- Semgrep Supply Chain
- Semgrep OSS Engine
- Team & Enterprise Tier
Supported languages
This document provides information about supported languages and language maturity definitions for the following products:
- Semgrep Code
- Semgrep Supply Chain
Semgrep Code
Secure your code quickly and continuously by scanning with Semgrep Code, our SAST (Static Application Security Testing) product, powered by Semgrep OSS Engine and Semgrep Pro Engine. The Semgrep OSS Engine is the foundation of Semgrep, it's our open-source engine, designed for fast code analysis. The Semgrep Pro Engine is designed for advanced code analysis, designed to catch complex vulnerabilities and reduce false positives. Use Semgrep Code to quickly find and fix vulnerabilities in your code base.
Language maturity
Semgrep Code supports over 30 languages and counting! 🚀
| Language | Semgrep OSS Engine | Semgrep Pro Engine (cross-function) | Semgrep Pro Engine (cross-file) |
|---|---|---|---|
| Go | GA | GA | GA |
| Java | GA | GA | GA |
| JavaScript | GA | GA | GA |
| TypeScript | GA | GA | GA |
| Kotlin | GA | GA | Beta |
| C# | GA | GA | -- |
| Ruby | GA | GA | -- |
| JSX | GA | GA | -- |
| PHP | GA | GA | -- |
| Python | GA | GA | -- |
| Scala | GA | GA | -- |
| JSON | GA | -- | -- |
| Terraform | GA | -- | -- |
| Apex | Pro Engine Only | Beta | -- |
| Rust | GA | Experimental | -- |
| Generic | GA | -- | -- |
| Swift | Beta | -- | -- |
| Bash | Experimental | -- | -- |
| C | Experimental | -- | -- |
| C++ | Experimental | -- | -- |
| Cairo | Experimental | -- | -- |
| Clojure | Experimental | -- | -- |
| Dart | Experimental | -- | -- |
| Dockerfile | Experimental | -- | -- |
| Elixir | Experimental | -- | -- |
| HTML | Experimental | -- | -- |
| Jsonnet | Experimental | -- | -- |
| Julia | Experimental | -- | -- |
| Lisp | Experimental | -- | -- |
| Lua | Experimental | -- | -- |
| Ocaml | Experimental | -- | -- |
| R | Experimental | -- | -- |
| Scheme | Experimental | -- | -- |
| Solidity | Experimental | -- | -- |
| YAML | Experimental | -- | -- |
| XML | Experimental | -- | -- |
If you'd like to request a language not shown here, please create an issue on the Semgrep GitHub repo.
Maturity levels
Language maturity factors (Pro Engine)
Semgrep Pro Engine has two maturity levels:
- Generally available (GA)
- Beta
Generally Available: Receives highest quality support from the Semgrep team. Reported issues are resolved promptly and timelines for fixes are communicated to customers within 2 weeks.
Beta: Supported by the Semgrep team. Reported issues are tracked and prioritized to be fixed after GA languages.
Language maturity factors (OSS Engine)
Semgrep OSS Engine has three maturity levels:
- Generally available (GA)
- Beta
- Experimental
Their differences are outlined in the following table:
| Feature | GA | Beta | Experimental |
|---|---|---|---|
| Parse Rate | 99%+ | 95%+ | 90%+ |
| Number of rules | 10+ | 5+ | 0+ |
| Semgrep syntax | Regexp, equivalence, deep expression operators, types and typing. All features supported in Beta. | Complete metavariable support, metavariable equality. All features supported in Experimental. | Syntax, ellipsis operator, basic metavariable functionality. |
More information
Visit the cheat sheet generation script and associated semgrep-core test files to learn more about each feature:
Visit the Semgrep public language dashboard to see the parse rates for each language
Semgrep Supply Chain
Detect recently discovered security vulnerabilities in your codebase's open-source dependencies using Semgrep Supply Chain. Leverage Semgrep's code-scanning capabilities to run high-signal rules that determine a vulnerability's reachability. Semgrep Supply Chain evaluates dependencies based on their version and use in your codebase.
Semgrep Supply Chain parses lockfiles for dependencies, then scans your codebase for reachable findings based on the lockfiles. Some languages, such as Java, have several lockfiles, depending on your repository's package manager. For some languages, such as JavaScript and Python, a manifest file is also parsed.
| Language | Supported package managers | Lockfile | Reachability support level‡ | Time period of rule coverage for CVEs/GHSAs |
|---|---|---|---|---|
| Go | Go modules (go mod) | go.mod | GA | Since May 2022 |
| JavaScript / TypeScript | npm (Node.js) | package-lock.json | GA | |
| Yarn, Yarn 2, Yarn 3 | yarn.lock | GA | ||
| pnpm | pnpm-lock.yaml | GA | ||
| Python | pip | requirements.txt†† (generated by e.g. pip freeze) | GA | |
| pip-tools | requirements.txt | GA | ||
| Pipenv | Pipfile.lock | GA | ||
| Poetry | poetry.lock | GA | ||
| Ruby | RubyGems | Gemfile.lock | GA | |
| Java | Gradle | gradle.lockfile | GA | |
| Maven | Maven-generated dependency tree (See Setting up SSC scans for Apache Maven for instructions.) | GA | ||
| C# | NuGet | packages.lock.json | Beta | |
| Rust | Cargo | cargo.lock | Lockfile-only | |
| PHP | Composer | composer.lock | Lockfile-only |
*Semgrep Supply Chain scans transitive dependencies for all supported languages but does not perform reachability analysis on transitive dependencies.
‡Reachability support level refers to the level of support for reachability analysis for the language. At the minimum, Semgrep Supply Chain uses lockfile-only rules, which check a package's version against versions with known vulnerabilities.
††Semgrep Supply Chain supports requirements.txt when it is used as a lockfile. This means that requirements.txt must be set to exact versions (pinned dependencies) and the file must be generated automatically.
- Semgrep ingests CVEs and security advisories from sources such as GitHub Security Advisory to ensure effective rule coverage.
- Semgrep, Inc. processes new CVEs and security advisories at least daily to perform the following:
- Generation of new rules for new security advisories.
- Updating of rules based on changes to prior security advisories.
For more information on transitivity, see Transitive dependencies and reachability analysis.
Maturity levels
Semgrep Supply Chain has two maturity levels:
- General Availability (GA)
- Beta
Their differences are outlined in the following table:
| Feature | GA | Beta |
| Number of reachability rules | 10+ | 1+ |
| Semgrep, Inc. rule-writing support | Quickly release new rules for all critical and high vulnerabilities based on the latest security advisories. | No commitment for new rules based on the latest security advisories. |
| Semgrep OSS Engine language support | Semgrep OSS Engine support is GA. | Semgrep OSS Engine support is at least Beta. |
- The detailed specifications previously provided apply only to language support. Language maturity levels differ from feature and product maturity levels.
- Semgrep features and products documented as experimental, beta, or GA generally follow the definitions in a Software release life cycle.
Known limitations of Semgrep Pro Engine
CommonJS
Currently Semgrep Pro Engine does not handle specific cases of CommmonJS where you define a function and assign it to an export later, Semgrep Pro Engine does not track the code below:
function get_user() {
return get_user_input("example")
}
module.exports = get_user
Regressions in Semgrep Pro
For cross-file (interfile) analysis, Semgrep Pro Engine resolves names differently than Semgrep OSS. Consequently, rules with interfile: true may produce different results than Semgrep OSS Engine. Some instances could be regarded as regressions; if you encounter them, please file a bug report. When you need to report a bug in Semgrep Pro Engine, go through support@semgrep.com. You can also contact us through Semgrep Community Slack group.
Find what you needed in this doc? Join the Semgrep Community Slack group to ask the maintainers and the community if you need help, or check out other ways to get help.