CodexSpot

Semgrep

Open-source static analysis for finding bugs and enforcing security policies at code review speed

Tags: Security, CLI, Web, Freemium

Overview

Semgrep is an open-source static analysis tool that uses a pattern-matching syntax closely resembling the source language it scans. Security and engineering teams write custom rules to detect application-specific vulnerabilities, anti-patterns, and policy violations. Semgrep OSS is free, and Semgrep AppSec Platform adds managed rule sets, supply chain scanning, and CI/CD orchestration.

Use Cases

  • Finding security vulnerabilities like SQL injection, XSS, and path traversal in application code
  • Enforcing custom coding standards and architectural rules across a codebase
  • Detecting use of deprecated or banned functions and APIs
  • Scanning open-source dependencies for known vulnerabilities (Semgrep Supply Chain)
  • Running lightweight code review checks as part of CI/CD without full compilation
  • Writing organization-specific rules to catch recurring bug patterns

Features

  • Source-language pattern matching syntax
  • Multi-language support (Python, JavaScript, Go, Java, Ruby, and more)
  • Open-source rule engine
  • Managed rulesets from Semgrep Registry
  • Supply chain vulnerability scanning
  • CI/CD integration
  • Findings dashboard (Semgrep AppSec Platform)
  • Custom rule authoring
  • Dataflow analysis for taint tracking
  • SARIF output for integration with security tools

Integrations

  • GitHub
  • GitLab
  • Bitbucket
  • GitHub Actions
  • Jenkins
  • CircleCI
  • Azure DevOps
  • VS Code
  • Slack
  • DefectDojo

Getting Started

  1. Install Semgrep with `pip install semgrep` or `brew install semgrep`
  2. Run `semgrep --config auto .` to scan your project using automatically selected community rules
  3. Browse the Semgrep Registry at semgrep.dev/r to find rules for your language and framework
  4. Write a custom rule in a YAML file using Semgrep's pattern syntax and test it with `semgrep --config my-rule.yaml .`
  5. Add Semgrep to your CI/CD pipeline using the official GitHub Action or a CLI invocation

Practical Notes

  • The open-source CLI is free with no usage limits; the managed AppSec Platform is freemium with limits on the free tier
  • Rule quality varies in the community registry — review findings critically before marking them as false positives
  • Semgrep does not execute code, so it can produce false positives; taint analysis reduces these but adds analysis time
  • Very large monorepos may require incremental scanning configuration to avoid long CI run times

This listing is for informational purposes only. CodexSpot is not affiliated with Semgrep.