Semgrep

Category: SAST
License: LGPL-2.1 (OSS CLI) / Commercial (Platform)
Suphi Cankurt
AppSec Enthusiast
Updated February 15, 2026
3 min read
Key Takeaways
  • Open-source SAST engine scanning 30+ languages with custom rule support
  • Free OSS CLI (LGPL-2.1) plus commercial Pro Engine for cross-file dataflow analysis
  • Write rules in a pattern syntax that mirrors source code — no query language to learn
  • Used by Dropbox, Figma, Snowflake; 13,400+ GitHub stars

Semgrep is a SAST tool that finds bugs and security vulnerabilities using pattern-matching rules that look like the code you're scanning. The open-source CLI supports 30+ languages and has over 13,400 GitHub stars. The company behind it, Semgrep Inc. (formerly r2c), also runs a commercial AppSec platform with SAST, SCA, and secrets detection.

The rule syntax is the main differentiator. Instead of writing abstract regex or custom DSLs, you write rules that resemble the source code you want to match. Custom rule creation takes minutes, not hours. The community registry has 2,000+ rules, and the commercial platform adds 20,000+ proprietary ones.

[Screenshot: Semgrep AppSec Platform dashboard showing security scan orchestration and findings overview]

What is Semgrep?

Semgrep started as an open-source pattern-matching engine and grew into a full AppSec platform. The OSS CLI is licensed under LGPL-2.1 and does single-file static analysis. The commercial platform adds cross-file dataflow analysis, SCA, secrets detection, and AI-powered triage on top.

30+ Languages
Covers Apex, Bash, C, C++, C#, Go, Java, JavaScript, TypeScript, Python, Ruby, Rust, Kotlin, PHP, Swift, Scala, Terraform, Dockerfile, and more. A generic mode handles unsupported formats.
Code-Like Rules
Rules resemble the source code they match. No regex or custom DSLs to learn. The community registry has 2,000+ rules and the platform adds 20,000+ proprietary ones.
10-Second Scans
Median CI scan time is 10 seconds (Semgrep's own figure). Scans run locally by default, and source code is never uploaded unless you opt into the cloud platform. Note that fetching rules from the registry, including with --config=auto, sends anonymized usage metrics by default; with local rule files you can turn this off with --metrics=off.

Key features

Semgrep Code (SAST)

The open-source engine analyzes one file at a time, so it cannot follow data that passes through a function call into code defined in another file: a source in one module and a sink in another are either missed or caught only by a broader, noisier pattern. The Pro Engine adds cross-file and cross-function dataflow, which lets a rule confirm that a flow actually exists and so cuts false positives significantly. According to Semgrep's published benchmarks, the Pro Engine reduces false positives in high/critical findings by up to 98%; treat that as a vendor figure measured on its own rule set. NIST's Software Assurance Metrics and Tool Evaluation (SAMATE) project has recognized the value of tools that combine pattern matching with dataflow analysis for reducing false positive rates.

[Screenshot: Semgrep cross-file dataflow analysis tracing user input from a Python view through session variables to a Jinja2 template]

# Install
brew install semgrep

# Run with auto config (uses recommended rules)
semgrep --config=auto .

# Run with a specific ruleset (rule pack) from the registry
semgrep --config=p/ci .

Pattern-matching rules
To find insecure YAML loading in Python, you write a rule whose pattern looks like yaml.load(...) rather than a regex. The pattern is matched against the parsed syntax tree, so whitespace, line breaks, and comments in the target code don't matter. Developers can write and review security rules without learning a separate language.
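Here is the yaml.load rule described above written out as a complete rule file. This is an added example, not a rule from the Semgrep registry or from this page's author; the rule id, message text and file name are assumptions.

```yaml
# unsafe-yaml-load.yaml  (added example; rule id, message and file name are
# assumed, not taken from the Semgrep registry)
rules:
  - id: python-unsafe-yaml-load
    languages: [python]
    severity: ERROR
    message: >-
      yaml.load() with the default or another unsafe Loader can instantiate
      arbitrary Python objects from attacker-controlled YAML. Use
      yaml.safe_load() or pass Loader=yaml.SafeLoader.
    metadata:
      category: security
      cwe: "CWE-502: Deserialization of Untrusted Data"
      confidence: HIGH
    # Every clause under `patterns` must hold for a match: the call is
    # yaml.load with any arguments, and it is NOT one of the explicitly safe
    # spellings. $DATA is a metavariable bound to the first argument; "..."
    # matches any further arguments. Matching is on the syntax tree, so
    # formatting, line breaks and keyword-argument order do not matter.
    patterns:
      - pattern: yaml.load($DATA, ...)
      - pattern-not: yaml.load($DATA, Loader=yaml.SafeLoader)
      - pattern-not: yaml.load($DATA, yaml.SafeLoader)
      - pattern-not: yaml.load($DATA, Loader=yaml.CSafeLoader)
      - pattern-not: yaml.load($DATA, yaml.CSafeLoader)
    # Autofix: `semgrep --config unsafe-yaml-load.yaml --autofix .` replaces
    # the whole matched call, dropping whatever unsafe Loader was passed.
    fix: yaml.safe_load($DATA)
```

Run it with `semgrep --config unsafe-yaml-load.yaml .`. It flags `yaml.load(body)` and `yaml.load(body, Loader=yaml.FullLoader)`, and stays quiet on `yaml.safe_load(body)` and `yaml.load(body, Loader=yaml.SafeLoader)`. Because Semgrep resolves Python imports, `from yaml import load` followed by `load(body)` is matched too. Teams that accept FullLoader can add one more pattern-not for it. To keep the rule honest as it evolves, put annotated true and false positives (`# ruleid: python-unsafe-yaml-load` and `# ok: python-unsafe-yaml-load` comments) in a Python file next to the rule and run `semgrep --test`.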

[Screenshot: Semgrep bot posting a security finding as a GitHub pull request comment with code diff and remediation guidance]

Semgrep Supply Chain (SCA)

Checks open-source dependencies for known vulnerabilities, then uses reachability analysis to determine whether your code actually calls the vulnerable function. CVEs in dependencies you import but never invoke get filtered out.

Semgrep Secrets

Scans source code for hardcoded credentials, API keys, and tokens. It goes beyond regex matching by using semantic analysis to cut false positives from test fixtures and example strings, and it can validate candidate secrets against the issuing service to separate live credentials from revoked or dummy ones.

Semgrep Assistant

An AI layer that triages findings and suggests fixes. It adds context to each finding, explaining what the vulnerability is and how to remediate it, so developers don’t have to research every rule ID themselves.

Installation

Method      Command
Homebrew    brew install semgrep
pip         python3 -m pip install semgrep
Docker      docker run --rm -v "${PWD}:/src" semgrep/semgrep semgrep --config=auto

Getting started

1. Install Semgrep. Use brew install semgrep, python3 -m pip install semgrep, or the Docker image. The pip package bundles the native scanning engine, so nothing beyond a Python interpreter is needed.
2. Run your first scan. Run semgrep --config=auto . in your project directory. This pulls the recommended ruleset from the registry and finishes in seconds on most projects.
3. Write a custom rule. Create a YAML file with a pattern that looks like the code you want to find, then point Semgrep at it with semgrep --config path/to/rule.yaml. Test it interactively at semgrep.dev/editor.
4. Add to CI. Run semgrep ci in your pipeline. Official configs exist for GitHub Actions, GitLab CI, Jenkins, Buildkite, and CircleCI.
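Step 4 as a complete GitHub Actions workflow. This is an added example that follows the layout Semgrep documents for GitHub Actions; it is not a file from this page or from the Semgrep project. The weekly schedule, the image-pinning advice and the `.semgrep/` directory for custom rules are assumptions; SEMGREP_APP_TOKEN is the environment variable the CLI reads for platform login, and the secret of that name is one you create in the repository settings.

```yaml
# .github/workflows/semgrep.yml  (added example, not part of the original page)
name: Semgrep
on:
  pull_request: {}
  push:
    branches: ["main"]
  schedule:
    # Weekly full scan so newly published rules are applied to existing code
    # (schedule is an assumption; pick what suits your release cadence).
    - cron: "17 3 * * 1"

permissions:
  contents: read   # least privilege: the job only needs to read the repository

jobs:
  semgrep:
    name: semgrep/ci
    runs-on: ubuntu-latest
    # Pin the scanner image to a released version tag (or a digest) instead of
    # the floating default so the scanner itself is a reproducible input.
    container:
      image: semgrep/semgrep
    # Dependabot PRs do not receive repository secrets, so skip them.
    if: (github.actor != 'dependabot[bot]')
    steps:
      - uses: actions/checkout@v4
      # Platform mode: rules, policies and results are managed in the Semgrep
      # AppSec Platform; the token is a repository secret you create.
      - run: semgrep ci
        env:
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
      # OSS-only alternative (no account): replace the step above with this one.
      # `.semgrep/` is an assumed directory holding your own rule files;
      # --error makes the command exit non-zero when findings exist, so the
      # job fails the check.
      # - run: semgrep scan --config auto --config .semgrep/ --error
```

The `permissions` block is deliberate: the pull-request comments shown earlier are posted by the Semgrep platform through its GitHub App, not by this workflow, so the job token needs nothing beyond read access.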

When to use Semgrep

The open-source CLI is a good fit for individual developers and small teams that want fast SAST they can extend with custom rules. The commercial platform adds dashboards, team management, the Pro Engine for cross-file dataflow, and SCA for organizations that need more coverage.

Used by Lyft, Dropbox, Snowflake, HashiCorp, Trail of Bits, GitLab, and Figma. For a detailed comparison with other tools, see our guides on Semgrep alternatives and Semgrep vs CodeQL.

Best for
Teams that want fast static analysis with custom rules they can write in minutes. The OSS CLI is free; the platform adds cross-file dataflow and SCA for larger organizations.

Frequently Asked Questions

What is Semgrep?
Semgrep is a static analysis tool that finds bugs and security vulnerabilities using pattern-matching rules. The open-source CLI supports 30+ languages and is licensed under LGPL-2.1. The commercial platform adds SAST with cross-file dataflow (Pro Engine), SCA with reachability analysis, and secrets detection.
Is Semgrep free?
The open-source CLI is free and includes access to 2,000+ community rules. The commercial Semgrep AppSec Platform, which adds the Pro Engine, 20,000+ proprietary rules, team dashboards, and CI/CD management, requires a paid plan.
How fast is Semgrep?
Median CI scan time is 10 seconds according to the Semgrep website. The tool runs locally by default and code is never uploaded unless you opt into the cloud platform; fetching registry rules does send anonymized usage metrics unless you disable them.
What languages does Semgrep support?
Semgrep supports 30+ languages including Python, JavaScript, TypeScript, Go, Java, C, C++, C#, Ruby, Rust, Kotlin, PHP, Swift, Scala, Terraform, Dockerfile, and more. It also has a generic mode for formats it does not parse, such as ERB and Jinja templates or arbitrary configuration files.
How does Semgrep compare to SonarQube?
Semgrep is faster to set up and its rule syntax is easier to learn, since rules look like the code you want to match. SonarQube covers broader code quality analysis beyond security, including code smell detection and technical debt tracking.