Home IconSemgrep Pro Engine

Upgrade your Semgrep OSS experience

Semgrep Pro Engine

Advanced code analysis for detecting vulnerabilities across files + support for enterprise languages

Analyze code across files

Pro Engine uses advanced dataflow analysis to reduce the number of false positives and discover new true positives across files.

Interfile analysis is available for Golang, Java and JavaScript/TypeScript.

Analyze code across function boundaries

Pro Engine provides interprocedural analysis, including dataflow analysis methods such as taint analysis, constant propagation, and typed metavariables.

Interprocedural analysis is available for all languages supported by Semgrep and is currently experimental.

Support for enterprise languages

In addition to all the languages supported by Semgrep OSS Engine, Pro Engine also supports enterprise languages such as Apex.

apex icon

Finds deep issue, more accurately

  • Reduces false positives: dataflow analysis features such as taint-tracking find whether, for instance, tainted user input may reach an unsafe SQL statement via a long chain of function calls

  • Discovers more true positives: advanced code analysis helps find more complex vulnerabilities across files and procedures


interfile-dataflow

Works without compiled code

  • Easily scan your code and avoid rollout and management headaches

  • Scan more rapidly than other advanced analysis tools

scan-code-alt

Easily write rules

  • Rule syntax is very similar to the source code itself -> no need to understand abstract syntax trees or learn a new domain-specific language

  • For interfile analysis, Golang, Java, JavaScript, and TypeScript are supported

  • For interprocedural analysis, 30+ languages are supported

interfile-example
Semgrep OSS EngineSemgrep Pro EngineClick here to see the results with Semgrep Pro Engine

Please click on Semgrep OSS Engine and then on Semgrep Pro Engine to see the difference in results.

Semgrep RuleRule Icon
rules:
  pattern: return 1;
  message: Found return value of   1
  languages:
  - java
Code Box Image
foo.javaRule File Icon
import bar.Foo
class Bar {
  static final int CST = 1;
  int bar_trivial() {
 //Semgrep OSS will catch this:
return 1;
    }
int bar_simple() {
//Semgrep OSS will catch this:
return CST;
  }
int bar_intrafile() {
/*Semgrep OSS won’t catch this but Pro Engine will:*/
return Foo.CST;
  }
}
bar.javaRule File Icon
public class Foo {
  final static int
CST = 1;
  }

Learn more on the Semgrep blog

Need for speed: static analysis version

Brandon WuBrandon Wu

Powerfully autofixing code with Semgrep's new AST-based approach

Nat MoteNat Mote

Keep your rules simple with symbolic propagation

Iago AbalIago Abal

A deep dive into Semgrep Supply Chain

Kurt BobergKurt Boberg

Need for speed: static analysis version

Brandon WuBrandon Wu

Powerfully autofixing code with Semgrep's new AST-based approach

Nat MoteNat Mote

Keep your rules simple with symbolic propagation

Iago AbalIago Abal

A deep dive into Semgrep Supply Chain

Kurt BobergKurt Boberg

Need for speed: static analysis version

Brandon WuBrandon Wu

Powerfully autofixing code with Semgrep's new AST-based approach

Nat MoteNat Mote

Keep your rules simple with symbolic propagation

Iago AbalIago Abal

A deep dive into Semgrep Supply Chain

Kurt BobergKurt Boberg

Semgrep Code

Get Started With Semgrep Code

Semgrep Logo

Code analysis at ludicrous speed

Products

Semgrep Code
Semgrep Supply Chain
Semgrep Cloud Platform
Semgrep Pro Engine

Community

Blog

Resources

Docs
ROI Calculator
Pricing
Getting Started With Semgrep
Registry
Playground
Book a demo
Help Center

Company

About
Careers
Contact us
Twitter-logo-greenSlack-logo-greenGitHub-logo-greenYoutube-logo-green

© 2023 Semgrep, Inc. Semgrep is a registered trademark of Semgrep, Inc.

TermsPrivacy