Shift left with fast static analysis

Modern security teams are “paving the road” for developers — enforcing code guardrails on every commit. r2c’s Semgrep can eliminate vulnerability classes organization-wide. Scale your security team with lightweight static analysis.


Great teams run Semgrep 🎉

Enforce security on every commit

Semgrep is a fast, open-source, static analysis tool that excels at expressing code standards — without complicated queries — and surfacing bugs early in the development flow. Precise rules look like the code you’re searching; no more traversing abstract syntax trees or wrestling with regexes.

Start right away with 900+ rules and SaaS infrastructure to get fast results in your editor, at commit-time, or in CI.

Easily write custom rules

When off-the-shelf rules aren’t enough, quickly and intuitively write custom rules to express your unique code standards.
Rules look like the code you’re searching. For example, rules for Go look like Go. Find function calls, class or method definitions, and more without having to understand abstract syntax trees or wrestle with regexes.

In 5 minutes my team was able to write a rule that finds all unauthenticated routes.

Jonathan Werrett | @werrett
Head of Information Security, Fitbit

This Semgrep pattern
Matches this source code
exec("ls");

exec(some_var);

exec (foo);

exec (
     bar
);

// exec(foo)

console.log("exec(bar)");
Semgrep’s syntax awareness goes beyond grep-style text-based matching.
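To make the difference concrete, here is an added example that is not Semgrep's code and not part of the original page. It mimics the exec demo above in Python (the page's sample is JavaScript; Python is used here only because its standard library ships a parser) with a constructed sample covering the same cases: a literal argument, a variable argument, odd spacing, a multi-line call, a commented-out call, and a string that merely contains the text "exec(bar)". A grep-style search flags every line containing "exec(", while walking the syntax tree reports only real call sites. The last helper goes one step beyond the page's demo and keeps only calls whose argument is not a string literal, the cases a reviewer actually cares about; the analogous Semgrep rule would combine `pattern: exec($X)` with `pattern-not: exec("...")`.

```python
"""Added illustration: syntax-aware matching versus text matching.

Not Semgrep's implementation. The sample source below is constructed for
this example; function and variable names are the author's own.
"""
import ast
import re

# Constructed sample mirroring the cases shown on the page.
SAMPLE = '''\
exec("ls")
exec(some_var)
exec (foo)
exec (
    bar
)
# exec(foo)
print("exec(bar)")
'''

# What a text-based search would use: "exec", optional whitespace, "(".
TEXT_PATTERN = re.compile(r"\bexec\s*\(")


def grep_exec(source: str) -> list[int]:
    """grep-style matching: every line whose text contains exec(."""
    return [n for n, line in enumerate(source.splitlines(), start=1)
            if TEXT_PATTERN.search(line)]


def _exec_calls(source: str) -> list[ast.Call]:
    """All Call nodes whose callee is the bare name `exec`."""
    return [node for node in ast.walk(ast.parse(source))
            if isinstance(node, ast.Call)
            and isinstance(node.func, ast.Name)
            and node.func.id == "exec"]


def ast_exec_calls(source: str) -> list[int]:
    """Syntax-aware matching: line numbers of actual exec(...) call sites.

    Comments and string literals never produce Call nodes, so they cannot
    match; a call split across lines is reported once, at its first line.
    """
    return sorted(node.lineno for node in _exec_calls(source))


def false_positives(source: str) -> list[int]:
    """Lines the text search flags that are not real call sites."""
    return sorted(set(grep_exec(source)) - set(ast_exec_calls(source)))


def exec_with_nonliteral_arg(source: str) -> list[int]:
    """Call sites whose first argument is anything but a string constant.

    Equivalent in spirit to a Semgrep rule with `pattern: exec($X)` and
    `pattern-not: exec("...")`: exec("ls") is excluded, exec(some_var) is kept.
    """
    hits = []
    for node in _exec_calls(source):
        if not node.args:
            continue
        first = node.args[0]
        if isinstance(first, ast.Constant) and isinstance(first.value, str):
            continue
        hits.append(node.lineno)
    return sorted(hits)


if __name__ == "__main__":
    print("text search      :", grep_exec(SAMPLE))                # [1, 2, 3, 4, 7, 8]
    print("syntax-aware     :", ast_exec_calls(SAMPLE))           # [1, 2, 3, 4]
    print("noise            :", false_positives(SAMPLE))          # [7, 8]
    print("non-literal args :", exec_with_nonliteral_arg(SAMPLE)) # [2, 3, 4]
```

Run it as a script to see the four lists side by side; the two extra lines the text search reports are the comment and the string literal, exactly the noise that syntax-aware matching removes.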


Prevent bugs that matter, immediately

Semgrep’s registry has 900+ open-source rules covering security, correctness, and performance bugs. Don’t DIY unless you want to.
Semgrep runs fast, presenting results that matter immediately in your workflow. Rules are tested over thousands of projects and improved by an amazing OSS community, OWASP members, and r2c.

As the CTO of a rapidly growing software security company, making our own development secure is critical to our business. Semgrep picks the right rules for us and runs them quickly in the right place. And I can still write custom rules to catch specific issues unique to our code.

Jean-Baptiste Aviat | @JbAviat
Co-founder & CTO, Sqreen

Scale your security

Semgrep Community and Semgrep Team provide SaaS infrastructure for operating a modern AppSec program — enforcing security on every commit and shifting left. They enable you to:
  • Centrally define code standards for your projects
  • See results where you already work: GitHub, GitLab, Slack, Jira, VS Code, and more
  • Monitor the impact of your standards on security
  • Host private rules

Semgrep reduced our security review load by pinpointing code we actually care about in our monolithic repos. Now we can guide developers towards writing more secure code without direct involvement from the security team.

Jasvir Nagra | @jasvir
Security Engineer, Dropbox

Semgrep bridges a gap between fast and accurate tooling that hadn’t been possible with the traditional approach to code scanning.

Chris Rioux | @christienrioux
Co-founder, Veracode

A product is only as good as its developers: the r2c team consistently provides incredibly responsive and rapid support. Semgrep is the code validation/enforcement tool you need — you just do not realize it yet!

Michael Sorens | @msorens
Sr. Software Engineer, Chef

I just want to reiterate that there's almost zero time between thinking ‘I should find code that looks like this’ and having a check that finds code that looks like that.

Damian Gryski | @dgryski
Gopher