Fast, open-source static analysis tool for finding security vulnerabilities and bugs in code.
Semgrep is a fast, open-source static analysis engine that enables security engineers and developers to write custom rules that find bugs, security vulnerabilities, and anti-patterns in code across 30+ programming languages. Unlike traditional SAST tools that rely on vendor-defined rule libraries, Semgrep's syntax closely mirrors the source code being analyzed, making it easy to write and understand custom rules without deep compiler knowledge. Semgrep Code provides a curated library of high-signal security rules maintained by the Semgrep research team, while Semgrep Supply Chain scans open-source dependencies for reachable vulnerabilities. Semgrep Secrets detects API keys and credentials in code. The platform integrates natively into CI/CD pipelines and developer IDEs, enabling shift-left security that catches vulnerabilities before they reach production. Companies like Dropbox, Figma, and Snowflake use Semgrep to run security checks at scale.