Fast static analysis with rules that look like the code itself
LGPL-2.1
- OCaml
- Python
- Standard ML

About Semgrep
Semgrep is a fast, open source static analysis engine. Its defining idea is that rules look like the source code you already write, so a pattern such as the buggy snippet you want to ban matches without wrestling with abstract syntax trees or regex. It runs in an IDE, as a pre-commit check, or in CI/CD.
Semgrep supports more than 30 languages and analyzes code locally by default, so source is never uploaded. The open source Community Edition reasons within a single function or file, which is enough to enforce coding standards and catch many bugs.
For deeper security work, Semgrep Inc offers the AppSec Platform, which adds cross-file and cross-function analysis, data-flow reachability, AI-assisted triage, and policy controls. The CLI installs through Homebrew, pipx, uv, or Docker.
Key features
- Rules written as source-code patterns
- Runs in IDE, pre-commit, and CI/CD
- Local scans by default, code never uploaded
- Supports more than 30 languages
- Paid platform adds cross-file and cross-function analysis
Details
- First released: 2019
- Platforms: CLI · Docker · IDE
- Deployment: self-hostable · docker · offline
- Languages: 30+
- Origins: Semgrep Inc
- Latest release: v1.166.0
