Semgrep AppSec Platform

The platform delivers high-signal results and unifies management of SAST, SCA, and secrets scans across an organization. Sold separately or bundled, all products include:

  • simplified rollout, even across hundreds of repos
  • unified view of results with AI prioritization
  • fine-grained policy management

Semgrep Code

$40
per contributor per month

Features

  • Cross-file analysis
  • Pro rules
  • Semgrep Assistant (AI)

Semgrep Supply Chain

$40
per contributor per month

Features

  • Dataflow reachability analysis
  • License compliance
  • Dependency search + SBOM

Semgrep Secrets

$20
per contributor per month

Features

  • Secret validation
  • Semantic analysis
  • Entropy analysis

Need something custom?

Ask us about our Enterprise tier, including customized support plans and feature development.

Frequently asked questions

A contributor is someone who made a commit to one of your organization's private repositories scanned by Semgrep in the past month.

Many of us were security consultants in our previous roles! To inquire about using Semgrep in your consulting work, contact us.

Yes, and we love startups! To get access to special pricing, contact us!

No. Semgrep runs either locally or fully in your CI pipeline, and your source code never leaves your computer or your CI environment. Only metadata about Semgrep runs (see docs) is sent to Semgrep's service.

If you opt in to Semgrep Assistant, Semgrep's automated triage and code-remediation recommendations assisted by GPT-4, the Assistant feature submits the part of the file that contains a finding to OpenAI for processing by a GPT model. OpenAI is not allowed to use the submitted code to train its models.

If you opt in to Semgrep managed scanning, which lets you onboard and scan repositories without per-project provisioning, Semgrep's service clones your repository at the beginning of every scan. Once the scan completes, the clone is destroyed and is not persisted anywhere.

Users in the Team and Enterprise tiers can publish rules to the Semgrep Registry as private rules that are not visible to anyone outside their organization. Private rules let you keep rules that reveal sensitive details of your code, or that legal requirements prevent you from publishing, out of the public registry.

Pro rules are proprietary rules written by our security research team. Their goal is to provide a supported rule set with improved coverage across languages and vulnerability types that leverages the latest Semgrep features and yields high-confidence results.

"Had my first go at using @semgrep and quite like it. The capability of using base reference so it only reports on the diff from last commit is brilliant to keep it relevant to what is being worked on."

@madplatt
via Twitter / X

"Constantly reminded at how awesome @r2cdev's Semgrep is. From 0 to "check for missing authorisation logic" in about 15 mins."

@xntrik
via Twitter / X

"I am about to codify two years of institutional knowledge in a matter of weeks with audit rules and inner joins."

@lapt0r
via Twitter / X

"If you haven’t tried Semgrep out yet you really need to. Also *really* deep dive with it. Despite some of its rougher edges, it’s an insanely powerful code exploration tool."

@d0nutptr
via Twitter / X

">Use semgrep once
>Write DevSecOps expert on your personal website
>Profit"

@MortoOnTech
via Twitter / X