• Semgrep Supply Chain
• Semgrep
• Community Tier
• Team & Enterprise Tier

Supported languages

This document provides information about supported languages and language maturity definitions for the following products:

• Semgrep
• Semgrep Supply Chain
• DeepSemgrep

Semgrep

Semgrep is a fast, open source, static analysis engine for finding bugs and enforcing code standards.

Language maturity

Semgrep supports 30+ languages.

GA ✅	Beta 🐛	Experimental 🚧
C#	Kotlin	Bash
Go		C
Java		C++
JavaScript		Clojure
JSON		Dart
JSX		Dockerfile
PHP		Elixir
Python		HTML
Ruby		Jsonnet
Scala		Lisp
Terraform		Lua
TSX		OCaml
TypeScript		R
		Rust
		Scheme
		Solidity
		Swift
		YAML
		XML
		Generic (ERB, Jinja, etc.)

• Experimental: experimental support with many known bugs.
  • Looking for dedicated users to help us improve these languages.
  • Expect limited support responses, as these languages will be lowest priority.
• Beta: supported language with known bugs.
  • Looking for beta users to report bugs and rapidly iterate with our team.
  • Expect best-effort support responses when there are no higher priority requests being handled.
• GA: production-level support with few known bugs.
  • Looking for bug reports and feedback from users.
  • Expect timely and thorough support responses, generally within 24 hours.

Maturity definitions

Language maturity factors

Language maturity is determined by 3 factors in the Semgrep ecosystem:

Parse rate

How well Semgrep can parse code in a given language.

Feature support

What Semgrep features are implemented for a given language.

Ruleset count

Number of Semgrep rule groupings in Semgrep Registry.

Levels of maturity

Semgrep defines 3 maturity levels:

Experimental

Experimental languages support the following:

• Syntax
• Ellipsis operator
• Basic metavariable functionality

Beta

Beta languages support the following:

• All features supported in Experimental
• Complete metavariable support
• Metavariable equality

Generally available

Generally available languages support all advanced features such as the following:

• All features supported in Beta
• Regexp
• Equivalence
• Deep expression operator
• Types and typing

Each of these maturity levels are combined with a threshold of the language maturity factors. When a language meets the maturity threshold for each of the factors, it’s moved into that maturity level.

The following thresholds define each maturity level:

• Experimental
  • Parse rate: 90%+
  • Rules: 0+
  • Features:
    • concrete_syntax
    • deep_exprstmt
    • dots_args
    • dots_nested_stmts
    • dots_stmts
    • dots_string
    • metavar_arg
    • metavar_call
    • metavar_equality_var
• Beta
  • Parse rate: 99%+
  • Rules: 5+
  • Features:
    • All items in Experimental
    • metavar_class_def
    • metavar_func_def
    • metavar_cond
    • metavar_equality_expr
    • metavar_equality_stmt
    • metavar_import
    • metavar_stmt
• Generally Available (GA)
  • Parse rate: 99.9%+
  • Rules: 10+
  • Features:
    • All items in Beta
    • deep_expr_operator
    • dots_method_chaining
    • equivalence_constant_propagation
    • equivalence_naming_import (language dependent)
    • metavar_anno (language dependent)
    • metavar_key_value
    • metavar_typed (language dependent)
    • metavar_ellipsis_args
    • regexp_string

Visit the cheat sheet generation script and associated semgrep-core test files to learn more about each feature:

• Generation script
• semgrep-core test files

Feature and product maturity levels

• The detailed specifications given above apply only to language support. Language maturity levels differ from feature and product maturity levels.
• Semgrep features and products documented as experimental, beta, or GA generally follow the definitions in a Software release life cycle.

Language parse rates

See Parse rates by language.

Semgrep Supply Chain

Detect recently discovered security vulnerabilities in your codebase's open-source dependencies using Semgrep Supply Chain. Leverage Semgrep's code-scanning capabilities to run high-signal rules that determine a vulnerability's reachability. Semgrep Supply Chain evaluates dependencies based on their version and use in your codebase.

Semgrep Supply Chain parses lockfiles for dependencies, then scans your codebase for reachable findings based on the lockfiles. Some languages, such as Java, have several lockfiles, depending on your repository's package manager. For some languages, such as JavaScript and Python, a manifest file is also parsed.

General Availability

This table provides information about fully supported (generally available or GA) languages, specific package managers, and their lockfiles in Semgrep Supply Chain:

Language	Supported package managers	Lockfile	Scans transitive dependencies*	Identifies transitive dependencies
Go	Go modules (go mod)	go.sum	✔️ Yes	❌ No
JavaScript / TypeScript	npm (Node.js)	package-lock.json	✔️ Yes	✔️ Yes
	Yarn, Yarn 2, Yarn 3	yarn.lock	✔️ Yes	✔️ Yes
Python	pip	Pipfile.lock (generated by pipenv)	✔️ Yes	✔️ Yes
		requirements.txt†, requirements.in (generated by pip-tools, pipreqs, and so on).	✔️ Yes	✔️ Yes
	Poetry	poetry.lock	✔️ Yes	✔️ Yes
Ruby	RubyGems	Gemfile.lock	✔️ Yes	✔️ Yes

*Semgrep Supply Chain scans transitive dependencies but does not perform reachability analysis on them.
†Semgrep Supply Chain supports requirements.txt when it is used as a lockfile. This means that requirements.txt must be set to exact versions (pinned dependencies) and the file is generated automatically.

Transitivity support

For more information on transitivity, see Transitive dependencies and reachability analysis.

Beta

This table provides information about the beta level of support for languages, specific package managers, and their lockfiles in Semgrep Supply Chain:

Language	Supported package managers	Lockfile	Scans transitive dependencies	Identifies transitive dependencies
Java	Gradle	gradle.lockfile	✔️ Yes	✔️ Yes
	Maven	Maven-generated dependency tree*	✔️ Yes	✔️ Yes

*Semgrep Supply Chain requires a Maven-generated dependency tree. See Setting up SSC scans for Apache Maven for instructions to generate a dependency tree.

Maturity levels

Semgrep Supply Chain has two maturity levels:

• General Availability (GA)
• Beta

Their differences are outlined in the following table:

Feature	GA	Beta
Number of rules	10+	1+
r2c rule-writing support	Quickly release new rules for all critical and high vulnerabilities based on the latest security advisories.	No commitment for new rules based on the latest security advisories.
Semgrep engine language support	Semgrep engine support is GA.	Semgrep engine support is at least Beta.

DeepSemgrep

Improve your scan results for entire codebases with interfile coding paradigms using DeepSemgrep instead of Semgrep's regular intrafile (within-a-single-file) approach. DeepSemgrep empowers you to easily scan whole repositories that have object-oriented programming paradigms with classes in different files to find vulnerabilities in your code. DeepSemgrep is a proprietary extension of free and open source Semgrep which leverages global analysis tools, and uses the same rules as Semgrep.

Beta support

DeepSemgrep offers beta support for the following languages:

• Java
• JavaScript
• TypeScript

---

Find what you needed in this doc? Join the Semgrep Community Slack group to ask the maintainers and the community if you need help.