Semgrep: Static analysis tool for multiple languages
Pattern-based code scanner for 30+ languages.
# .github/workflows/semgrep.yml
name: Semgrep Security Scan

on:
  pull_request:
    branches: [main, develop]
  push:
    branches: [main]

jobs:
  semgrep:
    name: Security Analysis
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4

      # One output format per invocation: --json and --sarif are mutually
      # exclusive, so produce SARIF (which is itself JSON) and gate on it below.
      # --config=auto fetches rules from the Semgrep registry, so the runner
      # needs outbound network access; the code is still analysed locally.
      - name: Run Semgrep with custom rules
        run: |
          semgrep scan \
            --config=auto \
            --config=.semgrep/custom-rules.yml \
            --sarif \
            --output=semgrep.sarif

      - name: Upload SARIF results
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: semgrep.sarif

      # Fail the job only on ERROR-severity findings (SARIF level "error").
      # The image ships Python for semgrep itself, so jq is not needed.
      - name: Check for blocking issues
        run: |
          python3 - <<'EOF'
          import json, sys
          runs = json.load(open("semgrep.sarif"))["runs"]
          errors = [r for run in runs for r in run.get("results", [])
                    if r.get("level") == "error"]
          if errors:
              print(f"Found {len(errors)} blocking security issues!")
              sys.exit(1)
          EOF
Pattern syntax resembles code
Rules are written using patterns that look like the target language's source code, with two additions: metavariables such as $X, which bind any expression or identifier, and the ellipsis ..., which matches any sequence of arguments, statements or string characters. This keeps the learning curve low compared to regexes or hand-written AST visitors, and lets developers express semantic searches without a separate query language.
Multi-language support
The tool analyzes code across 30+ languages from a single rule engine, including compiled languages like C and Go, dynamic languages like Python and JavaScript, and configuration formats like YAML and Dockerfile.
Local-first analysis model
Semgrep analyses code locally and never uploads source to external services, so it fits offline environments and CI/CD systems with minimal infrastructure changes. Note that --config=auto still fetches rules from the Semgrep registry and sends anonymous metrics; for a fully offline run, point --config at local rule files and pass --metrics=off. The Community Edition's dataflow (taint) analysis is limited to a single function within a single file; the AppSec Platform's Pro engine adds cross-function and cross-file analysis.
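The two points above, patterns that read as source code and single-function taint tracking in the Community Edition, shown in one complete rule file. This is an added example, not a rule from the Semgrep registry or from this page; the file path, rule ids and the Flask/DB-API targets they describe are assumptions.

```yaml
# .semgrep/example-rules.yml (added example; path and ids are assumptions)
rules:
  # Syntactic rule: $CURSOR, $QUERY and $ARGS are metavariables that bind any
  # expression; "..." in argument position matches any remaining arguments.
  - id: python-sql-string-formatting
    languages: [python]
    severity: ERROR
    message: >
      SQL built with string formatting reaches execute(); pass values as the
      parameters argument instead of interpolating them into the query.
    pattern-either:
      - pattern: $CURSOR.execute($QUERY % $ARGS, ...)
      - pattern: $CURSOR.execute($QUERY.format(...), ...)
      - pattern: $CURSOR.execute(f"...", ...)
    # Match:     cur.execute("SELECT * FROM t WHERE id = %s" % user_id)
    # No match:  cur.execute("SELECT * FROM t WHERE id = %s", (user_id,))
    paths:
      exclude:
        - "tests/"

  # Taint rule: tracks request data to open() within one function, which is
  # what the Community Edition supports; flows across functions or files need
  # the Pro engine. Python imports are resolved, so `from flask import request`
  # followed by request.args.get("f") matches the fully qualified source.
  - id: python-flask-path-traversal
    mode: taint
    languages: [python]
    severity: ERROR
    message: User-controlled path from the request reaches open() unsanitised.
    pattern-sources:
      - pattern: flask.request.args.get(...)
      - pattern: flask.request.form.get(...)
    pattern-sanitizers:
      - pattern: werkzeug.utils.secure_filename(...)
    pattern-sinks:
      - patterns:
          - pattern: open($PATH, ...)
          - focus-metavariable: $PATH
```

Check the file with `semgrep scan --validate --config .semgrep/example-rules.yml` before wiring it into CI, then run it with `semgrep scan --config .semgrep/example-rules.yml src/`. The `paths.exclude` entry keeps test fixtures out of the first rule without weakening the pattern; `focus-metavariable` restricts the sink to the path argument so a tainted value in `open()`'s mode argument is not reported.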
# custom-rules.yml
rules:
  - id: hardcoded-password
    # "..." matches any string literal, so any literal assigned to a variable
    # named password is reported
    pattern: password = "..."
    message: Hardcoded password detected
    severity: ERROR
    languages: [python]
# Python code to scan: drive the CLI and parse its JSON report
# (Semgrep has no stable in-process Python API, so invoke the binary)
import json
import subprocess

proc = subprocess.run(
    ["semgrep", "scan", "--config=auto", "--json", "src/"],
    capture_output=True, text=True,
)
results = json.loads(proc.stdout)["results"]
for finding in results:
    print(finding["check_id"], finding["path"], finding["start"]["line"])

Switches to multicore OCaml domains for parallel scans by default; legacy fork-join requires the --x-parmap flag (--x-eio is deprecated).
- Use --x-parmap to revert to legacy fork-join parallelism if multicore domains cause issues in your environment.
- Goroutines now participate in taint tracking as regular function calls, improving Go dataflow analysis coverage.

Fixes a rule-parsing regression from 1.139.0 that caused exit code 7 errors; improves Scala taint tracking and Supply Chain lockfile handling.
- Upgrade if you hit exit code 7 after 1.139.0; rule parsing now reverts to the prior behaviour to restore stability.
- Pass `--allow-local-builds` to resolve build.gradle.kts files; uv lockfiles now parse editable dependencies correctly.

Fixes implicit-return detection in Ruby and Scala, adds http4s pattern support, and resolves an eio multicore crash.
- Upgrade if you scan Ruby or Scala code with implicit returns; string interpolation now matches correctly.
- Use `$M -> ... / $X / ...` patterns for http4s routing in Scala (Pro feature).
Related Repositories
DOMPurify
DOM-based XSS sanitizer using native browser parsing.
openssl
C-based cryptographic library implementing TLS, DTLS, and QUIC protocols.
httpx
Fast HTTP probing with response metadata extraction.
DVWA
PHP/MariaDB training platform for web security exploitation practice.
gitleaks
Regex-based secret scanner for git repositories.