Upgrade your Semgrep OSS experience

Semgrep Pro Engine

Advanced code analysis for detecting vulnerabilities across files + support for enterprise languages

Analyze code across files

Pro Engine uses advanced dataflow analysis to reduce the number of false positives and discover new true positives across files.

Interfile analysis is available for Java and JavaScript/TypeScript.

Analyze code across function boundaries

Pro Engine provides interprocedural analysis, including dataflow analysis methods such as taint analysis, constant propagation, and typed metavariables.

Interprocedural analysis is available for all languages supported by Semgrep and is currently experimental.

Support for enterprise languages

In addition to all the languages supported by Semgrep OSS Engine, Pro Engine also supports enterprise languages such as Apex.

Finds deep issue, more accurately

  • Reduces false positives: dataflow analysis features such as taint-tracking find whether, for instance, tainted user input may reach an unsafe SQL statement via a long chain of function calls

  • Discovers more true positives: advanced code analysis helps find more complex vulnerabilities across files and procedures


interfile-dataflow

Works without compiled code

  • Easily scan your code and avoid rollout and management headaches

  • Scan more rapidly than other advanced analysis tools

scan-code-alt

Easily write rules

  • Rule syntax is very similar to the source code itself -> no need to understand abstract syntax trees or learn a new domain-specific language

  • For interfile analysis, Java, JavaScript, and TypeScript are supported

  • For interprocedural analysis, 30+ languages are supported

interfile-example

Learn more on the Semgrep blog

Need for speed: static analysis version

Brandon WuBrandon Wu

Powerfully autofixing code with Semgrep's new AST-based approach

Nat MoteNat Mote

Keep your rules simple with symbolic propagation

Iago AbalIago Abal

A deep dive into Semgrep Supply Chain

Kurt BobergKurt Boberg

Need for speed: static analysis version

Brandon WuBrandon Wu

Powerfully autofixing code with Semgrep's new AST-based approach

Nat MoteNat Mote

Keep your rules simple with symbolic propagation

Iago AbalIago Abal

A deep dive into Semgrep Supply Chain

Kurt BobergKurt Boberg

Need for speed: static analysis version

Brandon WuBrandon Wu

Powerfully autofixing code with Semgrep's new AST-based approach

Nat MoteNat Mote

Keep your rules simple with symbolic propagation

Iago AbalIago Abal

A deep dive into Semgrep Supply Chain

Kurt BobergKurt Boberg

Semgrep Code

Get Started With Semgrep Code