Semgrep
Static application security testing and AppSec platform that provides SAST, SCA, and secrets detection with AI-assisted triage, a rules registry, CLI/CI integration, and IDE plugins.
At a Glance
About Semgrep
Semgrep delivers a developer-friendly application security platform that combines an open-source local SAST engine with a paid AppSec platform for teams and enterprises. It supports static code analysis, supply-chain (SCA) checks, and semantic secrets detection, and includes an AI Assistant for triage and remediation guidance. Semgrep runs locally via a CLI or as a managed platform and integrates with CI/CD and developer tools to surface findings in native workflows.
- Open-source Community Edition — use the CLI to run local SAST scans, access community rules, and export findings in SARIF/JSON to integrate with CI systems.
- Teams & Enterprise tiers — subscribe to team or enterprise plans for Pro rules, cross-file analysis, managed scanning, dashboards, RBAC and SSO; contact sales for custom enterprise pricing.
- Semgrep Assistant (AI) — AI-assisted triage, remediation guidance, auto-triage and auto-fix capabilities, and AI Memories to codify policy context for better results.
- Rule Registry & Pro Engine — share and reuse rules from the registry; upgrade for dataflow/reachability analysis to reduce false positives.
- Developer integrations — integrate with GitHub/GitLab/Bitbucket, CI systems, IDEs (VS Code, JetBrains), Slack, Jira, and REST APIs to surface findings where developers work.
Getting started: install the Semgrep CLI to scan code locally or sign up for the Semgrep AppSec Platform to onboard repositories, enable Pro rules and the Assistant, and connect CI/CD and SCM integrations.
Community Discussions
Be the first to start a conversation about Semgrep
Share your experience with Semgrep, ask questions, or help others learn from your insights.
Pricing
Community Edition
Open-source local SAST engine for individual developers and projects.
- Open-source SAST engine (LGPL 2.1)
- Community-managed rules and registry
- CLI for local scans and CI integration
- Cross-platform support: macOS, Windows, Linux
- SARIF/JSON output and rule authoring
Teams
Extensible AppSec for growing teams; pricing is per contributor and starts at $40/month per contributor.
- Pro rules and cross-file analysis
- Semgrep Assistant (AI) for triage and fixes
- Managed scanning, dashboards, and policy engine
- Single sign-on (SSO) and role-based access control (RBAC)
Enterprise
Custom pricing and deployment options for large organizations; contact sales for details.
- Everything in Teams plus dedicated account manager and white-glove onboarding
- Volume pricing, roadmap access, and feature prioritization
- Extended support and SLAs
Capabilities
Key Features
- Open-source CLI SAST engine (Semgrep CE)
- Supply-chain scanning (SCA) and secrets detection
- AI-assisted triage and remediation with Semgrep Assistant
- Pro Engine with cross-file and dataflow/reachability analysis
- Registry of community and private rules
- CI/CD and SCM integrations with SARIF/JSON output
- IDE plugins for VS Code and JetBrains
- Managed AppSec Platform with dashboards, policies, and RBAC
Integrations
Demo Video
