- Semgrep Supply Chain
- Semgrep OSS Engine
- Team & Enterprise Tier
Supported languages
This document provides information about supported languages and language maturity definitions for the following products:
- Semgrep OSS Engine
- Semgrep Supply Chain
- Semgrep Pro Engine
Semgrep OSS Engine
Semgrep OSS Engine offers a fast static analysis solution for finding bugs and enforcing code standards.
Language maturity
Semgrep supports 30+ languages.
| GA ✅ | Beta 🐛 | Experimental 🚧 |
|---|---|---|
| C# | Rust | Bash |
| Go | C | |
| Java | C++ | |
| JavaScript | Cairo | |
| JSON | Clojure | |
| JSX | Dart | |
| Kotlin | Dockerfile | |
| PHP | Elixir | |
| Python | HTML | |
| Ruby | Jsonnet | |
| Scala | Julia | |
| Terraform | Lisp | |
| TSX | Lua | |
| TypeScript | OCaml | |
| R | ||
| Scheme | ||
| Solidity | ||
| Swift | ||
| YAML | ||
| XML | ||
| Generic (ERB, Jinja, etc.) |
- Experimental: experimental support with many known bugs.
- Looking for dedicated users to help us improve these languages.
- Expect limited support responses, as these languages will be lowest priority.
- Semgrep Playground and Semgrep Editor support may be limited for these languages.
- Beta: supported language with known bugs.
- Looking for beta users to report bugs and rapidly iterate with our team.
- Expect best-effort support responses when there are no higher priority requests being handled.
- GA: production-level support with few known bugs.
- Looking for bug reports and feedback from users.
- Expect timely and thorough support responses, generally within 24 hours.
Maturity definitions
Language maturity factors
Language maturity is determined by 3 factors in the Semgrep ecosystem:
- Parse rate
- How well Semgrep OSS Engine can parse code in a given language.
- Feature support
- What Semgrep features are implemented for a given language.
- Ruleset count
- Number of Semgrep rule groupings in Semgrep Registry.
Levels of maturity
Semgrep OSS Engine defines 3 maturity levels:
- Experimental
- Experimental languages support the following:
- Syntax
- Ellipsis operator
- Basic metavariable functionality
- Beta
- Beta languages support the following:
- All features supported in Experimental
- Complete metavariable support
- Metavariable equality
- Generally available
- Generally available languages support all advanced features such as the following:
- All features supported in Beta
- Regexp
- Equivalence
- Deep expression operator
- Types and typing
Each of these maturity levels are combined with a threshold of the language maturity factors. When a language meets the maturity threshold for each of the factors, it’s moved into that maturity level.
The following thresholds define each maturity level:
- Experimental
- Parse rate: 90%+
- Rules: 0+
- Features:
concrete_syntaxdeep_exprstmtdots_argsdots_nested_stmtsdots_stmtsdots_stringmetavar_argmetavar_callmetavar_equality_var
- Beta
- Parse rate: 99%+
- Rules: 5+
- Features:
- All items in Experimental
metavar_class_defmetavar_func_defmetavar_condmetavar_equality_exprmetavar_equality_stmtmetavar_importmetavar_stmt
- Generally Available (GA)
- Parse rate: 99.9%+
- Rules: 10+
- Features:
- All items in Beta
deep_expr_operatordots_method_chainingequivalence_constant_propagationequivalence_naming_import(language dependent)metavar_anno(language dependent)metavar_key_valuemetavar_typed(language dependent)metavar_ellipsis_argsregexp_string
Visit the cheat sheet generation script and associated semgrep-core test files to learn more about each feature:
- The detailed specifications given above apply only to language support. Language maturity levels differ from feature and product maturity levels.
- Semgrep features and products documented as experimental, beta, or GA generally follow the definitions in a Software release life cycle.
Language parse rates
Semgrep Supply Chain
Detect recently discovered security vulnerabilities in your codebase's open-source dependencies using Semgrep Supply Chain. Leverage Semgrep's code-scanning capabilities to run high-signal rules that determine a vulnerability's reachability. Semgrep Supply Chain evaluates dependencies based on their version and use in your codebase.
Semgrep Supply Chain parses lockfiles for dependencies, then scans your codebase for reachable findings based on the lockfiles. Some languages, such as Java, have several lockfiles, depending on your repository's package manager. For some languages, such as JavaScript and Python, a manifest file is also parsed.
General Availability
This table provides information about fully supported (generally available or GA) languages, specific package managers, and their lockfiles in Semgrep Supply Chain:
| Language | Supported package managers | Lockfile | Scans transitive dependencies* | Identifies transitive dependencies† | Rule coverage for CVEs/GHSAs‡ |
|---|---|---|---|---|---|
| Go | Go modules (go mod) | go.mod | ✔️ Yes | ✔️ Yes | May 2022 |
| JavaScript / TypeScript | npm (Node.js) | package-lock.json | ✔️ Yes | ✔️ Yes | May 2022 |
| Yarn, Yarn 2, Yarn 3 | yarn.lock | ✔️ Yes | ✔️ Yes | ||
| Python | pip | requirements.txt†† (generated by e.g. pip freeze) | ✔️ Yes | ❌ No | May 2022 |
| pip-tools | requirements.txt | ✔️ Yes | ✔️ Yes | ||
| Pipenv | Pipfile.lock | ✔️ Yes | ✔️ Yes | ||
| Poetry | poetry.lock | ✔️ Yes | ✔️ Yes | ||
| Ruby | RubyGems | Gemfile.lock | ✔️ Yes | ✔️ Yes | May 2022 |
| Java | Gradle | gradle.lockfile | ✔️ Yes | ✔️ Yes | May 2022 |
| Maven | Maven-generated dependency tree (See Setting up SSC scans for Apache Maven for instructions.) | ✔️ Yes | ✔️ Yes |
*Semgrep Supply Chain scans transitive dependencies but does not perform reachability analysis on them.
†Refers to functionality in Semgrep Cloud Platform to indicate through a badge if a package is a transitive or direct dependency. This does not affect reachability analysis for any language.
‡The month and year that Semgrep Supply Chain has begun writing rules to detect vulnerabilities listed in GHSA and the CVE program.
††Semgrep Supply Chain supports requirements.txt when it is used as a lockfile. This means that requirements.txt must be set to exact versions (pinned dependencies) and the file must be generated automatically.
For more information on transitivity, see Transitive dependencies and reachability analysis.
Beta
Semgrep Supply Chain has no languages in Beta status.
Maturity levels
Semgrep Supply Chain has two maturity levels:
- General Availability (GA)
- Beta
Their differences are outlined in the following table:
| Feature | GA | Beta |
| Number of rules | 10+ | 1+ |
| Semgrep, Inc. rule-writing support | Quickly release new rules for all critical and high vulnerabilities based on the latest security advisories. | No commitment for new rules based on the latest security advisories. |
| Semgrep OSS Engine language support | Semgrep OSS Engine support is GA. | Semgrep OSS Engine support is at least Beta. |
Semgrep Pro Engine
Go beyond single file analysis to detect vulnerabilities across files and functions, using Semgrep Pro Engine. By design, Semgrep open-source software (OSS) Engine can only analyze interactions within a single function. This limited scope makes Semgrep OSS fast and easy to integrate into developer workflows. Semgrep Pro Engine gives security teams the option to tradeoff speed for better results and deeper analysis.
Semgrep Pro Engine includes interfile analysis and interprocedural analysis, which finds vulnerabilities that aren't detectable with Semgrep OSS. By analyzing interactions across files and across functions, Semgrep Pro Engine can reduce noise, uncover new vulnerabilities, and make results easier to understand. Build trust with your developers by only showing them high-confidence results that are easy to fix.
Semgrep Pro Engine is a proprietary extension of Semgrep OSS. Just like Semgrep OSS, Semgrep Pro Engine runs on raw source code and it doesn't require compiled code for its analysis.
Semgrep Pro Engine supports the following languages:
| Language | Support level | Analysis type |
|---|---|---|
| All GA supported languages listed in Semgrep OSS Engine | GA | Interprocedural |
| Apex | Experimental | Interprocedural |
| Go | Beta | Interfile |
| Java | Beta | Interfile |
| JavaScript | Beta | Interfile |
| Kotlin | Experimental | Interfile |
| TypeScript | Beta | Interfile |
- To install and run Semgrep Pro Engine, see Semgrep Pro Engine overview for more information.
- All languages that have interfile analysis support by default also provide interprocedural analysis by default. However, languages that provide only interprocedural analysis do not provide interfile analysis.
Known limitations of Semgrep Pro Engine
CommonJS
Currently Semgrep Pro Engine does not handle specific cases of CommmonJS where you define a function and assign it to an export later, Semgrep Pro Engine does not track the code below:
function get_user() {
return get_user_input("example")
}
module.exports = get_user
Regressions in Semgrep Pro
For interfile analysis, Semgrep Pro Engine resolves names differently than Semgrep OSS. Consequently, rules with interfile: true may produce different results than Semgrep OSS Engine. Some instances could be regarded as regressions, if you encounter them please file a bug report. When you need to report a bug in Semgrep Pro Engine, go through support@semgrep.com. You can also contact us through Semgrep Community Slack group.
Find what you needed in this doc? Join the Semgrep Community Slack group to ask the maintainers and the community if you need help.