Find bugs and reachable dependency vulnerabilities in code. Enforce your code standards on every commit.
Scan with Semgrep AppSec Platform
Deploy static application security testing (SAST), software composition analysis (SCA), and secrets scans from one platform.
Get started
Run your first Semgrep scan.
Deploy Semgrep
Deploy Semgrep to your organization quickly and at scale.
Triage and remediate
Triage and remediate findings; fine-tune guardrails for developers.
Write rules
Create custom rules to enforce your organization's coding standards.
Supported languages
Product | Languages |
---|---|
Semgrep Code | Generally available (GA): C and C++ • C# • Generic • Go • Java • JavaScript • JSON • Kotlin • Python • TypeScript • Ruby • Rust • JSX • PHP • Scala • Swift • Terraform. Beta: APEX • Elixir. Experimental: Bash • Cairo • Circom • Clojure • Dart • Dockerfile • Hack • HTML • Jsonnet • Julia • Lisp • Lua • Move on Aptos • Move on Sui • OCaml • R • Scheme • Solidity • YAML • XML |
Semgrep Supply Chain | Generally available reachability: C# • Go • Java • JavaScript and TypeScript • Kotlin • PHP • Python • Ruby • Scala • Swift. Languages without support for reachability analysis: Dart • Elixir • Rust |
Semgrep Secrets | Language-agnostic; can detect 630+ types of credentials or keys. |
See the Supported languages documentation for more details.
May 2025 release notes summary
- Java and Kotlin: Projects can now be scanned without lockfiles through Semgrep Managed Scans.
- Assistant Memories v2 is now in public beta:
  - Managing memories in Semgrep AppSec Platform now occurs under Rules & Policies, not Settings.
  - Semgrep AppSec Platform displays data on the scope and impact of memories, including the number of findings affected and which findings are affected.
  - Assistant now provides suggested memories, which are those that Assistant has generated based on your past triage actions. You can view these memories at any time in Semgrep AppSec Platform by navigating to Rules & Policies > Assistant Memories > Suggested. For each suggestion, you can choose one of the following actions:
    - Activate the suggested memory to inform Assistant's future advice.
    - Edit the memory, then activate it.
    - Delete the memory.
- Improved the Supply Chain UX in various pages:
  - If the finding has a function call that proves the finding is reachable, this function call is highlighted in the code in the finding's Details page.
  - Added context in PR comments as to why a finding is reachable, under the section Why this is reachable. This alerts developers to the impact of a reachable finding.
  - Improved how filters are presented in the Supply Chain > Vulnerabilities page.
  - Unreachable findings are hidden by default from the findings list.
- Improved performance of Semgrep Secret scans due to back-end updates.