overview
What is Semgrep?
Semgrep is a static analysis tool developed by Semgrep (company) that enables developers and organizations to find and fix security issues and vulnerabilities in code. It combines static analysis with multimodal AI detection to uncover OWASP risks, business logic flaws, and IDORs that traditional scanners often miss. Semgrep functions as a static application security testing (SAST) tool, a software composition analysis (SCA) tool, and a secrets detection tool. Its core strength lies in its ability to parse source code into an Abstract Syntax Tree (AST), enabling it to understand code structure and detect issues that span multiple lines or files. Semgrep supports over 30 programming languages, including Python, JavaScript, Go, Java, PHP, Ruby, C#, Rust, Scala, Swift, and Terraform, with new languages added regularly. It integrates seamlessly into CI/CD pipelines (GitHub Actions, GitLab CI, CircleCI, Jenkins), IDEs, and can run as a pre-commit check.