High-velocity SAST and supply chain security platform powered by Semgrep Assistant. Uses AI Memories to auto-triage findings with 96% accuracy and generate context-aware autofix code patches tailored to your codebase style. The open-source engine drives community adoption while the cloud platform adds management, reporting, and CI/CD blocking policies.
Semgrep is a SAST and SCA platform. The SAST engine uses abstract syntax tree pattern matching rather than text matching, making patterns language-aware. Scans run in seconds on typical PR diffs, fast enough to gate every PR without blocking the merge queue.
Semgrep Assistant adds AI triage using AI Memories — a model built from historical accepted and dismissed findings on the codebase. The Assistant classifies new findings as true or false positive at approximately 96% accuracy and generates code-level autofix patches that match the codebase's conventions.
Semgrep Supply Chain adds dependency vulnerability detection with reachability analysis: it traces whether a CVE in a dependency is reachable from an actual call site in the application code, filtering out findings with no exploitable path. The rule set includes 5,000+ community rules in a readable YAML format, plus support for custom rules using the same syntax. The OSS engine and community rules are free; the cloud platform (Team and Enterprise) adds centralized policy management, AI Assistant, and autofix.
Key Features
AST-based pattern matching SAST engine: matches code structure rather than text strings, making patterns language-aware and resistant to trivial obfuscation — runs in seconds per PR rather than minutes
Semgrep Assistant AI triage with AI Memories: classifies findings as true or false positive using patterns learned from your codebase's accepted and dismissed findings — reduces manual triage volume by approximately 72%
Autofix patches: generates inline code-level fixes for flagged issues as PR diff comments, allowing developers to apply the fix with one click rather than looking up the remediation pattern separately
Semgrep Supply Chain (SCA) with reachability: traces whether a dependency CVE is reachable from an actual call site in the application code — only surfaces vulnerabilities with an exploitable path, not all transitive dependencies
5,000+ community rules plus custom YAML rule authoring: patterns are readable, auditable, and shareable without specialized AppSec tooling — teams write rules for internal APIs and frameworks in the same syntax as community rules
Sub-30-second CI runtime: fast enough to run on every PR without blocking the merge queue; native integrations with GitHub Actions, GitLab CI, Jenkins, and Bitbucket Pipelines
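As an added illustration of the custom YAML rule authoring and AST-based matching described above (this is not code from the Semgrep project or from this page), two rules for a hypothetical internal HTTP client module `internal_http`; the module, its `get()` function, and the `allowlist_host()` helper are assumptions made for the example.

```yaml
rules:
  - id: internal-http-missing-timeout
    languages: [python]
    severity: WARNING
    message: >-
      internal_http.get() called without a timeout; a stalled upstream
      host ties up the worker indefinitely. Pass timeout=<seconds>.
    patterns:
      # The call is matched as an AST node, so whitespace, line breaks and
      # `from internal_http import get` aliases all hit the same pattern.
      - pattern: internal_http.get(...)
      # Exclude calls that already pass a timeout keyword in any position.
      - pattern-not: internal_http.get(..., timeout=$T, ...)

  - id: internal-http-url-from-request
    mode: taint
    languages: [python]
    severity: ERROR
    message: >-
      Request-controlled value reaches the URL argument of internal_http.get()
      without passing through allowlist_host(); review for SSRF.
    pattern-sources:
      - pattern: flask.request.args.get(...)
      - pattern: flask.request.form.get(...)
    pattern-sanitizers:
      # Hypothetical helper that returns the URL only if its host is allowlisted.
      - pattern: allowlist_host(...)
    pattern-sinks:
      - patterns:
          # Only the URL argument is the sink, not the whole call expression.
          - pattern-inside: internal_http.get($URL, ...)
          - pattern: $URL
```

Run with `semgrep --config rules.yaml src/`; expected matches can be pinned in a test file with `# ruleid: <id>` and `# ok: <id>` comments so the rules are checked in CI alongside the code.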
Integrations (4 total)
SCM: GitHub, GitLab
Messaging: Slack
CI/CD: Terraform
Pricing (4 tiers)
Free: Free. Unlimited public repositories, Semgrep Code + Supply Chain standard rules, Semgrep Assistant AI triage, community support
Secrets Detection (Add-on): $15/seat/mo. Per seat/month; semantic and entropy analysis, secret validation, pre-commit hooks
Team: $40/seat/yr. Per contributor/month; unlimited private repos, cross-file taint analysis, Pro rules, PR comments, Slack/Jira integration
Enterprise: Contact sales. Custom pricing; SSO/SAML, SCIM, audit logs, custom policies, dedicated support