Supported languages
This document provides information about supported languages and language maturity definitions for the following products:
- Semgrep Code
- Semgrep OSS
- Semgrep Supply Chain
Semgrep Code and OSSโ
Semgrep OSS is a fast, lightweight program analysis tool that can help you detect bugs in your code. It makes use of Semgrep's LGPL 2.1 open source engine.
Semgrep Code is a static application security testing (SAST) solution designed to detect complex security vulnerabilities. It makes use of proprietary Semgrep analyses, such as cross-file (interfile) dataflow analysis and framework specific analysis, in addition to Semgrep OSS. This results in a higher true positive rate than Semgrep OSS.
Use either tool to scan local code or integrate it into your CI/CD pipeline to automate the continuous scanning of your repositories.
| Product | Analysis |
|---|---|
| Semgrep OSS |
|
| Semgrep Code |
|
Semgrep Code language supportโ
Semgrep Code supports over 30 languages and counting! ๐
| Language | Maturity level | Cross-function analysis | Cross-file analysis |
|---|---|---|---|
| C | GA | โ | โ |
| C++ | GA | โ | โ |
| C# | GA | โ | โ |
| Go | GA | โ | โ |
| Java | GA | โ | โ |
| JavaScript | GA | โ | โ |
| Kotlin | GA | โ | โ |
| Python | GA | โ | โ |
| TypeScript | GA | โ | โ |
| Ruby | GA | โ | -- |
| Rust | GA | โ | -- |
| JSX | GA | โ | -- |
| PHP | GA | โ | -- |
| Scala | GA | โ | -- |
| Swift | GA | โ | -- |
| Generic | GA | -- | -- |
| JSON | GA | -- | -- |
| Terraform | GA | -- | -- |
| Apex (Pro Only) | Beta | โ | -- |
| Elixir (Pro Only) | Beta | โ | -- |
The following languages are Experimental:
- Bash
- Cairo
- Clojure
- Dart
- Dockerfile
- Hack
- HTML
- Jsonnet
- Julia
- Lisp
- Lua
- Ocaml
- R
- Scheme
- Solidity
- YAML
- XML
If you'd like to request a language not shown here, please create an issue on the Semgrep GitHub repo.
Language maturity levelsโ
Semgrep Code languages can be classified into four maturity levels:
- Generally available (GA)
- Beta
- Experimental
- Community supported*
*Community supported languages meet the parse rate and syntax requirements of Experimental languages. Users can still access community rules or write their own rules.
Their differences are outlined in the following table:
| Feature | GA | Beta | Experimental | Community supported |
| Support | Highest quality support by the Semgrep team. Reported issues are resolved promptly. | Supported by the Semgrep team. Reported issues are fixed after GA languages. | There are limitations to this language's functionality. Reported issues are tracked and prioritized with best effort. | These languages are supported by the Semgrep community. While Semgrep may develop rules or engine updates for these languages, they are not prioritized. |
| Parse Rate | 99%+ | 95%+ | 90%+ | |
| Number of rules | 10+ | 5+ | 0+. Query the Registry to see if any rules exist for your language. | |
| Semgrep syntax | Regex, equivalence, deep expression operators, types and typing. All features supported in Beta. | Complete metavariable support, metavariable equality. All features supported in Experimental. | Syntax, ellipsis operator, basic metavariable functionality. | |
GA languages have broad support for all versions of that language.
Semgrep OSS language supportโ
All Semgrep OSS languages are community supported. Community supported languages must meet the parse rate and syntax requirements of experimental support in Semgrep Code to be listed here. Semgrep OSS uses Semgrep's open source engine.
Community supported languages have varying levels of rule coverage - view the registry and filter out Pro rules to see the level of coverage for OSS.
Click to view Semgrep OSS languages.
- Bash
- C
- C++
- C#
- Cairo
- Clojure
- Dart
- Dockerfile
- Generic
- Go
- Hack
- HTML
- Java
- JavaScript
- JSON
- Jsonnet
- Julia
- Lisp
- Lua
- Kotlin
- Ruby
- Rust
- JSX
- OCaml
- PHP
- Python
- R
- Scala
- Scheme
- Solidity
- Swift
- TypeScript
- YAML
- XML
More informationโ
Visit the cheat sheet generation script and associated semgrep-core test files to learn more about each feature:
Visit the Semgrep public language dashboard to see the parse rates for each language
Semgrep Supply Chainโ
Semgrep Supply Chain is a software composition analysis (SCA) tool that detects security vulnerabilities in your codebase introduced by open source dependencies. It can also:
- Generate a software bill of materials (SBOM) that provides a complete inventory of your open source components
- Query for information about your dependencies
- Support the enforcement of your business' open source package licensing requirements
Semgrep Supply Chain parses lockfiles for dependencies, then scans your codebase for reachable findings based on the lockfiles. Some languages, such as Java, have several supported lockfiles, depending on your repository's package manager. For a lockfile to be scanned by Semgrep Supply Chain, it must have one of the supported lockfile names.
For some languages, such as JavaScript and Python, a manifest file is also parsed to determine transitivity. For more information on transitivity, see Transitive dependencies and reachability analysis.
| Language | Supported package managers | Lockfile | Reachability support level | License detection support | Period of reachability rule coverage for CVEs/GHSAs |
|---|---|---|---|---|---|
| C# | NuGet | packages.lock.json | GA | โ | 80% of all critical severity CVEs since 2017 and 100% of critical and high severity CVEs since May 2022 |
| Go | Go modules (go mod) | go.mod | GA | โ | |
| Java | Gradle | gradle.lockfile | GA | โ | |
| Maven | Maven-generated dependency tree (See Setting up SSC scans for Apache Maven for instructions.) | GA | โ | ||
| JavaScript or TypeScript | npm (Node.js) | package-lock.json | GA | โ | |
| Yarn, Yarn 2, Yarn 3 | yarn.lock | GA | โ | ||
| pnpm | pnpm-lock.yaml | GA | โ | ||
| Kotlin | Gradleยง | gradle.lockfile | GA | โ | |
| Maven | Maven-generated dependency tree (See Setting up SSC scans for Apache Maven for instructions.) | GA | โ | ||
| Python | pip | requirements.txt if used as a lockfile. The requirements.txt file must be generated automatically and have values set to exact versions (pinned dependencies). | GA | โ (PyPI packages only) | |
| pip-tools | requirements.txt | GA | |||
| Pipenv | Pipfile.lock | GA | |||
| Poetry | poetry.lock | GA | |||
| Ruby | RubyGems | Gemfile.lock | GA | โ | |
| Rust | Cargoยง | cargo.lock | Lockfile-only | โ | Not applicable due to reachability support level |
| Dart | Pub | pubspec.lock | Lockfile-only | -- | |
| Elixir | Hex | mix.lock | Lockfile-only | -- | |
| PHP | Composer | composer.lock | Lockfile-only | -- | |
| Scala | Maven | Maven-generated dependency tree (See Setting up SSC scans for Apache Maven for instructions.) | Lockfile-only | โ | |
| Swift | SwiftPM | Package.swift file and Swift-generated Package.resolved file. (See Swift documentation for instructions.) | Lockfile-only | โ (License detection for new packages is asynchronous and processed after the initial scan. Policies aren't applied on first detection, but are enforced in subsequent scans.) |
ยง Supply Chain does not analyze the transitivity of packages for these language and lockfile combinations. All dependencies are listed as No Reachability Analysis
Maturity levelsโ
Semgrep Supply Chain has two maturity levels:
- General Availability (GA)
- Beta
Their differences are outlined in the following table:
| Feature | GA | Beta |
| Number of reachability rules | 10+ | 1+ |
| Semgrep, Inc. rule-writing support | Quickly release new rules for all critical and high vulnerabilities based on the latest security advisories. | No commitment for new rules based on the latest security advisories. |
| Semgrep OSS Engine language support | Semgrep OSS Engine support is GA. | Semgrep OSS Engine support is at least Beta. |
- The detailed specifications previously provided apply only to language support. Language maturity levels differ from feature and product maturity levels.
- Semgrep features and products documented as experimental, beta, or GA generally follow the definitions in a Software release life cycle.
Reachability support levelโ
Reachability support level refers to the level of support for reachability analysis for the language. At the minimum, Semgrep Supply Chain uses lockfile-only rules, which compare a package's version against versions with known vulnerabilities.
Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.