Supported languages
This document provides information about supported languages and language maturity definitions for the following products:
- Semgrep Code (SAST) - a static application security testing (SAST) solution designed to detect complex security vulnerabilities.
- Semgrep Supply Chain (SCA) - a software composition analysis (SCA) tool that detects security vulnerabilities in your codebase introduced by open source dependencies.
Semgrep Code and Semgrep Supply Chain are free for small teams.
Language maturity summary
The following table lists all Generally available (GA) and Beta languages for Semgrep Code and Semgrep Supply Chain.
Languages are arranged by feature completeness from most to least. Cross-file (interfile) analysis for Semgrep Code and reachability analysis for Semgrep Supply Chain are the most advanced analyses that Semgrep provides; see Feature definitions for more details.
| Languages | Semgrep Code Supports 35+ languages | Semgrep Supply Chain Supports 10+ languages |
| C# | Generally available • Cross-file dataflow analysis • Supports up to C# 13 • 40+ Pro rules | Generally available • Reachability analysis • Can detect open source licenses |
| Go | Generally available • Cross-file dataflow analysis • 60+ Pro rules | Generally available • Reachability analysis • Can detect open source licenses |
| Java | Generally available • Cross-file dataflow analysis • Framework-specific control flow analysis • 160+ Pro rules | Generally available • Reachability analysis • Can detect open source licenses |
| JavaScript | Generally available • Cross-file dataflow analysis • Framework-specific control flow analysis • 70+ Pro rules | Generally available • Reachability analysis • Can detect open source licenses |
| Kotlin | Generally available • Cross-file dataflow analysis • 60+ Pro rules | Generally available • Reachability analysis • Can detect open source licenses |
| Python | Generally available • Cross-file dataflow analysis • Framework-specific control flow analysis • 300+ Pro rules • See Python-specific support details | Generally available • Reachability analysis • Can detect open source licenses |
| Typescript | Generally available • Cross-file dataflow analysis • Framework-specific control flow analysis • 70+ Pro rules | Generally available • Reachability analysis • Can detect open source licenses |
| C / C++ | Generally available • Cross-file dataflow analysis • 150+ Pro rules | N/a |
| JSX | Generally available • Cross-function dataflow analysis • 70+ Pro rules | Generally available • Reachability analysis • Can detect open source licenses |
| Ruby | Generally available • Cross-function dataflow analysis • 20+ Pro rules | Generally available • Reachability analysis • Can detect open source licenses |
| Scala | Generally available • Cross-function dataflow analysis • Community rules | Generally available • Reachability analysis • Can detect open source licenses |
| Swift | Generally available • Cross-function dataflow analysis • 50+ Pro rules | Generally available • Reachability analysis • Can detect open source licenses |
| Rust | Generally available • Cross-function dataflow analysis • 40+ Pro rules | Beta • Can detect open source licenses |
| PHP | Generally available • Cross-function dataflow analysis • 20+ Pro rules | Beta |
| Terraform | Generally available • Cross-function dataflow analysis • Community rules | N/a |
| Generic | Generally available | N/a |
| JSON | Generally available | N/a |
| Elixir | Beta | Beta |
| APEX | Beta | -- |
| Dart | Experimental | Beta |
Click to view experimental languages for Semgrep Code.
- Bash
- Cairo
- Circom
- Clojure
- Dart
- Dockerfile
- Hack
- HTML
- Jsonnet
- Julia
- Lisp
- Lua
- Move on Aptos
- Move on Sui
- OCaml
- R
- Scheme
- Solidity
- YAML
- XML
Feature definitions
Cross-file dataflow analysis
Cross-file analysis (also known as interfile analysis) takes into account how information flows between files. In particular, cross-file analysis includes cross-file taint analysis, which tracks unsanitized variables flowing from a source to a sink through arbitrarily many files. Other analyses performed across files include constant propagation and type inference.
Cross-file analysis is usually used in contrast to intrafile, or per-file analysis, where each file is analyzed as a standalone block of code.
Languages with cross-file support also include cross-function support.
Cross-function dataflow analysis
Cross-function analysis means that interactions between functions are taken into account. This improves taint analysis, which tracks unsanitized variables flowing from a source to a sink through arbitrarily many functions.
Reachability analysis
Reachability refers to whether or not a vulnerable piece of code from a dependency is used in the codebase that imports it. In Semgrep Supply Chain, both a dependency's vulnerable version and code pattern must match for a vulnerability to be considered reachable.
See Overview of Semgrep Supply Chain to learn how Semgrep leverages its code-scanning and rule syntax capabilities to provide high-signal rules that determine a finding's reachability. This assists security engineers in remediation and triage processes.
See Language maturity levels to learn which features define GA or beta language support.
Semgrep Supply Chain feature maturity
Semgrep Supply Chain is a software composition analysis (SCA) tool that detects security vulnerabilities in your codebase introduced by open source dependencies. It can also:
- Generate a software bill of materials (SBOM) that provides a complete inventory of your open source components
- Query for information about your dependencies
- Support the enforcement of your business' open source package licensing requirements
For projects with lockfiles, Semgrep parses lockfiles for dependencies, then scans your codebase for reachable findings based on the lockfiles. For a lockfile to be scanned by Semgrep Supply Chain, it must have one of the supported lockfile names.
For some languages, such as JavaScript and Python, a lockfile or manifest file is parsed to determine transitivity. For more information on transitivity, see Transitive dependencies and reachability analysis.
Additionally, Semgrep offers beta support for the scanning of Java projects without lockfiles if they're built using Maven or Gradle with the help of the Gradle Wrapper.
| Language | Supported package managers | Manifest file or lockfile | Reachability | License detection support | Reachability rule coverage for CVEs/GHSAs |
|---|---|---|---|---|---|
| C# | NuGet | packages.lock.json | GA | ✅ | GA |
| Go | Go modules (go mod) | go.mod | GA | ✅ | GA |
| Java | Gradle | gradle.lockfile | GA | ✅ | GA |
| Maven | Maven-generated dependency tree (See Setting up SSC scans for Apache Maven for instructions.) | GA | ✅ | ||
| JavaScript or TypeScript | npm | package-lock.json | GA | ✅ | GA |
| Yarn | yarn.lock | GA | ✅ | ||
| pnpm | pnpm-lock.yaml | GA | ✅ | ||
| Kotlin | Gradle | gradle.lockfile | GA | ✅ | GA |
| Maven | Maven-generated dependency tree (See Setting up SSC scans for Apache Maven for instructions.) | GA | ✅ | ||
| Python | pip | Any of the following:
| GA | (PyPI only) | GA |
| pip-tools | GA | ||||
| Pipenv | Pipfile.lock | GA | |||
| Poetry | poetry.lock | GA | |||
| Ruby | RubyGems | Gemfile.lock | GA | ✅ | GA |
| Scala | Maven | Maven-generated dependency tree (See Setting up SSC scans for Apache Maven for instructions.) | GA | ✅ | GA |
| Swift | SwiftPM | Package.swift file and Swift-generated Package.resolved file. (See Swift documentation for instructions.) | GA | ✅† | GA |
| Rust | Cargo* | cargo.lock | No reachability analysis. However, Semgrep can compare a package's version against a list of versions with known vulnerabilities. | ✅ | Not applicable due to reachability support level. |
| Dart | Pub | pubspec.lock | -- | ||
| Elixir | Hex | mix.lock | -- | ||
| PHP | Composer | composer.lock | -- |
*Supply Chain does not analyze the transitivity of packages for these language and manifest file or lockfile combinations. All dependencies are listed as No Reachability Analysis.
†License detection for new packages is asynchronous and processed after the initial scan. Policies aren't applied on first detection, but are enforced in subsequent scans.
Reachability support level
GA coverage means that Semgrep provides full reachability analysis for that language.
Rule coverage support level
GA coverage means that Semgrep provides coverage and rules for the following:
- 80% of all critical severity CVEs since 2017
- 100% of critical and high severity CVEs since May 2022
Language maturity levels
Semgrep Code
Semgrep Code languages can be classified into four maturity levels:
- Generally available (GA)
- Beta
- Experimental
- Community supported*
*Community supported languages meet the parse rate and syntax requirements of Experimental languages. Users can still access community rules or write their own rules.
Click to view table of definitions.
| Feature | GA | Beta | Experimental | Community supported |
| Support | Highest quality support by the Semgrep team. Reported issues are resolved promptly. | Supported by the Semgrep team. Reported issues are fixed after GA languages. | There are limitations to this language's functionality. Reported issues are tracked and prioritized with best effort. | These languages are supported by the Semgrep community. While Semgrep may develop rules or engine updates for these languages, they are not prioritized. |
| Parse Rate | 99%+ | 95%+ | 90%+ | |
| Number of Pro rules | 10+ | 5+ | 0+. Query the Registry to see if any rules exist for your language. | |
| Semgrep syntax | Regex, equivalence, deep expression operators, types and typing. All features supported in Beta. | Complete metavariable support, metavariable equality. All features supported in Experimental. | Syntax, ellipsis operator, basic metavariable functionality. | |
Semgrep Supply Chain
Semgrep Supply Chain has two language maturity levels:
- Generally available
- Beta
Click to view table of definitions.
| Feature | Generally available | Beta |
| Number of reachability rules | 10+ | No required number |
| Semgrep, Inc. rule-writing support | Quickly release new rules for all critical and high vulnerabilities based on the latest security advisories. | No commitment for new rules based on the latest security advisories. |
| Semgrep CE language support | Semgrep CE support is GA. | Semgrep CE support is at least Beta. |
Feature and product maturity levels
The detailed specifications previously provided apply only to language support. Language maturity levels differ from feature and product maturity levels.
More information
Visit the cheat sheet generation script and associated semgrep-core test files to learn more about each feature:
To see the parse rates for each language, visit the Semgrep public language dashboard.
Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.