Semgrep

Semgrep delivers a developer-friendly application security platform that combines an open-source local SAST engine with a paid AppSec platform for teams and enterprises. It supports static code analysis, supply-chain (SCA) checks, and semantic secrets detection, and includes an AI Assistant for triage and remediation guidance. Semgrep runs locally via a CLI or as a managed platform and integrates with CI/CD and developer tools to surface findings in native workflows.

• Open-source Community Edition — use the CLI to run local SAST scans, access community rules, and export findings in SARIF/JSON to integrate with CI systems.
• Teams & Enterprise tiers — subscribe to team or enterprise plans for Pro rules, cross-file analysis, managed scanning, dashboards, RBAC and SSO; contact sales for custom enterprise pricing.
• Semgrep Assistant (AI) — AI-assisted triage, remediation guidance, auto-triage and auto-fix capabilities, and AI Memories to codify policy context for better results.
• Rule Registry & Pro Engine — share and reuse rules from the registry; upgrade for dataflow/reachability analysis to reduce false positives.
• Developer integrations — integrate with GitHub/GitLab/Bitbucket, CI systems, IDEs (VS Code, JetBrains), Slack, Jira, and REST APIs to surface findings where developers work.

Getting started: install the Semgrep CLI to scan code locally or sign up for the Semgrep AppSec Platform to onboard repositories, enable Pro rules and the Assistant, and connect CI/CD and SCM integrations.