Semgrep is a fast, open-source, static analysis tool that excels at expressing code standards — without complicated queries — and surfacing bugs early in the development flow. Precise rules look like the code you’re searching; no more traversing abstract syntax trees or wrestling with regexes.
Start right away with 900+ rules and SaaS infrastructure to get fast results in your editor, at commit-time, or in CI.
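As an added illustration of what "rules look like the code you're searching" means in practice, here is a small Semgrep rule written for this page (it is not a rule from the Semgrep registry or from the product itself). It flags Python `exec()` calls whose argument is anything other than a fixed string literal; the rule id, message and the file name in the usage note are assumptions:

```yaml
# Example Semgrep rule written for this page (not a registry rule).
# The pattern is written in the syntax of the target language: `$ARG` is a
# metavariable that binds any single expression, and `"..."` matches any
# string literal. Matching is done on the parsed AST, so spacing such as
# `exec (foo)` versus `exec(foo)` makes no difference.
rules:
  - id: python-exec-non-literal        # assumed rule id
    languages: [python]
    severity: WARNING
    message: >
      exec() is called with a non-literal argument ($ARG). If any part of
      that value can be influenced by a user, this is arbitrary code
      execution. Prefer a dispatch table (dict of allowed callables) for
      behaviour selection and ast.literal_eval for parsing data.
    patterns:
      - pattern: exec($ARG)       # any exec() call with one argument
      - pattern-not: exec("...")  # but not when the argument is a fixed literal
```

Saved as `exec-rule.yaml` (assumed name) and run with `semgrep --config exec-rule.yaml target.py`, the rule reports `exec(some_var)` and `exec (foo)` but stays silent on `exec("ls")`: a literal cannot carry attacker-controlled data at runtime, whereas a variable might. Because the `patterns:` block is a conjunction, each clause narrows the match, which is how precision is tuned without resorting to regular expressions.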
Co-author, OWASP ASVS standard
The evolution of bug hunting is currently happening and it’s pretty damn cool. We’ve become accustomed to clunky monolithic tools that add friction and cost a fortune, but amongst these dinosaurs has risen Semgrep and it’s really showing people how you too can be a lean mean fighting bug hunting machine.
Semgrep offers an intuitive rule engine interface that I haven’t seen in any other static code analysis tool… Other tools are often poorly documented and difficult to write, understand, and maintain. Semgrep makes it easy to rewrite complex matchers into one or two simple rules that are easy to maintain by almost all engineers.
Founder & Chief Technologist, we45
I’ve fallen in love with an awesome tool recently, called Semgrep. It’s a lightweight static analysis tool for many languages. Along with GitHub’s CodeQL, it is — in my opinion — the future of AppSec and DevSecOps.
Cloud Security Architect, Snowflake
I love that Semgrep lets Snowflake software engineers write rules to enforce security standards and requirements. Snowflake is all about empowering software engineers to express domain specific security requirements themselves. With Semgrep, each team can assert their security requirements easily and continuously, enabling us to scale and re-use this capability across the entire org.
In 5 minutes my team was able to write a rule that finds all unauthenticated routes.
Jonathan Werrett | @werrett
Head of Information Security, Fitbit
As the CTO of a rapidly growing software security company, making our own development secure is critical to our business. Semgrep picks the right rules for us and runs them quickly in the right place. And I can still write custom rules to catch specific issues unique to our code.
Jean-Baptiste Aviat | @JbAviat
Co-founder & CTO, Sqreen
Semgrep reduced our security review load by pinpointing code we actually care about in our monolithic repos. Now we can guide developers towards writing more secure code without direct involvement from the security team.
Jasvir Nagra | @jasvir
Security Engineer, Dropbox
Semgrep bridges a gap between fast and accurate tooling that hadn’t been possible with the traditional approach to code scanning.
Chris Rioux | @christienrioux
A product is only as good as its developers: the r2c team consistently provides incredibly responsive and rapid support. Semgrep is the code validation/enforcement tool you need — you just do not realize it yet!
Michael Sorens | @msorens
Sr. Software Engineer, Chef
I just want to reiterate that there's almost zero time between thinking ‘I should find code that looks like this’ and having a check that finds code that looks like that.
Damian Gryski | @dgryski