Skip to main content
  • Semgrep Supply Chain
  • Semgrep OSS Engine
  • Team & Enterprise Tier

Supported languages

This document provides information about supported languages and language maturity definitions for the following products:

  • Semgrep OSS Engine
  • Semgrep Supply Chain
  • Semgrep Pro Engine

Semgrep OSS Engine

Semgrep OSS Engine offers a fast static analysis solution for finding bugs and enforcing code standards.

Language maturity

Semgrep supports 30+ languages.

GA ✅Beta 🐛Experimental 🚧
C#RustBash
GoC
JavaC++
JavaScriptCairo
JSONClojure
JSXDart
KotlinDockerfile
PHPElixir
PythonHTML
RubyJsonnet
ScalaJulia
TerraformLisp
TSXLua
TypeScriptOCaml
R
Scheme
Solidity
Swift
YAML
XML
Generic (ERB, Jinja, etc.)
  • Experimental: experimental support with many known bugs.
    • Looking for dedicated users to help us improve these languages.
    • Expect limited support responses, as these languages will be lowest priority.
    • Semgrep Playground and Semgrep Editor support may be limited for these languages.
  • Beta: supported language with known bugs.
    • Looking for beta users to report bugs and rapidly iterate with our team.
    • Expect best-effort support responses when there are no higher priority requests being handled.
  • GA: production-level support with few known bugs.
    • Looking for bug reports and feedback from users.
    • Expect timely and thorough support responses, generally within 24 hours.

Maturity definitions

Language maturity factors

Language maturity is determined by 3 factors in the Semgrep ecosystem:

Parse rate
How well Semgrep OSS Engine can parse code in a given language.
Feature support
What Semgrep features are implemented for a given language.
Ruleset count
Number of Semgrep rule groupings in Semgrep Registry.

Levels of maturity

Semgrep OSS Engine defines 3 maturity levels:

Experimental
Experimental languages support the following:
  • Syntax
  • Ellipsis operator
  • Basic metavariable functionality
Beta
Beta languages support the following:
  • All features supported in Experimental
  • Complete metavariable support
  • Metavariable equality
Generally available
Generally available languages support all advanced features such as the following:
  • All features supported in Beta
  • Regexp
  • Equivalence
  • Deep expression operator
  • Types and typing

Each of these maturity levels are combined with a threshold of the language maturity factors. When a language meets the maturity threshold for each of the factors, it’s moved into that maturity level.

The following thresholds define each maturity level:

  • Experimental
    • Parse rate: 90%+
    • Rules: 0+
    • Features:
      • concrete_syntax
      • deep_exprstmt
      • dots_args
      • dots_nested_stmts
      • dots_stmts
      • dots_string
      • metavar_arg
      • metavar_call
      • metavar_equality_var
  • Beta
    • Parse rate: 99%+
    • Rules: 5+
    • Features:
      • All items in Experimental
      • metavar_class_def
      • metavar_func_def
      • metavar_cond
      • metavar_equality_expr
      • metavar_equality_stmt
      • metavar_import
      • metavar_stmt
  • Generally Available (GA)
    • Parse rate: 99.9%+
    • Rules: 10+
    • Features:
      • All items in Beta
      • deep_expr_operator
      • dots_method_chaining
      • equivalence_constant_propagation
      • equivalence_naming_import (language dependent)
      • metavar_anno (language dependent)
      • metavar_key_value
      • metavar_typed (language dependent)
      • metavar_ellipsis_args
      • regexp_string

Visit the cheat sheet generation script and associated semgrep-core test files to learn more about each feature:

Feature and product maturity levels
  • The detailed specifications given above apply only to language support. Language maturity levels differ from feature and product maturity levels.
  • Semgrep features and products documented as experimental, beta, or GA generally follow the definitions in a Software release life cycle.

Language parse rates

See Parse rates by language.

Semgrep Supply Chain

Detect recently discovered security vulnerabilities in your codebase's open-source dependencies using Semgrep Supply Chain. Leverage Semgrep's code-scanning capabilities to run high-signal rules that determine a vulnerability's reachability. Semgrep Supply Chain evaluates dependencies based on their version and use in your codebase.

Semgrep Supply Chain parses lockfiles for dependencies, then scans your codebase for reachable findings based on the lockfiles. Some languages, such as Java, have several lockfiles, depending on your repository's package manager. For some languages, such as JavaScript and Python, a manifest file is also parsed.

General Availability

This table provides information about fully supported (generally available or GA) languages, specific package managers, and their lockfiles in Semgrep Supply Chain:

LanguageSupported package managersLockfileScans transitive dependencies*Identifies transitive dependencies†Rule coverage for CVEs/GHSAs‡
GoGo modules (go mod)go.mod✔️ Yes✔️ YesMay 2022
JavaScript / TypeScriptnpm (Node.js)package-lock.json✔️ Yes✔️ YesMay 2022
Yarn, Yarn 2, Yarn 3yarn.lock✔️ Yes✔️ Yes
Pythonpiprequirements.txt†† (generated by e.g. pip freeze)✔️ Yes❌ NoMay 2022
pip-toolsrequirements.txt✔️ Yes✔️ Yes
PipenvPipfile.lock✔️ Yes✔️ Yes
Poetrypoetry.lock✔️ Yes✔️ Yes
RubyRubyGemsGemfile.lock✔️ Yes✔️ YesMay 2022
JavaGradlegradle.lockfile✔️ Yes✔️ YesMay 2022
MavenMaven-generated dependency tree (See Setting up SSC scans for Apache Maven for instructions.)✔️ Yes✔️ Yes

*Semgrep Supply Chain scans transitive dependencies but does not perform reachability analysis on them.
Refers to functionality in Semgrep Cloud Platform to indicate through a badge if a package is a transitive or direct dependency. This does not affect reachability analysis for any language.
The month and year that Semgrep Supply Chain has begun writing rules to detect vulnerabilities listed in GHSA and the CVE program.
††Semgrep Supply Chain supports requirements.txt when it is used as a lockfile. This means that requirements.txt must be set to exact versions (pinned dependencies) and the file must be generated automatically.

Transitivity support

For more information on transitivity, see Transitive dependencies and reachability analysis.

Beta

Semgrep Supply Chain has no languages in Beta status.

Maturity levels

Semgrep Supply Chain has two maturity levels:

  • General Availability (GA)
  • Beta

Their differences are outlined in the following table:

FeatureGABeta
Number of rules10+1+
Semgrep, Inc. rule-writing supportQuickly release new rules for all critical and high vulnerabilities based on the latest security advisories.No commitment for new rules based on the latest security advisories.
Semgrep OSS Engine language supportSemgrep OSS Engine support is GA.Semgrep OSS Engine support is at least Beta.

Semgrep Pro Engine

Go beyond single file analysis to detect vulnerabilities across files and functions, using Semgrep Pro Engine. By design, Semgrep open-source software (OSS) Engine can only analyze interactions within a single function. This limited scope makes Semgrep OSS fast and easy to integrate into developer workflows. Semgrep Pro Engine gives security teams the option to tradeoff speed for better results and deeper analysis.

Semgrep Pro Engine includes interfile analysis and interprocedural analysis, which finds vulnerabilities that aren't detectable with Semgrep OSS. By analyzing interactions across files and across functions, Semgrep Pro Engine can reduce noise, uncover new vulnerabilities, and make results easier to understand. Build trust with your developers by only showing them high-confidence results that are easy to fix.

Semgrep Pro Engine is a proprietary extension of Semgrep OSS. Just like Semgrep OSS, Semgrep Pro Engine runs on raw source code and it doesn't require compiled code for its analysis.

Semgrep Pro Engine supports the following languages:

LanguageSupport levelAnalysis type
All GA supported languages listed in Semgrep OSS EngineGAInterprocedural
ApexExperimentalInterprocedural
GoBetaInterfile
JavaBetaInterfile
JavaScriptBetaInterfile
KotlinExperimentalInterfile
TypeScriptBetaInterfile
info
  • To install and run Semgrep Pro Engine, see Semgrep Pro Engine overview for more information.
  • All languages that have interfile analysis support by default also provide interprocedural analysis by default. However, languages that provide only interprocedural analysis do not provide interfile analysis.

Known limitations of Semgrep Pro Engine

CommonJS

Currently Semgrep Pro Engine does not handle specific cases of CommmonJS where you define a function and assign it to an export later, Semgrep Pro Engine does not track the code below:

function get_user() {
return get_user_input("example")
}

module.exports = get_user

Regressions in Semgrep Pro

For interfile analysis, Semgrep Pro Engine resolves names differently than Semgrep OSS. Consequently, rules with interfile: true may produce different results than Semgrep OSS Engine. Some instances could be regarded as regressions, if you encounter them please file a bug report. When you need to report a bug in Semgrep Pro Engine, go through support@semgrep.com. You can also contact us through Semgrep Community Slack group.


Find what you needed in this doc? Join the Semgrep Community Slack group to ask the maintainers and the community if you need help.