
    Application Security Platform

    Deployed on AWS
    Application Security Testing

    Overview

    Semgrep is a highly customizable application security platform built for security engineers and developers. Semgrep scans first- and third-party code to find security issues unique to an organization, with an emphasis on surfacing actionable, low-noise, and developer-friendly results at lightning speed.

    Semgrep's focus on confidence rating and reachability means that security teams can feel comfortable engaging developers directly in their workflows (e.g. surfacing findings in PR comments), and Semgrep integrates seamlessly with CI and SCM tooling to automate these policies.

    With Semgrep, security teams can shift left and scale their programs with zero impact on developer velocity. With 3400+ out-of-the-box rules and the ability to easily create custom rules, Semgrep shortens the time it takes to implement and scale a best-in-class AppSec program - all while adding value from Day 1.

    Highlights

    • Lightning fast code scanning that detects security vulnerabilities in 30+ languages with results prioritized for remediation
    • Reachability analysis of known vulnerabilities in used 3rd-party software components makes results actionable for developers
    • Easy-to-write custom rules to augment detection of security vulnerabilities, enforce coding standards, and improve code quality

    Details

    Delivery method

    Deployed on AWS



    Pricing

    Application Security Platform

    Pricing is based on the duration and terms of your contract with the vendor, and additional usage. You pay upfront or in installments according to your contract terms with the vendor. This entitles you to a specified quantity of use for the contract duration. Usage-based pricing is in effect for overages or additional usage not covered in the contract. These charges are applied on top of the contract price. If you choose not to renew or replace your contract before the contract end date, access to your entitlements will expire.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.

    12-month contract (3)

    Dimension           Description                                                             Cost/12 months
    Code (SAST)         Pro Engine + Pro Rules + Cloud Platform                                 $480.00
    Supply Chain (SCA)  Reachability + Dependency Search + License Compliance + Cloud Platform  $480.00
    Secrets             Secrets Scanning                                                        $720.00

    Additional usage costs (3)

    The following dimensions are not included in the contract terms and are charged based on your usage.

    Dimension                 Cost/user/hour
    Additional SAST Users     $0.05
    Additional SCA Users      $0.05
    Additional Secrets Users  $0.08

    Vendor refund policy

    No refunds


    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA).

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information


    Delivery details

    Software as a Service (SaaS)

    SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.

    Support

    Vendor support

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

    Customer reviews

    Ratings and reviews

    0 ratings (0 AWS reviews | 51 external reviews)
    Star ratings include only reviews from verified AWS customers. External reviews can also include a star rating, but star ratings from external reviews are not averaged in with the AWS customer star ratings.
    Avneesh J.

    Effortless Code Scanning—Much Easier Than Our Old Tool

    Reviewed on Oct 28, 2025
    Review provided by G2
    What do you like best about the product?
    It's a very user-friendly tool for scanning code repositories, and I find it much easier to use compared to our previous Checkmarx scan.
    It's quite easy to integrate with our existing code repository and can also be filtered based on the need.
    What do you dislike about the product?
    Since we have only recently started using this tool, there is nothing we dislike about it so far.
    What problems is the product solving and how is that benefiting you?
    It's helping to find vulnerabilities in open-source software, and implementing it in our pipelines for code deployment has helped us a lot to proactively find vulnerabilities before they reach any environment.
    Manufacturing

    Excellent Tool for Code Quality and Security.

    Reviewed on Oct 22, 2025
    Review provided by G2
    What do you like best about the product?
    It is a good tool to identify the issues and security in code which can impact the quality and security.
    What do you dislike about the product?
    The UI is not as efficient. Also code setup creates some issues.
    What problems is the product solving and how is that benefiting you?
    This product is excellent when it comes to handling. I am quite satisfied with how well it manages tasks.
    Manufacturing

    Powerful, Customizable Static Analysis with Fast Scans—Some Learning Curve and Tuning Needed

    Reviewed on Oct 22, 2025
    Review provided by G2
    What do you like best about the product?
    Semgrep is a static analysis tool that enables developers to create custom rules using an intuitive pattern-matching syntax, which closely mirrors the code being reviewed. It offers support for a variety of programming languages, including Python, JavaScript, Java, and Go, among others. With Semgrep, users can identify security vulnerabilities, address code quality concerns, and enforce coding standards effectively. Many developers value its seamless integration with CI/CD pipelines, the ability to run scans locally during development, and the flexibility to craft rules tailored to their organization's codebase. The tool is known for its rapid scanning capabilities and lower false positive rates when compared to more traditional static analysis solutions. Additionally, Semgrep is available in both open-source and commercial versions, with advanced features such as centralized rule management and options for team collaboration.
    What do you dislike about the product?
    Static analysis tools can present certain limitations, such as generating false positives that must be manually reviewed. They may also struggle to identify complex runtime vulnerabilities or logic flaws that only become apparent during execution. Maintaining and tuning rules to keep up with evolving codebases is an ongoing requirement. Some users note that creating custom rules involves a learning curve, particularly when mastering the pattern-matching syntax. Comprehensive scans of large codebases can also affect CI/CD pipeline performance. While these tools are strong in pattern matching, they might overlook context-dependent vulnerabilities that require more advanced semantic analysis. As a result, teams often need to dedicate time to configuring rules in order to minimize noise and prioritize findings relevant to their specific technology stack.
    What problems is the product solving and how is that benefiting you?
    It lacks the option to manually trigger a code scan, specifically for static scans.
    Manufacturing

    Fast, Accurate, and Seamless Integration with GitHub

    Reviewed on Oct 22, 2025
    Review provided by G2
    What do you like best about the product?
    The feedback is fast and actionable, which makes it easy to address issues quickly. I also appreciate the reduced number of false positives, as it saves time and effort. Integration with GitHub and Actions is seamless, making the workflow smooth. The accuracy is high, and the support for a wide range of languages is another strong point.
    What do you dislike about the product?
    Semgrep is quite narrowly focused, concentrating primarily on security and lacking built-in scanning capabilities for other important areas such as secrets detection, infrastructure as code, or container security. There is also a learning curve to consider; crafting effective and custom rules demands a certain level of expertise, which can be particularly challenging when dealing with more complex vulnerabilities. Additionally, Semgrep on its own provides limited context, so without supplementary tools, it can be difficult to determine if a vulnerability is truly exploitable or reachable at runtime. This limitation can make it harder to properly prioritize issues.
    What problems is the product solving and how is that benefiting you?
    Semgrep assists developers and security teams in identifying bugs and vulnerabilities and enforcing coding standards. It analyzes source code to detect patterns that correspond to predefined rules, which makes it valuable for code reviews, security audits, and maintaining overall code quality. Semgrep will be our new default SAST tool as we begin to phase out the current tool, which is outdated and cumbersome to use.
    Mohammad A.

    Great Experience, But UI Could Be More User-Friendly

    Reviewed on Oct 22, 2025
    Review provided by G2
    What do you like best about the product?
    Semgrep is one of the super easy and most lightweight tools for detecting security vulnerabilities in our codebase. It also enables us to scan our local repositories and can be integrated with our CI/CD pipeline to provide continuous code scanning. We prefer using it with almost all of our applications to feel more confident.
    What do you dislike about the product?
    There isn't much to complain about, but I do think the user interface could be cleaner and more user-friendly.
    What problems is the product solving and how is that benefiting you?
    The platform offers vulnerability scanning and helps keep applications free of bugs. It also provides automated code scanning through the CI/CD pipeline and supports scanning for multiple programming languages.