Skip to main content

Supported languages

This document provides information about supported languages and language maturity definitions for the following products:

  • Semgrep Code
  • Semgrep Community Edition (CE)
  • Semgrep Supply Chain

Semgrep Code and Community Edition

Semgrep CE is a fast, lightweight program analysis tool that can help you detect bugs in your code. It makes use of Semgrep's LGPL 2.1 open source engine. These languages are supported by the Semgrep community, at best effort.

Semgrep Code is a static application security testing (SAST) solution designed to detect complex security vulnerabilities. It makes use of proprietary Semgrep analyses, such as cross-file (interfile) dataflow analysis and framework specific analyses, in addition to Semgrep CE. This results in a higher true positive rate than Semgrep CE. Semgrep Code provides the highest quality support by the Semgrep team: reported issues are resolved promptly.

Use either tool to scan local code or integrate it into your CI/CD pipeline to automate the continuous scanning of your repositories.

Language support

Semgrep Code supports over 35 languages.

Languages🚀 Semgrep Code: Free for small teams🌱 Semgrep CE
C / C++✅ Generally available
• Cross-file dataflow analysis
• 150+ Pro rules
Community supported
• Limited to single-function analysis
• Community rules
C#✅ Generally available
• Cross-file dataflow analysis
• Supports up to C# 13 (latest)
• 40+ Pro rules
Community supported
• Limited to single-function analysis
• Community rules
• Supports up to C# 7.0
Go✅ Generally available
• Cross-file dataflow analysis
• 60+ Pro rules
Community supported
• Limited to single-function analysis
• Community rules
Java✅ Generally available
• Cross-file dataflow analysis
• Framework-specific control flow analysis
• 160+ Pro rules
JavaScript✅ Generally available
• Cross-file dataflow analysis
• Framework-specific control flow analysis
• 70+ Pro rules
Kotlin✅ Generally available
• Cross-file dataflow analysis
• 60+ Pro rules
Python✅ Generally available
• Cross-file dataflow analysis
• Framework-specific control flow analysis
• 300+ Pro rules
• See Python-specific support details
Typescript✅ Generally available
• Cross-file dataflow analysis
• Framework-specific control flow analysis
• 70+ Pro rules
Ruby✅ Generally available
• Cross-function dataflow analysis
• 20+ Pro rules
Rust✅ Generally available
• Cross-function dataflow analysis
• 40+ Pro rules
JSX✅ Generally available
• Cross-function dataflow analysis
• 70+ Pro rules
PHP✅ Generally available
• Cross-function dataflow analysis
• 20+ Pro rules
Scala✅ Generally available
• Cross-function dataflow analysis
• Community rules
Swift✅ Generally available
• Cross-function dataflow analysis
• 50+ Pro rules
Terraform✅ Generally available
• Cross-function dataflow analysis
• Community rules
Generic✅ Generally available Community supported
JSON✅ Generally available
APEXBetaNot available
ElixirBeta
Click to view experimental languages.
  • Bash
  • Cairo
  • Circom
  • Clojure
  • Dart
  • Dockerfile
  • Hack
  • HTML
  • Jsonnet
  • Julia
  • Lisp
  • Lua
  • Move on Aptos
  • Move on Sui
  • OCaml
  • R
  • Scheme
  • Solidity
  • YAML
  • XML

Language maturity levels

Semgrep Code languages can be classified into four maturity levels:

  • Generally available (GA)
  • Beta
  • Experimental
  • Community supported*

*Community supported languages meet the parse rate and syntax requirements of Experimental languages. Users can still access community rules or write their own rules.

Their differences are outlined in the following table:

FeatureGABetaExperimentalCommunity supported
SupportHighest quality support by the Semgrep team. Reported issues are resolved promptly.Supported by the Semgrep team. Reported issues are fixed after GA languages.There are limitations to this language's functionality. Reported issues are tracked and prioritized with best effort.These languages are supported by the Semgrep community. While Semgrep may develop rules or engine updates for these languages, they are not prioritized.
Parse Rate99%+95%+90%+
Number of Pro rules10+5+0+. Query the Registry to see if any rules exist for your language.
Semgrep syntaxRegex, equivalence, deep expression operators, types and typing. All features supported in Beta.Complete metavariable support, metavariable equality. All features supported in Experimental.Syntax, ellipsis operator, basic metavariable functionality.

More information

Visit the cheat sheet generation script and associated semgrep-core test files to learn more about each feature:

Visit the Semgrep public language dashboard to see the parse rates for each language

Semgrep Supply Chain

Semgrep Supply Chain is a software composition analysis (SCA) tool that detects security vulnerabilities in your codebase introduced by open source dependencies. It can also:

  • Generate a software bill of materials (SBOM) that provides a complete inventory of your open source components
  • Query for information about your dependencies
  • Support the enforcement of your business' open source package licensing requirements

For projects with lockfiles, Semgrep parses lockfiles for dependencies, then scans your codebase for reachable findings based on the lockfiles. Some languages, such as Java, have several supported lockfiles, depending on your repository's package manager. For a lockfile to be scanned by Semgrep Supply Chain, it must have one of the supported lockfile names.

For some languages, such as JavaScript and Python, a manifest file is also parsed to determine transitivity. For more information on transitivity, see Transitive dependencies and reachability analysis.

Additionally, Semgrep offers beta support for the scanning of Java projects without lockfiles if they're built using Maven or Gradle with the help of the Gradle Wrapper.

LanguageSupported package managersLockfileReachability support levelLicense detection supportPeriod of reachability rule coverage for CVEs/GHSAs
C#NuGetpackages.lock.jsonGA80% of all critical severity CVEs since 2017 and 100% of critical and high severity CVEs since May 2022
GoGo modules (go mod)go.modGA
JavaGradlegradle.lockfileGA
MavenMaven-generated dependency tree (See Setting up SSC scans for Apache Maven for instructions.)GA
JavaScript or TypeScriptnpm (Node.js)package-lock.jsonGA
Yarn, Yarn 2, Yarn 3yarn.lockGA
pnpmpnpm-lock.yamlGA
KotlinGradlegradle.lockfileGA
MavenMaven-generated dependency tree (See Setting up SSC scans for Apache Maven for instructions.)GA
PythonpipAny of the following:
  • *requirement*.txt file
  • Any lockfile in a requirements folder, such as **/requirements/*.txt
  • requirements.pip
The file must be generated automatically and have values set to exact versions (pinned dependencies).
GA✅ (PyPI packages only)
pip-toolsGA
PipenvPipfile.lockGA
Poetrypoetry.lockGA
RubyRubyGemsGemfile.lockGA
ScalaMavenMaven-generated dependency tree (See Setting up SSC scans for Apache Maven for instructions.)GA
SwiftSwiftPMPackage.swift file and Swift-generated Package.resolved file. (See Swift documentation for instructions.)GA✅ (License detection for new packages is asynchronous and processed after the initial scan. Policies aren't applied on first detection, but are enforced in subsequent scans.)
RustCargo*cargo.lock--Not applicable due to reachability support level
DartPubpubspec.lock----
ElixirHexmix.lock----
PHPComposercomposer.lock----

*Supply Chain does not analyze the transitivity of packages for these language and lockfile combinations. All dependencies are listed as No Reachability Analysis.

Maturity levels

Semgrep Supply Chain has two maturity levels:

  • Generally available
  • Beta

Their differences are outlined in the following table:

FeatureGenerally availableBeta
Number of reachability rules10+1+
Semgrep, Inc. rule-writing supportQuickly release new rules for all critical and high vulnerabilities based on the latest security advisories.No commitment for new rules based on the latest security advisories.
Semgrep CE language supportSemgrep CE support is GA.Semgrep CE support is at least Beta.
Feature and product maturity levels
  • The detailed specifications previously provided apply only to language support. Language maturity levels differ from feature and product maturity levels.
  • Semgrep features and products documented as experimental, beta, or GA generally follow the definitions in a Software release life cycle.

Reachability support level

Reachability support level refers to the level of support for reachability analysis for the language. At the minimum, Semgrep Supply Chain compares a package's version against a list of versions with known vulnerabilities


Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.