
    Application Security Platform

    Application Security Testing

    Overview

    Semgrep is a highly customizable application security platform built for security engineers and developers. Semgrep scans first- and third-party code to find security issues unique to an organization, with an emphasis on surfacing actionable, low-noise, and developer-friendly results at lightning speed.

    Semgrep's focus on confidence rating and reachability means that security teams can feel comfortable engaging developers directly in their workflows (e.g. surfacing findings in PR comments), and Semgrep integrates seamlessly with CI and SCM tooling to automate these policies.

    With Semgrep, security teams can shift left and scale their programs with zero impact on developer velocity. With 3400+ out-of-the-box rules and the ability to easily create custom rules, Semgrep accelerates the time it takes to implement and scale a best-in-class AppSec program - all while adding value from Day 1.

    Highlights

    • Lightning fast code scanning that detects security vulnerabilities in 30+ languages with results prioritized for remediation
    • Reachability analysis of known vulnerabilities in used 3rd-party software components makes results actionable for developers
    • Easy-to-write custom rules to augment detection of security vulnerabilities, enforce coding standards, and improve code quality

    Details

    Delivery method

    Deployed on AWS


    Features and programs

    Financing for AWS Marketplace purchases

    AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.

    Pricing

    Application Security Platform

    Pricing is based on the duration and terms of your contract with the vendor, and additional usage. You pay upfront or in installments according to your contract terms with the vendor. This entitles you to a specified quantity of use for the contract duration. Usage-based pricing is in effect for overages or additional usage not covered in the contract. These charges are applied on top of the contract price. If you choose not to renew or replace your contract before the contract end date, access to your entitlements will expire.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.

    12-month contract (3)

    Dimension            Description                                                              Cost/12 months
    Code (SAST)          Pro Engine + Pro Rules + Cloud Platform                                  $480.00
    Supply Chain (SCA)   Reachability + Dependency Search + License Compliance + Cloud Platform   $480.00
    Secrets              Secrets Scanning                                                         $720.00

    Additional usage costs (3)

    The following dimensions are not included in the contract terms and are charged based on your usage.

    Dimension                  Cost/user/hour
    Additional SAST Users      $0.05
    Additional SCA Users       $0.05
    Additional Secrets Users   $0.08

    Vendor refund policy

    No refunds


    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA).

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information


    Delivery details

    Software as a Service (SaaS)

    SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.

    Support

    Vendor support

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.


    Accolades

    Top 25 in Continuous Integration and Continuous Delivery
    Top 10 in Testing
    Top 25 in Generative AI

    Customer reviews

    Sentiment is AI generated from actual customer reviews on AWS and G2.
    32 reviews: insufficient data for sentiment on Functionality, Ease of use, Customer service, and Cost effectiveness.

    Overview

    AI generated from product descriptions

    Code Analysis: Static code scanning capability across 30+ programming languages with comprehensive vulnerability detection
    Vulnerability Detection: Reachability analysis of known vulnerabilities in third-party software components with prioritized remediation
    Rule Customization: Extensible rule creation mechanism for detecting security vulnerabilities and enforcing coding standards
    Security Integration: Seamless integration with continuous integration and source code management toolchains
    Multi-Language Support: Native scanning capabilities supporting multiple programming languages with consistent analysis approach
    Static Application Security Testing: Flexible solution capable of identifying vulnerabilities across 25+ programming languages and frameworks
    Software Composition Analysis: Comprehensive scanning of open source software and third-party libraries to identify and prioritize potential vulnerabilities and license risks
    Infrastructure as Code Analysis: Detection of security misconfigurations in infrastructure templates to prevent potential deployment errors and security risks
    Multi-Scan Integration: Single event trigger for simultaneous scanning of source code, dependencies, and infrastructure templates with centralized result aggregation
    Vulnerability Detection Mechanism: Advanced scanning of uncompiled code with targeted re-scanning of new or modified code segments for efficient threat identification
    Static Code Analysis: AI-powered static code analysis with rapid scanning at code generation and deep repository-level analysis
    Open Source Security: Comprehensive open source security coverage with detection, prioritization, and automated remediation capabilities
    Container Security: End-to-end container security including image scanning, reachability analysis, secret detection, and Kubernetes integration
    AI Component Governance: Comprehensive inventory, risk insights, policy enforcement, and threat simulation for AI components and models
    Dependency Management: Automated dependency updates and vulnerability reduction across distributed development environments

    Contract

    Standard contract: No

    Customer reviews

    Ratings and reviews

    0 ratings (5 star: 0%, 4 star: 0%, 3 star: 0%, 2 star: 0%, 1 star: 0%)
    0 AWS reviews | 37 external reviews
    Star ratings include only reviews from verified AWS customers. External reviews can also include a star rating, but star ratings from external reviews are not averaged in with the AWS customer star ratings.
    Mahmoud H.

    I think Semgrep is a must-have for every Software Company

    Reviewed on Sep 16, 2025
    Review provided by G2
    What do you like best about the product?
    The fact that it can scan dependencies and has so many rules configured on the spot, with a very friendly and easy-to-use UI for the SemGrep pro.
    What do you dislike about the product?
    I think what semgrep needs is a feature that summarizes the overall security standing of a repository/project, and to allow the user to be able to tell the platform the links between different repos, if there are any.
    What problems is the product solving and how is that benefiting you?
    I am a security official in a company with over 300 repos. The fact that semgrep can seamlessly scan all lines of code with each change is amazing for me. It makes my work so much easier.
    Computer Software

    Enhancing Security with Semgrep

    Reviewed on Sep 12, 2025
    Review provided by G2
    What do you like best about the product?
    Since it runs fast and integrates directly into CI/CD, my team can surface issues early — from insecure function use to misconfigured patterns — before they ever hit production.
    What do you dislike about the product?
    Filter limitations and changing some settings at the global level using UI. Having more advanced filtering and project-level controls would make it easier to manage findings across different environments, prioritize risks.
    What problems is the product solving and how is that benefiting you?
    The biggest benefit for us is automation and consistency. By integrating Semgrep into CI/CD pipelines, I can enforce secure coding practices at scale and ensure that every pull request is checked for common vulnerabilities. This reduces reliance on manual reviews, lowers the chance of critical bugs slipping into production, and frees me up to focus on more complex security work like pentesting and cloud security design.
    Computer Software

    Hands-off setup could not be easier

    Reviewed on Sep 09, 2025
    Review provided by G2
    What do you like best about the product?
    Very little had to be done on our end to set up managed scans for the entire GitHub organization. Aside from Semgrep staff adjusting things to get a scan to complete, our large codebase was running SAST scans in a few days.
    GitHub PR comments show users what to do, and AI can classify many reports correctly as not needing mitigation.
    What do you dislike about the product?
    Semgrep's features are designed around preventing new problems from being introduced in pull requests, but those same features are not available for issues found on trunk branches - these have to be dealt with manually.
    What problems is the product solving and how is that benefiting you?
    Identifying potential security flaws in existing code as part of compliance for security certifications.
    Siddhesh J.

    Fast and positive results

    Reviewed on Sep 08, 2025
    Review provided by G2
    What do you like best about the product?
    There are multiple things which are great in the SemGrep tool: 1st, easy integration with GSM and CI-CD pipeline; 2nd, easy terminal-based code scan which saves a lot of time and integration if the code is small.
    What do you dislike about the product?
    Not specific as such, since everything is good at the right price.
    What problems is the product solving and how is that benefiting you?
    Compared to other tools, it is giving better, faster and more accurate results in output; also a tool suggestion and fix feature would be helpful for long, lengthy code.
    Ivo M.

    Fast, reliable, and developer-friendly static analysis tool

    Reviewed on Sep 05, 2025
    Review provided by G2
    What do you like best about the product?
    Semgrep is lightweight, very fast compared to traditional SAST tools, and integrates smoothly into CI/CD pipelines. I like that it has a strong rule ecosystem (community and Pro rules), and the ability to write custom rules makes it flexible for different coding standards and compliance needs. The dashboard provides great visibility into security findings and code quality issues, helping developers fix problems quickly without slowing them down.
    What do you dislike about the product?
    The initial setup for more advanced use cases can be tricky, especially when fine-tuning custom rules or managing large rule sets across multiple projects. Sometimes, there are false positives that require manual triage, and the learning curve for rule writing is a bit steep for newcomers. I would also like to see deeper integrations with more enterprise security platforms out-of-the-box.
    What problems is the product solving and how is that benefiting you?
    Semgrep helps us detect security vulnerabilities and coding issues early in the development lifecycle. It makes it easier to enforce secure coding standards across multiple teams without adding heavy friction to the developers’ workflow. By integrating directly into CI/CD pipelines, it reduces time-to-detection and prevents risky code from reaching production. This has improved both the security posture and the consistency of our applications while lowering the manual effort needed for code reviews.