Skip to main content
  • Semgrep Supply Chain
  • Semgrep
  • Community Tier
  • Team & Enterprise Tier

Supported languages

This document provides information about supported languages and language maturity definitions for the following products:

  • Semgrep
  • Semgrep Supply Chain
  • DeepSemgrep

Semgrep​

Semgrep is a fast, open source, static analysis engine for finding bugs and enforcing code standards.

Language maturity​

Semgrep supports 30+ languages.

GA ✅Beta 🐛Experimental 🚧
C#KotlinBash
GoC
JavaC++
JavaScriptClojure
JSONDart
JSXDockerfile
PHPElixir
PythonHTML
RubyJsonnet
ScalaLisp
TerraformLua
TSXOCaml
TypeScriptR
Rust
Scheme
Solidity
Swift
YAML
XML
Generic (ERB, Jinja, etc.)
  • Experimental: experimental support with many known bugs.
    • Looking for dedicated users to help us improve these languages.
    • Expect limited support responses, as these languages will be lowest priority.
  • Beta: supported language with known bugs.
    • Looking for beta users to report bugs and rapidly iterate with our team.
    • Expect best-effort support responses when there are no higher priority requests being handled.
  • GA: production-level support with few known bugs.
    • Looking for bug reports and feedback from users.
    • Expect timely and thorough support responses, generally within 24 hours.

Maturity definitions​

Language maturity factors​

Language maturity is determined by 3 factors in the Semgrep ecosystem:

Parse rate
How well Semgrep can parse code in a given language.
Feature support
What Semgrep features are implemented for a given language.
Ruleset count
Number of Semgrep rule groupings in Semgrep Registry.

Levels of maturity​

Semgrep defines 3 maturity levels:

Experimental
Experimental languages support the following:
  • Syntax
  • Ellipsis operator
  • Basic metavariable functionality
Beta
Beta languages support the following:
  • All features supported in Experimental
  • Complete metavariable support
  • Metavariable equality
Generally available
Generally available languages support all advanced features such as the following:
  • All features supported in Beta
  • Regexp
  • Equivalence
  • Deep expression operator
  • Types and typing

Each of these maturity levels are combined with a threshold of the language maturity factors. When a language meets the maturity threshold for each of the factors, it’s moved into that maturity level.

The following thresholds define each maturity level:

  • Experimental
    • Parse rate: 90%+
    • Rules: 0+
    • Features:
      • concrete_syntax
      • deep_exprstmt
      • dots_args
      • dots_nested_stmts
      • dots_stmts
      • dots_string
      • metavar_arg
      • metavar_call
      • metavar_equality_var
  • Beta
    • Parse rate: 99%+
    • Rules: 5+
    • Features:
      • All items in Experimental
      • metavar_class_def
      • metavar_func_def
      • metavar_cond
      • metavar_equality_expr
      • metavar_equality_stmt
      • metavar_import
      • metavar_stmt
  • Generally Available (GA)
    • Parse rate: 99.9%+
    • Rules: 10+
    • Features:
      • All items in Beta
      • deep_expr_operator
      • dots_method_chaining
      • equivalence_constant_propagation
      • equivalence_naming_import (language dependent)
      • metavar_anno (language dependent)
      • metavar_key_value
      • metavar_typed (language dependent)
      • metavar_ellipsis_args
      • regexp_string

Visit the cheat sheet generation script and associated semgrep-core test files to learn more about each feature:

Feature and product maturity levels
  • The detailed specifications given above apply only to language support. Language maturity levels differ from feature and product maturity levels.
  • Semgrep features and products documented as experimental, beta, or GA generally follow the definitions in a Software release life cycle.

Language parse rates​

See Parse rates by language.

Semgrep Supply Chain​

Detect recently discovered security vulnerabilities in your codebase's open-source dependencies using Semgrep Supply Chain. Leverage Semgrep's code-scanning capabilities to run high-signal rules that determine a vulnerability's reachability. Semgrep Supply Chain evaluates dependencies based on their version and use in your codebase.

Semgrep Supply Chain parses lockfiles for dependencies, then scans your codebase for reachable findings based on the lockfiles. Some languages, such as Java, have several lockfiles, depending on your repository's package manager. For some languages, such as JavaScript and Python, a manifest file is also parsed.

General Availability​

This table provides information about fully supported (generally available or GA) languages, specific package managers, and their lockfiles in Semgrep Supply Chain:

LanguageSupported package managersLockfileScans transitive dependencies*Identifies transitive dependencies
GoGo modules (go mod)go.sum✔️ Yes❌ No
JavaScript / TypeScriptnpm (Node.js)package-lock.json✔️ Yes✔️ Yes
Yarn, Yarn 2, Yarn 3yarn.lock✔️ Yes✔️ Yes
PythonpipPipfile.lock (generated by pipenv)✔️ Yes✔️ Yes
requirements.txt†, requirements.in (generated by pip-tools, pipreqs, and so on).✔️ Yes✔️ Yes
Poetrypoetry.lock✔️ Yes✔️ Yes
RubyRubyGemsGemfile.lock✔️ Yes✔️ Yes

*Semgrep Supply Chain scans transitive dependencies but does not perform reachability analysis on them.
†Semgrep Supply Chain supports requirements.txt when it is used as a lockfile. This means that requirements.txt must be set to exact versions (pinned dependencies) and the file is generated automatically.

Transitivity support

For more information on transitivity, see Transitive dependencies and reachability analysis.

Beta​

This table provides information about the beta level of support for languages, specific package managers, and their lockfiles in Semgrep Supply Chain:

LanguageSupported package managersLockfileScans transitive dependenciesIdentifies transitive dependencies
JavaGradlegradle.lockfile✔️ Yes✔️ Yes
MavenMaven-generated dependency tree*✔️ Yes✔️ Yes

*Semgrep Supply Chain requires a Maven-generated dependency tree. See Setting up SSC scans for Apache Maven for instructions to generate a dependency tree.

Maturity levels​

Semgrep Supply Chain has two maturity levels:

  • General Availability (GA)
  • Beta

Their differences are outlined in the following table:

FeatureGABeta
Number of rules10+1+
r2c rule-writing supportQuickly release new rules for all critical and high vulnerabilities based on the latest security advisories.No commitment for new rules based on the latest security advisories.
Semgrep engine language supportSemgrep engine support is GA.Semgrep engine support is at least Beta.

DeepSemgrep​

Improve your scan results for entire codebases with interfile coding paradigms using DeepSemgrep instead of Semgrep's regular intrafile (within-a-single-file) approach. DeepSemgrep empowers you to easily scan whole repositories that have object-oriented programming paradigms with classes in different files to find vulnerabilities in your code. DeepSemgrep is a proprietary extension of free and open source Semgrep which leverages global analysis tools, and uses the same rules as Semgrep.

Beta support​

DeepSemgrep offers beta support for the following languages:

  • Java
  • JavaScript
  • TypeScript

Find what you needed in this doc? Join the Semgrep Community Slack group to ask the maintainers and the community if you need help.