This document provides information about supported languages and language maturity definitions for the following products:
- Semgrep Supply Chain
Semgrep is a fast, open source, static analysis engine for finding bugs and enforcing code standards.
Semgrep supports 30+ languages.
| GA ✅ | Beta 🐛 | Experimental 🚧 |
|---|---|---|

Generic (ERB, Jinja, etc.)
- Experimental: experimental support with many known bugs.
  - Looking for dedicated users to help us improve these languages.
  - Expect limited support responses, as these languages will be lowest priority.
- Beta: supported language with known bugs.
  - Looking for beta users to report bugs and rapidly iterate with our team.
  - Expect best-effort support responses when there are no higher priority requests being handled.
- GA: production-level support with few known bugs.
  - Looking for bug reports and feedback from users.
  - Expect timely and thorough support responses, generally within 24 hours.
Language maturity factors
Language maturity is determined by three factors in the Semgrep ecosystem:
- Parse rate: how well Semgrep can parse code in a given language.
- Feature support: which Semgrep features are implemented for a given language.
- Ruleset count: the number of Semgrep rule groupings in the Semgrep Registry.
Levels of maturity
Semgrep defines three maturity levels:
- Experimental languages support the following:
  - Ellipsis operator
  - Basic metavariable functionality
- Beta languages support the following:
  - All features supported in Experimental
  - Complete metavariable support
  - Metavariable equality
- Generally available languages support all advanced features, such as the following:
  - All features supported in Beta
  - Deep expression operator
  - Types and typing
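As an added illustration (not a rule from the Semgrep documentation or the Semgrep Registry), the following rule, written for Python, a GA language, uses one feature from each tier: the ellipsis operator and a basic metavariable, metavariable equality, and the deep expression operator. The rule id, message, and the `request.$SOURCE.get(...)` source pattern are this example's own choices.

```yaml
rules:
  - id: request-data-reaches-eval
    languages: [python]
    severity: ERROR
    message: >-
      Request data bound to $DATA reaches eval(). Parse untrusted input with a
      safe parser (for example ast.literal_eval) or remove the eval() call.
    patterns:
      # Experimental tier: the ellipsis "..." matches any remaining arguments,
      # and the basic metavariable $DATA captures the first argument.
      - pattern: eval($DATA, ...)
      # Beta tier: reusing the name $DATA on both lines is metavariable
      # equality, so only the variable that is actually passed to eval()
      # can satisfy this pattern; "..." between statements skips any code.
      # GA tier: the deep expression operator <... e ...> matches any
      # expression that contains the request lookup, however it is wrapped
      # (concatenated, formatted, or passed through another call).
      - pattern-inside: |
          $DATA = <... request.$SOURCE.get(...) ...>
          ...
          eval($DATA, ...)
```

Without the deep expression operator, `$DATA = request.$SOURCE.get(...)` would match only a direct assignment and miss `data = "x=" + request.args.get("x")`.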
Each of these maturity levels is combined with a threshold for each of the language maturity factors. When a language meets the threshold for every factor, it is moved into that maturity level.
The following thresholds define each maturity level:
- Experimental
  - Parse rate: 90%+
  - Rules: 0+
- Beta
  - Parse rate: 99%+
  - Rules: 5+
  - All items in Experimental
- Generally Available (GA)
  - Parse rate: 99.9%+
  - Rules: 10+
  - All items in Beta
Visit the cheat sheet generation script and associated semgrep-core test files to learn more about each feature:
- The detailed specifications given above apply only to language support. Language maturity levels differ from feature and product maturity levels.
- Semgrep features and products documented as experimental, beta, or GA generally follow the definitions in a Software release life cycle.
Language parse rates
Semgrep Supply Chain
Detect recently discovered security vulnerabilities in your codebase's open-source dependencies using Semgrep Supply Chain. Leverage Semgrep's code-scanning capabilities to run high-signal rules that determine a vulnerability's reachability. Semgrep Supply Chain evaluates dependencies based on their version and use in your codebase.
This table provides information about fully supported (generally available or GA) languages, specific package managers, and their lockfiles in Semgrep Supply Chain:
| Language | Supported package managers | Lockfile | Scans transitive dependencies* | Identifies transitive dependencies |
|---|---|---|---|---|
| Go | Go modules | | ✔️ Yes | ❌ No |
| | Yarn, Yarn 2, Yarn 3 | | ✔️ Yes | ✔️ Yes |
| Python | pip | requirements.txt† | ✔️ Yes | ✔️ Yes |
| | | | ✔️ Yes | ✔️ Yes |
| Python | Poetry | | ✔️ Yes | ✔️ Yes |
| Ruby | RubyGems | | ✔️ Yes | ✔️ Yes |
*Semgrep Supply Chain scans transitive dependencies but does not perform reachability analysis on them.
†Semgrep Supply Chain supports requirements.txt when it is used as a lockfile. This means that requirements.txt must be set to exact versions (pinned dependencies) and the file is generated automatically.
For more information on transitivity, see Transitive dependencies and reachability analysis.
This table provides information about the beta level of support for languages, specific package managers, and their lockfiles in Semgrep Supply Chain:
| Language | Supported package managers | Lockfile | Scans transitive dependencies | Identifies transitive dependencies |
|---|---|---|---|---|
| Java | Gradle | | ✔️ Yes | ✔️ Yes |
| Java | Maven | Maven-generated dependency tree* | ✔️ Yes | ✔️ Yes |
*Semgrep Supply Chain requires a Maven-generated dependency tree. See Setting up SSC scans for Apache Maven for instructions to generate a dependency tree.
Semgrep Supply Chain has two maturity levels:
- General Availability (GA)
- Beta
Their differences are outlined in the following table:

| | GA | Beta |
|---|---|---|
| Number of rules | 10+ | 1+ |
| r2c rule-writing support | Quickly release new rules for all critical and high vulnerabilities based on the latest security advisories. | No commitment for new rules based on the latest security advisories. |
| Semgrep engine language support | Semgrep engine support is GA. | Semgrep engine support is at least Beta. |
Improve your scan results for entire codebases with interfile analysis using DeepSemgrep instead of Semgrep's regular intrafile (within-a-single-file) approach. DeepSemgrep lets you scan whole repositories that use object-oriented paradigms with classes spread across different files to find vulnerabilities in your code. DeepSemgrep is a proprietary extension of the free and open source Semgrep engine that leverages global analysis and uses the same rules as Semgrep.
DeepSemgrep offers beta support for the following languages: