semgrep: Lightweight static analysis for many languages
10 months ago
- #code-security
- #static-analysis
- #developer-tools
- Semgrep is a fast, open-source, static analysis tool for code, supporting 30+ languages.
- Semgrep Community Edition has limitations in security contexts; the Semgrep AppSec Platform is recommended for security purposes.
- Semgrep AppSec Platform offers improved analysis, AI post-processing, and customizable policies.
- Semgrep supports local analysis, with code never uploaded by default.
- Semgrep Code supports over 30 languages, and Semgrep Supply Chain supports 12 languages across 15 package managers.
- New users are recommended to start with the Semgrep AppSec Platform for a visual interface and demo project.
- Semgrep CLI can be installed via Homebrew, pip, or Docker, and includes features like Semgrep Supply Chain and Pro rules.
- The Semgrep ecosystem includes Community Edition, AppSec Platform, Code (SAST), Supply Chain (SSC), Secrets scanning, and Assistant (AI).
- Semgrep rules are written in a syntax that resembles the code being analyzed, so rule authors do not have to work with abstract syntax trees or learn a separate DSL.
- Semgrep is used by companies like GitLab, Dropbox, and Slack, and is developed by Semgrep, Inc.