
Supported languages

This document provides information about supported languages and language maturity definitions for the following products:

  • Semgrep Code
  • Semgrep Supply Chain

Semgrep Code

Secure your code quickly and continuously by scanning with Semgrep Code, our SAST (Static Application Security Testing) product, powered by Semgrep OSS Engine and Semgrep Pro Engine. Semgrep OSS Engine is the open-source foundation of Semgrep, designed for fast code analysis. Semgrep Pro Engine adds advanced analysis (cross-function and cross-file) to catch complex vulnerabilities and reduce false positives. Use Semgrep Code to quickly find and fix vulnerabilities in your code base.

Language maturity

Semgrep Code supports over 30 languages and counting! 🚀

Language    | Semgrep OSS Engine | Semgrep Pro Engine (cross-function) | Semgrep Pro Engine (cross-file)
------------|--------------------|-------------------------------------|--------------------------------
Go          | GA                 | GA                                  | GA
Java        | GA                 | GA                                  | GA
JavaScript  | GA                 | GA                                  | GA
TypeScript  | GA                 | GA                                  | GA
Kotlin      | GA                 | GA                                  | Beta
C#          | GA                 | GA                                  | --
Ruby        | GA                 | GA                                  | --
JSX         | GA                 | GA                                  | --
PHP         | GA                 | GA                                  | --
Python      | GA                 | GA                                  | --
Scala       | GA                 | GA                                  | --
JSON        | GA                 | --                                  | --
Terraform   | GA                 | --                                  | --
Apex        | Pro Engine only    | Beta                                | --
Rust        | GA                 | Experimental                        | --
Generic     | GA                 | --                                  | --
Swift       | Beta               | --                                  | --
Bash        | Experimental       | --                                  | --
C           | Experimental       | --                                  | --
C++         | Experimental       | --                                  | --
Cairo       | Experimental       | --                                  | --
Clojure     | Experimental       | --                                  | --
Dart        | Experimental       | --                                  | --
Dockerfile  | Experimental       | --                                  | --
Elixir      | Experimental       | --                                  | --
HTML        | Experimental       | --                                  | --
Jsonnet     | Experimental       | --                                  | --
Julia       | Experimental       | --                                  | --
Lisp        | Experimental       | --                                  | --
Lua         | Experimental       | --                                  | --
OCaml       | Experimental       | --                                  | --
R           | Experimental       | --                                  | --
Scheme      | Experimental       | --                                  | --
Solidity    | Experimental       | --                                  | --
YAML        | Experimental       | --                                  | --
XML         | Experimental       | --                                  | --

If you'd like to request a language not shown here, please create an issue on the Semgrep GitHub repo.

Maturity levels

Language maturity factors (Pro Engine)

Semgrep Pro Engine has two maturity levels:

  • Generally available (GA)
  • Beta

Generally Available: Receives highest quality support from the Semgrep team. Reported issues are resolved promptly and timelines for fixes are communicated to customers within 2 weeks.

Beta: Supported by the Semgrep team. Reported issues are tracked and prioritized to be fixed after GA languages.

Language maturity factors (OSS Engine)

Semgrep OSS Engine has three maturity levels:

  • Generally available (GA)
  • Beta
  • Experimental

Their differences are outlined in the following table:

Feature         | GA   | Beta | Experimental
----------------|------|------|-------------
Parse rate      | 99%+ | 95%+ | 90%+
Number of rules | 10+  | 5+   | 0+

Semgrep syntax supported at each level:

  • Experimental: syntax, ellipsis operator, basic metavariable functionality.
  • Beta: complete metavariable support and metavariable equality, plus all features supported in Experimental.
  • GA: regexp, equivalence, deep expression operators, types and typing, plus all features supported in Beta.

More information

Visit the cheat sheet generation script and the associated semgrep-core test files to learn more about each feature.

Visit the Semgrep public language dashboard to see the parse rate for each language.

Semgrep Supply Chain

Detect recently discovered security vulnerabilities in your codebase's open-source dependencies using Semgrep Supply Chain. Leverage Semgrep's code-scanning capabilities to run high-signal rules that determine a vulnerability's reachability. Semgrep Supply Chain evaluates dependencies based on their version and use in your codebase.

Semgrep Supply Chain parses lockfiles to enumerate dependencies, then scans your codebase for reachable findings based on those lockfiles. Some languages, such as Java, have several possible lockfiles, depending on the package manager your repository uses. For some languages, such as JavaScript and Python, a manifest file is also parsed.

Language                | Supported package managers | Lockfile                                                                                   | Reachability support level‡ | Time period of rule coverage for CVEs/GHSAs
------------------------|----------------------------|--------------------------------------------------------------------------------------------|-----------------------------|--------------------------------------------
Go                      | Go modules (go mod)        | go.mod                                                                                     | GA                          | Since May 2022
JavaScript / TypeScript | npm (Node.js)              | package-lock.json                                                                          | GA                          |
                        | Yarn, Yarn 2, Yarn 3       | yarn.lock                                                                                  | GA                          |
                        | pnpm                       | pnpm-lock.yaml                                                                             | GA                          |
Python                  | pip                        | requirements.txt†† (generated by e.g. pip freeze)                                          | GA                          |
                        | pip-tools                  | requirements.txt                                                                           | GA                          |
                        | Pipenv                     | Pipfile.lock                                                                               | GA                          |
                        | Poetry                     | poetry.lock                                                                                | GA                          |
Ruby                    | RubyGems                   | Gemfile.lock                                                                               | GA                          |
Java                    | Gradle                     | gradle.lockfile                                                                            | GA                          |
                        | Maven                      | Maven-generated dependency tree (see Setting up SSC scans for Apache Maven for instructions) | GA                          |
C#                      | NuGet                      | packages.lock.json                                                                         | Beta                        |
Rust                    | Cargo                      | Cargo.lock                                                                                 | Lockfile-only               |
PHP                     | Composer                   | composer.lock                                                                              | Lockfile-only               |

*Semgrep Supply Chain scans transitive dependencies for all supported languages but does not perform reachability analysis on transitive dependencies.
‡Reachability support level refers to the level of support for reachability analysis for the language. At the minimum, Semgrep Supply Chain uses lockfile-only rules, which check a package's version against versions with known vulnerabilities.
††Semgrep Supply Chain supports requirements.txt when it is used as a lockfile. This means that requirements.txt must be set to exact versions (pinned dependencies) and the file must be generated automatically.
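The two matching levels described above, as an added example that is not Semgrep Supply Chain code: a pinned requirements.txt is parsed, each pin is compared against an advisory's fixed version (the lockfile-only check), and Python's ast module decides whether the vulnerable function is actually imported and called in the scanned source (the reachability check). The package toyhttp, its advisory and the sample source files are all constructed for illustration; lines that are not exact `==` pins are rejected, because the †† footnote only admits requirements.txt when it is used as a lockfile.

```python
"""Toy model of lockfile-only matching followed by a reachability check.

Added example, not Semgrep Supply Chain code. The advisory, the package
names and the scanned source files below are constructed for illustration.
"""
import ast
import re

# Constructed advisory: "toyhttp" before 2.3.1 ships a vulnerable fetch() helper.
ADVISORIES = [
    {"package": "toyhttp", "fixed_in": (2, 3, 1), "module": "toyhttp", "function": "fetch"},
]

# Only exact pins count: name==version, as pip freeze emits them.
PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([0-9][0-9A-Za-z.]*)$")


def parse_pinned_requirements(text):
    """Return {normalized_name: version} for a requirements.txt used as a lockfile.
    Any requirement that is not an exact '==' pin raises ValueError."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line or line.startswith("-"):  # skip blank lines and pip options
            continue
        match = PIN.match(line)
        if not match:
            raise ValueError(f"not an exact pin: {line!r}")
        pins[match.group(1).lower().replace("_", "-")] = match.group(2)
    return pins


def is_pinned_lockfile(text):
    """True when every requirement in the file is an exact pin."""
    try:
        parse_pinned_requirements(text)
        return True
    except ValueError:
        return False


def parse_version(version):
    """Numeric dotted versions only, enough for the constructed sample."""
    return tuple(int(part) for part in version.split("."))


def lockfile_only_findings(pins):
    """Level 1: the pinned version falls inside the advisory's vulnerable range."""
    return [adv for adv in ADVISORIES
            if adv["package"] in pins
            and parse_version(pins[adv["package"]]) < adv["fixed_in"]]


def calls_in_source(source, module, function):
    """Line numbers where module.function is called, whether the code used
    `import module [as alias]` or `from module import function [as alias]`."""
    tree = ast.parse(source)
    module_names, function_names = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == module:
                    module_names.add(alias.asname or alias.name)
        elif isinstance(node, ast.ImportFrom) and node.module == module:
            for alias in node.names:
                if alias.name == function:
                    function_names.add(alias.asname or alias.name)
    lines = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        callee = node.func
        if isinstance(callee, ast.Name) and callee.id in function_names:
            lines.append(node.lineno)
        elif (isinstance(callee, ast.Attribute) and callee.attr == function
              and isinstance(callee.value, ast.Name) and callee.value.id in module_names):
            lines.append(node.lineno)
    return sorted(lines)


def reachable_findings(pins, source):
    """Level 2: keep only lockfile-only hits whose vulnerable function is called."""
    out = []
    for adv in lockfile_only_findings(pins):
        lines = calls_in_source(source, adv["module"], adv["function"])
        if lines:
            out.append((adv["package"], lines))
    return out


# Constructed inputs.
PINNED_REQUIREMENTS = "# as emitted by pip freeze\ntoyjson==1.0.4\ntoyhttp==2.3.0\n"
UNPINNED_REQUIREMENTS = "toyhttp>=2.0\n"   # a manifest range, not a lockfile
APP_CALLING_FETCH = "import toyhttp as th\n\ndef load(url):\n    return th.fetch(url)\n"
APP_NOT_CALLING_FETCH = "import toyhttp\n\ndef version():\n    return toyhttp.__version__\n"

if __name__ == "__main__":
    pins = parse_pinned_requirements(PINNED_REQUIREMENTS)
    print("lockfile-only:", [a["package"] for a in lockfile_only_findings(pins)])
    print("reachable in app 1:", reachable_findings(pins, APP_CALLING_FETCH))
    print("reachable in app 2:", reachable_findings(pins, APP_NOT_CALLING_FETCH))
    print("unpinned file accepted as lockfile?", is_pinned_lockfile(UNPINNED_REQUIREMENTS))
```

Both sample applications pin the vulnerable toyhttp 2.3.0, so both produce a lockfile-only finding; only the first one calls fetch() and therefore produces a reachable finding. The unpinned manifest is rejected outright rather than guessed at, which is the behaviour the †† footnote describes.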

info
  • Semgrep ingests CVEs and security advisories from sources such as GitHub Security Advisory to ensure effective rule coverage.
  • Semgrep, Inc. processes new CVEs and security advisories at least daily to perform the following:
    • Generation of new rules for new security advisories.
    • Updating of rules based on changes to prior security advisories.

Transitivity support

For more information on transitivity, see Transitive dependencies and reachability analysis.

Maturity levels

Semgrep Supply Chain has two maturity levels:

  • General Availability (GA)
  • Beta

Their differences are outlined in the following table:

Feature                             | GA                                                                                                         | Beta
------------------------------------|------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------
Number of reachability rules        | 10+                                                                                                        | 1+
Semgrep, Inc. rule-writing support  | Quickly release new rules for all critical and high vulnerabilities based on the latest security advisories. | No commitment for new rules based on the latest security advisories.
Semgrep OSS Engine language support | Semgrep OSS Engine support is GA.                                                                          | Semgrep OSS Engine support is at least Beta.

Feature and product maturity levels
  • The detailed specifications previously provided apply only to language support. Language maturity levels differ from feature and product maturity levels.
  • Semgrep features and products documented as experimental, beta, or GA generally follow the definitions in a Software release life cycle.

Known limitations of Semgrep Pro Engine

CommonJS

Currently Semgrep Pro Engine does not handle the CommonJS pattern in which a function is defined first and assigned to an export later. Semgrep Pro Engine does not track the function in the code below:

    // The export is assigned after the definition; Pro Engine does not
    // follow get_user into the modules that require() this file.
    function get_user() {
      return get_user_input("example");
    }

    module.exports = get_user;

Regressions in Semgrep Pro

For cross-file (interfile) analysis, Semgrep Pro Engine resolves names differently from Semgrep OSS Engine. Consequently, rules with interfile: true may produce different results than they do under Semgrep OSS Engine. Some of these differences could be regarded as regressions; if you encounter one, file a bug report for Semgrep Pro Engine through support@semgrep.com. You can also contact us through the Semgrep Community Slack group.
