Skip to main content
    Semgrep themed logoSemgrep themed logo

    Semgrep docs

    Find bugs and reachable dependency vulnerabilities in code. Enforce your code standards on every commit.

    Scan with Semgrep AppSec Platform

    Deploy static application security testing (SAST), software composition analysis (SCA), and secrets scans from one platform.

    Get started

    Run your first Semgrep scan.

    Deploy Semgrep

    Deploy Semgrep to your organization quickly and at scale.

    Triage and remediate

    Triage and remediate findings; fine-tune guardrails for developers.

    Write rules

    Enforce your organization’s coding standards with custom rules.

    Supported languages

    ProductLanguages
    Semgrep CodeGenerally available (GA)
    C and C++ • C# • Generic • Go • Java • JavaScript • JSON • Kotlin • Python • TypeScript • Ruby • Rust • JSX • PHP • Scala • Swift • Terraform

    Beta
    APEX • Elixir

    Experimental
    Bash • Cairo • Circom • Clojure • Dart • Dockerfile • Hack • HTML • Jsonnet • Julia • Lisp • Lua • Move on Aptos • Move on Sui • OCaml• R • Scheme • Solidity • YAML • XML
    Semgrep Supply ChainGenerally available reachability
    C# • Go • Java • JavaScript and TypeScript • Kotlin • PHP • Python • Ruby • Rust • Scala • Swift

    Languages without support for reachability analysis
    Dart • Elixir
    Semgrep SecretsLanguage-agnostic; can detect 630+ types of credentials or keys.

    See Supported languages for more details.

    April 2026 release notes summary

    • Added the ability to manually run full scans for the non-default or non-primary branches using Semgrep Managed Scans, as well as the ability to retry Semgrep Managed Scans that failed or didn't complete.
    • The interfile analysis engine has been redesigned to improve performance. These improvements change how findings are generated, which might result in additional true positives and fewer false positives.
    • Semgrep Playground is now mobile-friendly.
    • The Finding Details page now displays the reason why a finding was ignored at the top. Users no longer need to go to the Activity section to see this information.
    • Added Supply Chain reachability coverage for Rust.
    • Added dependency path information to SBOM exports and the /issues API endpoint.
    • Findings of critical or high severity with high or medium confidence identified during diff-aware scans are now included in autotriage analysis.

    See the latest release notes

    Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.