
    Semgrep docs

    Find bugs and reachable dependency vulnerabilities in code. Enforce your code standards on every commit.

    Scan with Semgrep AppSec Platform

    Deploy static application security testing (SAST), software composition analysis (SCA), and secrets scans from one platform.

    Supported languages

    Product    Languages

    Semgrep Code
      Generally available (GA)
      C and C++ • C# • Generic • Go • Java • JavaScript • JSON • Kotlin • Python • TypeScript • Ruby • Rust • JSX • PHP • Scala • Swift • Terraform

      Beta
      APEX • Elixir

      Experimental
      Bash • Cairo • Circom • Clojure • Dart • Dockerfile • Hack • HTML • Jsonnet • Julia • Lisp • Lua • Move on Aptos • Move on Sui • OCaml • R • Scheme • Solidity • YAML • XML

    Semgrep Supply Chain
      Generally available reachability
      C# • Go • Java • JavaScript and TypeScript • Kotlin • PHP • Python • Ruby • Scala • Swift

      Languages without support for reachability analysis
      Dart • Elixir • Rust

    Semgrep Secrets
      Language-agnostic; can detect 630+ types of credentials or keys.

    See the Supported languages documentation for more details.

    January 2026 release notes summary

    • Semgrep AppSec Platform's Findings page displays more descriptive rule group names, and the Finding Details page displays more descriptive rule names. For example, sequelize-express is now SQL injection in Sequelize with Express.
    • CLI:
      • Improved the performance of scan planning by reducing the cost of re-hashing Target objects. Semgrep's performance improvement on scans of large projects is proportional to the number of files in the project.
      • In --debug mode, Semgrep warns you if you attempt to run a parallel scan with a larger value for -j/--jobs than the number of CPUs Semgrep has detected as available for use.
      • Semgrep now provides a suggested starting value for -j/--jobs.
      • semgrep login now supports the use of --force, which ignores existing tokens and starts a new login session.
    • Supply Chain's reachability analysis now covers all critical and high severity CVEs from supported sources starting in 2017 across all supported languages.
    • Supply Chain now supports Gradle lockfiles of the form gradle*.lockfile. Previously, only files with the exact name gradle.lockfile were supported.
    • Supply Chain's dependency search now allows you to search for one or more packages using:
      • The name of the package
      • An exact version number
      • A range of version numbers
    • Members can now create suggested memories for Assistant when triaging findings in Semgrep AppSec Platform. Previously, only admins could do so.

    See the latest release notes

