npm | package-lock.json |
| Yarn | yarn.lock | |
| pnpm | pnpm-lock.yaml | |
| Kotlin | Gradle | gradle.lockfile |
| Maven | Maven-generated dependency tree (See Setting up SSC scans for Apache Maven for instructions.) | |
| Python | pip | Any of the following:
|
| pip-tools | ||
| Pipenv | Pipfile.lock | |
| Poetry | poetry.lock | |
| Ruby | RubyGems | Gemfile.lock |
| Scala | Maven | Maven-generated dependency tree (See Setting up SSC scans for Apache Maven for instructions.) |
| Swift | SwiftPM | Package.swift file and Swift-generated Package.resolved file. (See Swift documentation for instructions.) |
| Rust | Cargo* | cargo.lock |
| Dart | Pub | pubspec.lock |
| Elixir | Hex | mix.lock |
| PHP | Composer | composer.lock |
*Supply Chain does not analyze the transitivity of packages for these language and manifest file or lockfile combinations. All dependencies are listed as No Reachability Analysis.
Feature support
The following table lists all Supply Chain features for each language. Languages with reachability support are listed first.
| Language | Reachability (see CVE coverage) | License detection | Malicious dependency detection (beta) |
|---|---|---|---|
| C# | ✅ | ✅ | ✅ |
| Go | ✅ | ✅ | ✅ |
| Java | ✅ | ✅ | -- |
| JavaScript or TypeScript | ✅ | ✅ | ✅ |
| Kotlin | ✅ | ✅ | -- |
| Python | ✅ | ✅ For PyPi only | ✅ |
| Ruby | ✅ | ✅ | ✅ |
| Scala | ✅ | ✅† | -- |
| Swift | ✅ | ✅ | -- |
| Rust | No reachability analysis. However, Semgrep can compare a package's version against a list of versions with known vulnerabilities. | ✅ | ✅ |
| Dart | -- | -- | |
| Elixir | -- | -- | |
| PHP | -- | -- |
†License detection for new packages is asynchronous and processed after the initial scan. Policies aren't applied on first detection, but are enforced in subsequent scans.
CVE coverage
Semgrep's reachability analysis covers the following CVEs:
- 80% of all critical severity CVEs since 2017 from supported sources
- 100% of critical and high severity CVEs since May 2022 from supported sources
Supported sources
Feature and product maturity levels
The detailed specifications previously provided apply only to language support. Language maturity levels differ from feature and product maturity levels.
More information
Visit the cheat sheet generation script and associated semgrep-core test files to learn more about each feature:
To see the parse rates for each language, visit the Semgrep public language dashboard.
Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.