Semgrep: Static analysis tool for multiple languages
Pattern-based code scanner for 30+ languages.
# .github/workflows/semgrep.yml
name: Semgrep Security Scan
on:
  pull_request:
    branches: [main, develop]
  push:
    branches: [main]
jobs:
  semgrep:
    name: Security Analysis
    runs-on: ubuntu-latest
    container:
      image: returntocorp/semgrep
    steps:
      - uses: actions/checkout@v3
      - name: Run Semgrep with custom rules
        # --json and --sarif are mutually exclusive output formats, so a single
        # SARIF report is written and the gating step below counts from it.
        # --error is omitted here; if it made this step fail, the gating step
        # would never run.
        run: |
          semgrep scan \
            --config=auto \
            --config=.semgrep/custom-rules.yml \
            --sarif \
            --output=semgrep.sarif
      - name: Upload SARIF results
        uses: github/codeql-action/upload-sarif@v2
        if: always()
        with:
          sarif_file: semgrep.sarif
      - name: Check for blocking issues
        # python3 is used for counting because it is present in the semgrep
        # container image; jq is not guaranteed to be.
        run: |
          if [ -f semgrep.sarif ]; then
            ERROR_COUNT=$(python3 -c 'import json; d = json.load(open("semgrep.sarif")); print(sum(len(r["results"]) for r in d["runs"]))')
            if [ "$ERROR_COUNT" -gt 0 ]; then
              echo "Found $ERROR_COUNT security issues!"
              exit 1
            fi
          fi
Pattern syntax resembles code
Rules are written using patterns that look like the target language's source code, reducing the learning curve compared to regex-based or AST-focused approaches. This allows developers to express semantic searches without specialized syntax.
Multi-language support
The tool analyzes code across 30+ languages from a single rule engine, including compiled languages like C and Go, dynamic languages like Python and JavaScript, and configuration formats like YAML and Dockerfile.
Local-first analysis model
By default, Semgrep processes code locally without uploading to external services, allowing integration into offline environments and CI/CD systems with minimal infrastructure changes. The Community Edition performs single-file or single-function analysis, while the AppSec Platform adds cross-file and cross-function capabilities.
# custom-rules.yml
rules:
  - id: hardcoded-password
    pattern: password = "..."
    message: Hardcoded password detected
    severity: ERROR
    languages: [python]
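A richer custom rule that builds on the one above, added here as an example and not taken from the page or from the Semgrep project: a metavariable, a pattern-not exclusion and a metavariable-regex let one rule cover several credential-like names instead of the single identifier password. The rule id, the name list in the regex and the sample lines in the comments are my own choices.

```yaml
rules:
  - id: hardcoded-credential
    # $VAR is a metavariable: it binds whatever identifier sits on the left,
    # so one pattern covers password, db_passwd, API_TOKEN and similar names.
    # "..." matches any string literal, whatever its contents.
    patterns:
      - pattern: $VAR = "..."
      # Ignore empty placeholders that are filled in at runtime.
      - pattern-not: $VAR = ""
      # Only report when the bound identifier looks like a credential.
      - metavariable-regex:
          metavariable: $VAR
          regex: (?i).*(password|passwd|secret|api_key|token).*
    message: >-
      Hard-coded credential assigned to $VAR. Read it from the environment or
      a secret store instead so it is not committed to source control.
    severity: ERROR
    languages: [python]
    metadata:
      category: security

# Constructed sample lines and the expected outcome for each:
#   db_password = "hunter2"                  -> flagged
#   api_key = "sk-live-0000"                 -> flagged
#   password = ""                            -> not flagged (pattern-not)
#   password = os.environ["DB_PASSWORD"]     -> not flagged (not a string literal)
#   hostname = "db.internal"                 -> not flagged (metavariable-regex)
```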
# Python: run a scan from a script by invoking the semgrep CLI and parsing
# its JSON report. The package's internal semgrep_main module is not a
# stable public API, so the CLI is the supported entry point.
import json
import subprocess

proc = subprocess.run(
    ["semgrep", "scan", "--config=auto", "--json", "src/"],
    capture_output=True, text=True, check=False,  # exit code 1 means findings
)
results = json.loads(proc.stdout)["results"]

Adds progress indicators for CI scans and fixes several logging and packaging issues
- Added progress indicators for symbol analysis calculation and upload during CI scans
- Bumped glom to at least version 23.3, which includes a fix to a SyntaxWarning
- Semgrep no longer prints info log lines from semgrep-core RPC calls when --trace is passed and --debug isn't
- Fixed the README not appearing in built wheels
Migrates to uv package management and adds OAuth requirement for MCP server connections
- Connecting to the Semgrep MCP server via streamableHttp now requires OAuth
- Migrated from pipenv to uv for ./cli package management
- pro: Improved virtual method resolution in Scala
- Supply Chain Analysis: fixed version range matching for NPM packages with versions containing a prerelease identifier
Improves parallel scan performance warnings and enhances Java/Scala method resolution
- Added a warning in --debug mode when a user runs a parallel scan with a larger
- Upload symbol analysis on a per-subproject basis during supply chain scans
- The MCP server no longer supports SSE transport
- pro: Improved virtual method resolution in Java
- pro: Improved virtual method resolution in Scala