Upgrade your Semgrep OSS experience

Semgrep Pro Engine

Advanced code analysis for detecting vulnerabilities across files + support for enterprise languages

Analyze code across files

Pro Engine uses advanced dataflow analysis to reduce the number of false positives and discover new true positives across files.

Interfile analysis is available for Golang, Java and JavaScript/TypeScript.

Analyze code across function boundaries

Pro Engine provides interprocedural analysis, including dataflow analysis methods such as taint analysis, constant propagation, and typed metavariables.

Interprocedural analysis is available for all languages supported by Semgrep and is currently experimental.

Support for enterprise languages

In addition to all the languages supported by Semgrep OSS Engine, Pro Engine also supports enterprise languages such as Apex.

Finds deep issue, more accurately

  • Reduces false positives: dataflow analysis features such as taint-tracking find whether, for instance, tainted user input may reach an unsafe SQL statement via a long chain of function calls

  • Discovers more true positives: advanced code analysis helps find more complex vulnerabilities across files and procedures


Works without compiled code

  • Easily scan your code and avoid rollout and management headaches

  • Scan more rapidly than other advanced analysis tools


Easily write rules

  • Rule syntax is very similar to the source code itself -> no need to understand abstract syntax trees or learn a new domain-specific language

  • For interfile analysis, Golang, Java, JavaScript, and TypeScript are supported

  • For interprocedural analysis, 30+ languages are supported

Semgrep OSS EngineSemgrep Pro EngineClick here to see the results with Semgrep Pro Engine

Please click on Semgrep OSS Engine and then on Semgrep Pro Engine to see the difference in results.

Semgrep RuleRule Icon
  pattern: return 1;
  message: Found return value of   1
  - java
Code Box Image
foo.javaRule File Icon
import bar.Foo
class Bar {
  static final int CST = 1;
  int bar_trivial() {
 //Semgrep OSS will catch this:
return 1;
int bar_simple() {
//Semgrep OSS will catch this:
return CST;
int bar_intrafile() {
/*Semgrep OSS won’t catch this but Pro Engine will:*/
return Foo.CST;
bar.javaRule File Icon
public class Foo {
  final static int
CST = 1;

Semgrep Code

Get Started With Semgrep Code