Semgrep AppSec vs. Semgrep OSS

Get findings that are 5x more precise than OSS, with 2x more coverage spanning dependencies and hardcoded secrets.

  • Detect more true positives and less false positives across SAST, SCA, and Secrets

  • Make fix-rate the north star metric of your AppSec program with features that make remediation seamless and intuitive.

  • Confidently bring the right issues to the right developers at scale, so you can shift left without slowing them down.

pro + oss

Semgrep AppSec reduced false positives by 25% and uncovered 2.5x more true positives compared to OSS

- Fortune 500 customer comparing Semgrep and OSS in production

Core analysis

OSS

Developed to be as lightweight as possible, OSS is designed to only analyze dataflow within the boundaries of a single function.

Capabilities

OSS

  • Lightweight, single-function SAST for individual developers and use cases with a high tolerance for false positives (security audits, penetration tests)

Coverage (engine)

OSS

Coverage (rules)

OSS

  • OSS languages are community-supported, meaning Semgrep does not actively develop or maintain rules. Some languages include basic (non Pro) rules authored by Semgrep

    *Check the registry and filter out Pro rules to see OSS rule coverage by language.

Accuracy

OSS

  • Single-function analysis generates false positives and limits context/dataflow analysis for findings

  • Basic and community-written rules supported by OSS are designed for audits and ad-hoc scans - they don't optimize for accuracy or developer actionability

Developer experience

OSS

  • No features that impact the developer experience or how developers interact with findings

Ease of Customization

A highly customized instance of Semgrep is the best code security solution available to the public.

  • The Semgrep AppSec Platform makes generating, testing, and deploying custom rules accessible to all - even an AppSec team of one.

  • For both out-of-the-box and custom rules, Semgrep AppSec gives you precise control over which issues are surfaced to developers and how they're surfaced.

Rule and Workflow Diagram

Tool consolidation with no tradeoff

Security teams need aggregated, actionable data - but developers want the most precise tool in each category.

  • Semgrep gives your engineers best-in-breed tooling across SAST, SCA, and secrets scanning, for 30+ languages.

  • Since all Semgrep products are powered by the same core analysis engine, there's only one platform and dataset needed to gain insights and make improvements.

Jessica Grider Quote

Supports 30+ frameworks and technologies

Python Logojava iconGo-logoRuby LogoJS-logoTypescript-logoPHP ThumbnailC++C++bitbucket logoJenkins logoCircle CI logo

Quick FAQ

Semgrep OSS is a lightweight and fast program analysis tool backed by community rules.

Semgrep OSS is suited for those that need to scan large amounts of code on an ad-hoc/one-time basis, with a high tolerance for false positives.

For example, consultants, security auditors, and pentesters may find Semgrep OSS suitable for their needs, and easy to implement into their existing workflows.

  • Analysis capabilities: Semgrep OSS is limited to single-file and single-function analysis. Pro Engine analyzes data flow across files and functions to uncover more true positives and less false positives.

  • Pro rules: Semgrep AppSec uses proprietary, high-confidence rules written by our research team that leverage cross-file and cross-function capabilities. Pro rules are written to generate minimal noise, so findings can be surfaced to developers without inundating them with false positives.

Semgrep AppSec is for security teams that need to shift left and scale their SAST, SCA, and Secrets coverage, but struggle to do so due to false positives and noise.

Semgrep AppSec integrates seamlessly into existing developer workflows, provides more accurate results, and has features like Assistant and PR comments that profoundly improve triage and remediation processes (for developers and security engineers alike).

  • Integration into CI and development flows: Products in the Semgrep AppSec platform are portable and fast like OSS, but include features that go beyond scan results to help security teams and developers triage and remediate issues before they hit main.

  • Control over the developer experience: Semgrep AppSec gives teams granular control over which issues are surfaced to developers and how they are surfaced. This lets AppSec teams shift left at their own pace, without risking their reputations.

  • Semgrep Assistant: Semgrep Assistant uses AI to speed up and reduce the cognitive load required during triage and remediation workflows (Auto-fix, auto-triage, etc).

  • Seamless integration into developer workflows: Semgrep AppSec can automatically surface findings to developers via PR comments, Jira tickets, etc - but only if security teams are confident in a rule's accuracy.