- Semgrep Supply Chain
- Semgrep
- Community Tier
- Team & Enterprise Tier
Supported languages
This document provides information about supported languages and language maturity definitions for the following products:
- Semgrep
- Semgrep Supply Chain
- DeepSemgrep
Semgrep
Semgrep is a fast, open source, static analysis engine for finding bugs and enforcing code standards.
Language maturity
Semgrep supports 30+ languages.
GA ✅ | Beta 🐛 | Experimental 🚧 |
---|---|---|
C# | Kotlin | Bash |
Go | C | |
Java | C++ | |
JavaScript | Clojure | |
JSON | Dart | |
JSX | Dockerfile | |
PHP | Elixir | |
Python | HTML | |
Ruby | Jsonnet | |
Scala | Lisp | |
Terraform | Lua | |
TSX | OCaml | |
TypeScript | R | |
Rust | ||
Scheme | ||
Solidity | ||
Swift | ||
YAML | ||
XML | ||
Generic (ERB, Jinja, etc.) |
- Experimental: experimental support with many known bugs.
- Looking for dedicated users to help us improve these languages.
- Expect limited support responses, as these languages will be lowest priority.
- Beta: supported language with known bugs.
- Looking for beta users to report bugs and rapidly iterate with our team.
- Expect best-effort support responses when there are no higher priority requests being handled.
- GA: production-level support with few known bugs.
- Looking for bug reports and feedback from users.
- Expect timely and thorough support responses, generally within 24 hours.
Maturity definitions
Language maturity factors
Language maturity is determined by 3 factors in the Semgrep ecosystem:
- Parse rate
- How well Semgrep can parse code in a given language.
- Feature support
- What Semgrep features are implemented for a given language.
- Ruleset count
- Number of Semgrep rule groupings in Semgrep Registry.
Levels of maturity
Semgrep defines 3 maturity levels:
- Experimental
- Experimental languages support the following:
- Syntax
- Ellipsis operator
- Basic metavariable functionality
- Beta
- Beta languages support the following:
- All features supported in Experimental
- Complete metavariable support
- Metavariable equality
- Generally available
- Generally available languages support all advanced features such as the following:
- All features supported in Beta
- Regexp
- Equivalence
- Deep expression operator
- Types and typing
Each of these maturity levels are combined with a threshold of the language maturity factors. When a language meets the maturity threshold for each of the factors, it’s moved into that maturity level.
The following thresholds define each maturity level:
- Experimental
- Parse rate: 90%+
- Rules: 0+
- Features:
concrete_syntax
deep_exprstmt
dots_args
dots_nested_stmts
dots_stmts
dots_string
metavar_arg
metavar_call
metavar_equality_var
- Beta
- Parse rate: 99%+
- Rules: 5+
- Features:
- All items in Experimental
metavar_class_def
metavar_func_def
metavar_cond
metavar_equality_expr
metavar_equality_stmt
metavar_import
metavar_stmt
- Generally Available (GA)
- Parse rate: 99.9%+
- Rules: 10+
- Features:
- All items in Beta
deep_expr_operator
dots_method_chaining
equivalence_constant_propagation
equivalence_naming_import
(language dependent)metavar_anno
(language dependent)metavar_key_value
metavar_typed
(language dependent)metavar_ellipsis_args
regexp_string
Visit the cheat sheet generation script and associated semgrep-core test files to learn more about each feature:
- The detailed specifications given above apply only to language support. Language maturity levels differ from feature and product maturity levels.
- Semgrep features and products documented as experimental, beta, or GA generally follow the definitions in a Software release life cycle.
Language parse rates
Semgrep Supply Chain
Detect recently discovered security vulnerabilities in your codebase's open-source dependencies using Semgrep Supply Chain. Leverage Semgrep's code-scanning capabilities to run high-signal rules that determine a vulnerability's reachability. Semgrep Supply Chain evaluates dependencies based on their version and use in your codebase.
Semgrep Supply Chain parses lockfiles for dependencies, then scans your codebase for reachable findings based on the lockfiles. Some languages, such as Java, have several lockfiles, depending on your repository's package manager. For some languages, such as JavaScript and Python, a manifest file is also parsed.
General Availability
This table provides information about fully supported (generally available or GA) languages, specific package managers, and their lockfiles in Semgrep Supply Chain:
Language | Supported package managers | Lockfile | Scans transitive dependencies* | Identifies transitive dependencies |
---|---|---|---|---|
Go | Go modules (go mod ) | go.sum | ✔️ Yes | ❌ No |
JavaScript / TypeScript | npm (Node.js) | package-lock.json | ✔️ Yes | ✔️ Yes |
Yarn, Yarn 2, Yarn 3 | yarn.lock | ✔️ Yes | ✔️ Yes | |
Python | pip | Pipfile.lock (generated by pipenv ) | ✔️ Yes | ✔️ Yes |
requirements.txt †, requirements.in (generated by pip-tools , pipreqs , and so on). | ✔️ Yes | ✔️ Yes | ||
Poetry | poetry.lock | ✔️ Yes | ✔️ Yes | |
Ruby | RubyGems | Gemfile.lock | ✔️ Yes | ✔️ Yes |
*Semgrep Supply Chain scans transitive dependencies but does not perform reachability analysis on them.
†Semgrep Supply Chain supports requirements.txt
when it is used as a lockfile. This means that requirements.txt
must be set to exact versions (pinned dependencies) and the file is generated automatically.
For more information on transitivity, see Transitive dependencies and reachability analysis.
Beta
This table provides information about the beta level of support for languages, specific package managers, and their lockfiles in Semgrep Supply Chain:
Language | Supported package managers | Lockfile | Scans transitive dependencies | Identifies transitive dependencies |
---|---|---|---|---|
Java | Gradle | gradle.lockfile | ✔️ Yes | ✔️ Yes |
Maven | Maven-generated dependency tree* | ✔️ Yes | ✔️ Yes |
*Semgrep Supply Chain requires a Maven-generated dependency tree. See Setting up SSC scans for Apache Maven for instructions to generate a dependency tree.
Maturity levels
Semgrep Supply Chain has two maturity levels:
- General Availability (GA)
- Beta
Their differences are outlined in the following table:
Feature | GA | Beta |
Number of rules | 10+ | 1+ |
r2c rule-writing support | Quickly release new rules for all critical and high vulnerabilities based on the latest security advisories. | No commitment for new rules based on the latest security advisories. |
Semgrep engine language support | Semgrep engine support is GA. | Semgrep engine support is at least Beta. |
DeepSemgrep
Improve your scan results for entire codebases with interfile coding paradigms using DeepSemgrep instead of Semgrep's regular intrafile (within-a-single-file) approach. DeepSemgrep empowers you to easily scan whole repositories that have object-oriented programming paradigms with classes in different files to find vulnerabilities in your code. DeepSemgrep is a proprietary extension of free and open source Semgrep which leverages global analysis tools, and uses the same rules as Semgrep.
Beta support
DeepSemgrep offers beta support for the following languages:
- Java
- JavaScript
- TypeScript
Find what you needed in this doc? Join the Semgrep Community Slack group to ask the maintainers and the community if you need help.