Works with Semgrep Pro Engine

Pro rules

Greatly reduce false positives while increasing scan coverage for critical vulnerability types. Bring findings directly to developers with confidence.


Improved coverage and developer-oriented results

  • Semgrep Pro rules are written to minimize false positives so findings can be presented to developers in their workflows, avoiding lengthy triage sessions.

  • Pro rules provide high-confidence results by leveraging cross-file and cross-function dataflow analysis.

  • High confidence rules use features like taint tracking with sources, sinks, propagators, and sanitizers curated by our Security Research team.


Rules for popular languages and frameworks:

Find injection vulnerabilities

More than 100 high-accuracy rules to find injection vulnerabilities in Java, PHP, JavaScript, Kotlin, Rust, and Swift.

Browse rules for detecting injection vulnerabilities

Discover malicious deserialization mechanisms

60+ rules supporting 14 Python libraries/frameworks and 3 commonly used Java libraries, either standalone or in combination with Java Servlets and the Spring Framework.

See rules for deserialization

Detect XXE vulnerabilities

Detect XML external entity issues with support for common Java libraries and classes, to identify the many different ways they can be insecurely configured and used.

Learn more about Java XML security

Continuously monitored and updated

  • Rules are continuously updated by our Security Research team based on rule performance and user feedback.

  • Compared to Community rules, Pro rules provide better coverage for Java, JavaScript, TypeScript, Python, PHP, Ruby, C#, Swift, and Go.

  • Pro rule coverage for languages is continuously expanded by our Security Research team.


Customize and manage rules at scale

  • Rule syntax is intuitive and similar to source code so there's no need to learn new domain-specific languages to make tweaks.

  • Get a top-down view of fix and ignore rates to optimize rule policies and behaviors (monitor, comment, or block).

Learn about Semgrep Cloud Platform

Fix the issues that matter with Pro rules + Pro Engine

Semgrep helps organizations shift left without the developer productivity tax
