Application Security Platform

I use Semgrep  mainly for its software composition analysis capabilities to identify vulnerabilities in dependencies used in our applications. Every time a new feature is developed or a new version of an application is released, it is run against Semgrep  using our CI/CD pipelines to identify any new vulnerabilities.

The best part of Semgrep is its ease of integration with CI/CD pipelines and how it is a developer-friendly tool. The interface is really focused on presenting developers what needs to be done, what vulnerabilities have been found, and what packages are affected. Whenever a developer enters the application, they do not need much context because it is really clear what needs to be done based on what the application shows.

Semgrep removes a lot of stress from the product security team since there is now an automated way of checking for vulnerabilities in our software. It has reduced manual work and saved a lot of time since containers no longer need to be manually checked with Semgrep, and we do not even need to check whenever there is a new version. In our automated pipelines, every time there is a new version, the containers get scanned and if something critical or high is detected, we are automatically notified.

Semgrep is scalable and works well across multiple repositories and projects, especially when integrated with CI/CD pipelines as is our case.

The coverage of Semgrep could be a bit better, as there are other tools that are more specialized in other areas of security. Semgrep as an SCA  tool is adequate, but if you want to use some other parts of it, you get a high price tag. More advanced dependency analysis features in the SCA  part and deeper vulnerability databases would be beneficial.

Semgrep is mostly used because it is considered an industry standard, and many of our customers use Semgrep, so they expect us to use it as well. However, as a tool it is really complex to maintain and to use, and it has a huge price tag.

I have used Semgrep for one year.

There have been no stability issues.

There have been no scalability issues.

Customer support is really good and there is also strong community support.

Trivy  was previously used, and the switch to Semgrep was made basically because it is the tool that our customers expect us to use.

The setup was quite straightforward and the pricing model is quite flexible. The setup at the beginning was quick, and our pipelines were managed to be running easy enough and fast enough.

Although there are no metrics available, an improvement in efficiency has been seen since manual labor is not required as much as before. This can be translated to being able to do the same amount of work with less technicians.

Semgrep is considered an alternate solution to other tools.

The first thing you need to do is to integrate Semgrep with your CI/CD pipelines and once they are running, invest time in reading documentation and getting yourself familiar with all of the products offered and all of the capabilities available. Semgrep was found through the peer link navigator that was provided via a LinkedIn message. The overall review rating for this product is 6 out of 10.

I have been working with Semgrep  for almost a year, approximately six to eight months on and off. In my current organization, I have a strong experience for SAST  solution POCs, and I have conducted POCs for Semgrep , Checkmarx, Snyk , and SonarQube  to evaluate SAST  capabilities.

Our primary use case for Semgrep is to identify static code vulnerabilities and SAST vulnerabilities. Every other organization or vendor claims to offer this capability, but Semgrep is built differently compared to all these traditional tools. I have almost a decade of experience using various SAST tools, and Semgrep not only looks at particular code but understands the entire code to get context around whether an issue is real or not through context analysis.

One of the primary use case for us is also the shift-left approach, which means improving our developer experience. Our developers do not want to wait until they commit changes to GitHub  or build it. They want synchronous feedback directly within their IDE . Semgrep provides an IDE  integration and also supports MCP gateway. Additionally, secrets scanning is another important use case for us.

The seamless integration of Semgrep into our existing platform is what I really appreciate. It is very easy, I was able to integrate and onboard it in just 10 to 15 minutes. This is in stark contrast to dealing with different SAST tools about integration across thousands of repos.

Another great feature is that Semgrep greatly reduces the noise compared to other SAST tools. After scanning through the codebase and understanding it, Semgrep has a capability called AI analysis or AI triage. When you triage with AI, it gathers context around the finding and reduces the noise about 80 to 90 percent of the time, asking you to focus only on findings that really matter.

Another excellent experience I had with Semgrep is when there was a finding that AI was not able to correctly diagnose or identify whether it was an actual finding or not. It reported it as a vulnerability, but when I verified it as a security engineer, I determined it was not a vulnerability in our case because we have compensatory controls in place. When I indicate this, Semgrep asks if it can apply the same logic to other similar findings. With a single click, it reduces a lot of noise for me, saving a huge amount of my time and effort.

The results are also impressive. Most solutions identify a static query like raw SQL and simply say there is a SQL injection that is critical. Semgrep, however, looks into the query file and understands the context. It recognizes that this is a SQL query without any user input or database migration script, and it assigns appropriate risk. This intelligent capability of Semgrep is what impressed me.

Semgrep will easily fit into the ecosystem you are building or the ecosystem you are working with. It is going to increase the developer experience in terms of how easily developers are able to understand the findings. It will also increase the security posture because developers are easily able to understand and fix those findings. Overall, the application security posture and the relationship between the development community and the security engineering will improve because Semgrep integrates so seamlessly and functions very smoothly.

I have consistently observed that their scan time is an issue for mono repos. Sometimes with their AI-based scanning, when you triage that scan, the scan never completes or finishes(, which makes it difficult. Another consistent issue is that whenever you have a new repo to onboard to the platform, the tool ideally should detect the master branch by default. However, sometimes the tool fails to identify it and will never scan it unless manually somebody looks into it and fixes the issue. Although their support team is really good, this issue was present six or eight months ago during the POC and is still present now. If it is affecting multiple customers, it should be prioritized and fixed.

I would say that their integration aspects could have been improved. I see a lot of different security solutions that provide flexibility to the security teams based on Jira  project, team divisions, Slack, and all those can be very much easily customized. Semgrep needs to work on the enhancement of their notification capabilities. Currently, they are working on identifying business logic vulnerabilities or privilege escalation vulnerabilities by looking at the code, and they should continue to focus on and improve this effort.

Regarding stability, whenever you have a mono-repo which is a very large repository, the scan never finishes or the scan never kicks in. At that time, you have to reach out to the support team and ask them to expand the resources in the back end to fix it. This is an issue I keep seeing often on that platform.

I have been working with Semgrep on and off for almost a year, approximately six to eight months.

I have consistently observed that their scan time is an issue. Sometimes with their AI-based scanning, when you triage that scan, the scan never completes or finishes, which makes it difficult. Another consistent issue is that whenever you have a new repo to onboard to the platform, the tool ideally should detect the master branch by default. However, if there is no master branch or default branch, the tool fails to identify it and will never scan it unless manually somebody looks into it and fixes the issue. Although their support team is really good, this issue was present six or eight months ago during the POC and is still present now. If it is affecting multiple customers, it should be prioritized and fixed.

I would say that their integration aspects could have been improved. I see a lot of different security solutions that provide flexibility to the security teams based on Jira  project, team divisions, Slack, and all those can be very much easily customized. Semgrep needs to work on the enhancement of their notification capabilities. Currently, they are working on identifying business logic vulnerabilities or privilege escalation vulnerabilities by looking at the code, and they should continue to focus on and improve this effort.

Regarding stability, whenever you have a mono-repo which is a very large repository, the scan never finishes or the scan never kicks in. At that time, you have to reach out to the support team and ask them to expand the resources in the back end to fix it. This is an issue I keep seeing often on that platform.

It is very easy to scale. When you say scaling, that means the number of users or organizations you need to onboard. I was able to control it from 10 repositories or 10 services to thousands of repositories in a couple of minutes very simply. They could potentially add some enhancements, but the platform is very much easily scalable.

You should primarily focus on what your use case is and why you are moving out. If you are moving out just from the perspective of cost, I do not think Semgrep is the best solution for you. However, if you are looking for value for investment and want to have the complete visibility into your code with less noise, if you are not just looking for a SAST but are really looking for actionable results and want to improve your developer experience and feedback, then you should go for Semgrep. In my organization, it is not only me who selects the solution; I bring in developers from junior and senior levels of all experience and ask them to take a hands-on experience and give me feedback. If you want to improve the developer experience, then go for Semgrep.

Compared to other competitors in the market, the AI-backed capability is the biggest strength of Semgrep. The seamless integration is another major advantage because I have done it for a few other solutions, some of which are extremely difficult and some are okay, but the Semgrep integration with the code repository was the smoothest. The quality of results and reduction in noise are also strengths compared to other competitors. Semgrep also has a great strength in the number of rule sets they have compared to all other vendors. While all other vendors have very limited numbers even though they claim to be enterprise, their community edition itself has close to 4,000 rules and the enterprise edition has around 20,000 rules. That is a really strong advantage.

As for limitations, I would say that Semgrep currently just supports Jira and Slack for integrations. They should expand to different integrations like ServiceNow  and other CNAP and CSPM solutions where all results can be brought into one place.

I would rate this review an 8 out of 10.