OPEN SOURCE

Semgrep Community Edition

Trusted by Security Engineers


Built for developers

SAST ENGINE
30+
supported programming languages
Community Rules
3000+
customizable open source rules

Cross-Platform Support

Install Semgrep and scan on macOS

Run security scans locally on macOS by installing the Semgrep CLI with Homebrew. You'll have access to the community rules without needing to log in.

When you are ready for more rules or need more coverage, create a free account.

$ brew install semgrep
$ semgrep --config=auto

Install Semgrep and scan on Windows

Run security scans locally on Windows by installing the Semgrep CLI with Python's pip. You'll have access to the community rules without needing to log in.

It can be used from PowerShell, Windows Subsystem for Linux, or anywhere else you can run Python.

$ python3 -m pip install semgrep
$ semgrep --config=auto

Install Semgrep and scan on Linux

Run security scans locally on Linux distributions by installing the Semgrep CLI with Python's pip. You'll have access to the community rules without needing to log in.

You can also run Semgrep CE in a Docker container by pulling the image with docker pull semgrep/semgrep.

$ python3 -m pip install semgrep
$ semgrep --config=auto

Learn from our open source community champions

SEMGREP COMMUNITY EDITION

Essential for Application Security


Comprehensive interoperability and customization

How does Semgrep CE work?


Source Code

Semgrep CE can review source code on your local filesystem or pulled from your source control system. The programming languages used in your code base are recognized automatically. This works because static analysis reviews the source code itself, before it is compiled or run.

Scan Your Code

Semgrep CE is a deterministic rules engine built to analyze programming language syntax. Semgrep rules are downloaded from the Semgrep Registry and evaluated against your source code to find patterns that characterize insecure code.

The earlier in the development process you scan, the easier it is for teams to catch security anti-patterns.

Triage the Findings

Semgrep CE writes findings to the terminal or to a machine-readable format for review, such as SARIF or JSON. Each finding identifies the lines of code that match the pattern defined by a security rule and includes remediation advice for resolving the vulnerability.

Write your own rules, or use the advanced rules from Semgrep Code to take advantage of Pro engine features that improve results and further reduce false positives.

🦠 Secure your source code from Injection, RCE, XSS, IDOR, SSRF, SQLi, XXE, and other common vulnerabilities.

Easy to get started

Powerful enough for security researchers

Given the same source code as input, Semgrep CE produces the same output. This deterministic behavior makes Semgrep beginner-friendly: you don't need a PhD in program analysis or abstract syntax trees to use Semgrep CE. Start by keeping the easy things easy and learning the foundations of secure software development. As your needs evolve, create custom rules and workflows to support your team.

EDUCATE

Foundations

Share security foundations with your team so everybody knows how to code securely.

Visit Learning Guides
TRUST

Accuracy

False positives erode trust in application security tools. We prioritize semantic accuracy.

Read the Open Source Blog
AUTOMATE

Workflow

DevOps-ready, with IDE and CI/CD integrations and hooks for building custom integrations into development workflows.

Check the Docs

What's New with Semgrep CE


300+ Releases


13.1k GitHub Stars

FALL 2025

Learn about the Fall 2025 releases with highlights including:

  • Windows Support
  • Multicore
  • MCP Server
  • and more

Release timeline, 2020 to 2026: sgrep 0.4.0, 1.102.0, 2.0.0 (Private Beta). See the Release Notes for details.

Open source under LGPL 2.1 license.

Graduate to the Semgrep AppSec Platform

Reasons you should consider upgrading from Semgrep CE to Semgrep AppSec Platform:
✔️ Add Supply Chain and Secrets detection
✔️ Even better false positive handling
✔️ Managed scanning to offload operations
✔️ Dashboard and reporting capabilities
✔️ More comprehensive security rules coverage
✔️ AI Assistant with remediation guidance
✔️ AI Memories for policies
✔️ Award-winning support