Application Security Platform
Fast, Easy-to-Customize Rules That Catch Security and Code-Quality Issues Early
Early detection has transformed our code reviews and makes our development process faster
What is our primary use case?
My primary use case for Semgrep is for day-to-day code scanning and code reviewing during development, focusing on vulnerability detection. I am also migrating this tool into our CI/CD pipeline.
The primary objective is to scan code, detect vulnerabilities, and integrate into CI/CD pipelines during the coding phase before deployment to production so we can identify all issues in the development phase.
I currently use Semgrep for our development process, CI/CD pipeline, and vulnerability detection, and it is a very good product.
What is most valuable?
In my current situation, when I work on any features or products, I find issues during my development phase while writing code. I can detect issues in a very early phase, which allows us to prevent forwarding them to production.
This is very helpful for our development phase and it is very fast for our development process. I can save more time for developing and reviewing code, which makes it very helpful for our organization.
Regarding Semgrep, I find it to be very user-friendly, easy to understand, and easy to integrate with any working tool. We use VS Code, and it integrates seamlessly with it. Additionally, I set up the CI/CD pipeline for the development phase, and it works well for all our needs.
In my opinion, the best features Semgrep offers are for security vulnerability detection. I can find any vulnerabilities during my development phase, which helps my work and has many time-saving features.
Whenever I use Semgrep, I have integrated it seamlessly into my experience. It integrates when I work with the development phase and the deployment model, allowing me to detect any security issues. I can detect these issues early and fix them as soon as possible, eliminating the need for manual line-by-line code checks. It quickly scans all the code and detects issues, saving me significant time.
It can help my team very quickly, especially with large-scale projects. In my team, we use Semgrep, which is more efficient for coding purposes, time-saving, and quickly detects issues. I can say that weekly I save about six to seven hours because of this, making it very time-saving and fostering faster development for my team's products and environment.
What needs improvement?
I wish there were a bit more improvement in AI features, such as integrating some AI capabilities, so it can be more convenient and useful for users.
For how long have I used the solution?
I have been using Semgrep since last year.
What do I think about the stability of the solution?
Semgrep is very stable; since I have been using it, I have not experienced any downtime.
What do I think about the scalability of the solution?
Semgrep is highly scalable. It handles small projects well, and it is very useful for any large-scale project as well. It can be used by any organization for any project.
How are customer service and support?
Customer support and services for Semgrep are very reliable and good. Many times when I have had troubleshooting needs, I find most solutions in the documentation, so the support and customer service team is excellent.
Which solution did I use previously and why did I switch?
Previously, I used the SonarQube solution but switched to Semgrep because Semgrep works faster and the code scannability is very good compared to SonarQube.
What was our ROI?
The return on investment is very evident. I can say it saves us time related to coding and also saves money, making it a very reliable tool for our organization with great features.
What's my experience with pricing, setup cost, and licensing?
For pricing and setup cost, Semgrep is very reliable for any type of organization, whether small or large. It offers very reasonable pricing and costs.
Which other solutions did I evaluate?
I did not evaluate other options before choosing Semgrep.
What other advice do I have?
I would not want to see anything changed.
My advice for others considering Semgrep is that it is a very good product and a great tool to use. It has a very user-friendly environment and it is very time-saving, as I mentioned earlier. I do not have any additional thoughts about Semgrep. My overall review rating for Semgrep is nine out of ten.
Which deployment model are you using for this solution?
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Automated security checks have transformed code reviews and save hours every development week
What is our primary use case?
My main use case is to perform SAST, static application security testing. I have been using it for the last 10 months. Initially, I was planning to use it just for the code review part so that developers can get secure code. However, it can also be integrated in CI/CD pipelines and other tools, which makes it robust.
I deployed Semgrep with my development team in their IDEs, such as VS Code and other notebook tools that my developers use. Semgrep helps to identify code-level issues, such as the possibility of SQL injection, XSS, or hard-coded values. It initially triggers alerts and shows which aspects are not correct and need correction.
What is most valuable?
First, it is very easy to use. It has customization features that allow me to customize it to find particular types of vulnerabilities that I am looking for. There is scanning efficiency which allows for rapid issue detection early in the development process. The customizable rule engine is the best thing because I can customize it according to my needs.
I can customize my rules according to my needs. The YAML file is easy to write. A person with good basic knowledge of coding can generate custom rules particular to the type of vulnerability they are targeting. Therefore, it is customizable.
The feature is easy to use, saves a lot of time, and is streamlined in nature. That is the best aspect.
It has helped my code review part significantly. It saves around two to three hours per day of going through each line of code to find mistakes and identify issues that are present at the code level. Code review is a tedious task for any security engineer or developer to do, so it helps tremendously while reviewing code.
By avoiding these tedious tasks, my team gets to focus on other important tasks that are required. Sometimes there are urgent tasks that need to be done before code reviews can be completed. The time I save is utilized elsewhere, which effectively benefits my team.
What needs improvement?
Semgrep can be improved by making it more user-friendly. There are tools in the market, such as Aqua Security, that have features worth utilizing. However, there are some comprehensive scanning capabilities which I feel Semgrep lacks. For code-level review, it is very good.
For how long have I used the solution?
I have been using Semgrep for around nine to 10 months for detection of security flaws in the code.
What do I think about the stability of the solution?
It is stable in nature.
What do I think about the scalability of the solution?
It is also good. I can scale it for small to large-scale teams. I can use it with a small number of people or a large-sized team.
How are customer service and support?
Customer support is good because I have not needed much customer support until now, which is very good. I think that is a good part. Their documentation and community are very active, so most of the time when problems occur, I get a solution.
Which solution did I use previously and why did I switch?
I have used SonarQube. However, the results of Semgrep are much better. I compared them both, so I switched to Semgrep only, and it works very well. I do not have to pay any licensing fee or anything like that. It has been good to work with Semgrep.
I evaluated a tool such as SonarQube, which is in the market and is also open-source. However, the results provided by Semgrep are much more effective and efficient with fewer false positives. The number of true positives is higher, which effectively saves time from checking whether false positives are right or wrong.
How was the initial setup?
The accuracy I would rate at 85 to 90%. Sometimes it gives false positives, but compared to its peers, it is better.
What about the implementation team?
At a team level, I can say that per day I save around two hours, which can result in eight hours a week. Monthly, I save around 30 to 35 hours because of this.
What was our ROI?
The best case is that it solves a lot of things, and for the vulnerabilities that will arise in the future, I solve them at the initial stage.
What's my experience with pricing, setup cost, and licensing?
It is basically open-source, so the cost to set up is no cost.
Which other solutions did I evaluate?
If you are looking for an open-source tool that can perform SAST in your environment and you are a technical person with a team that can grasp new technologies in a short period of time, then you can use Semgrep directly to perform SAST and code reviews at the development level. Early detection of security issues and bugs can be fixed.
What other advice do I have?
It streamlines with the governance and compliance of the country where the company operates. It follows GDPR guidelines and EU guidelines. In India, I follow certain guidelines, so it also passes that criteria to go through those guidelines and follow the restrictions and suggestions provided at a national level.
Code scans have accelerated remediation and keep development focused on security
What is our primary use case?
My main use case for Semgrep is as a SAST tool. Since I work with code directly, I use it to scan the code for vulnerabilities and relay information to developers so they can address any issues. This approach ensures I maintain a security focus as a DevOps person, which is crucial.
Semgrep fits into my workflow by allowing me to scan code and ensure there are no breaches before running it in containers.
What is most valuable?
The best feature of Semgrep is its ability to highlight high priority issues during scanning, making it critical for developers to address these vulnerabilities promptly. This seamless process enhances efficiency and expedites issue resolution within our systems.
I find Semgrep's user-friendliness valuable, allowing me to run scans easily with simple commands, which clearly indicate vulnerabilities and their priority levels, effectively meeting my needs.
When receiving high-priority findings, I act as a DevOps person who incorporates security into my culture by notifying developers about issues I find and urging them to check the code. I advocate that all developers have Semgrep installed on their laptops, ensuring they avoid pushing vulnerable code.
The impact of Semgrep on my organization includes the recommendation I made as an external consultant to incorporate it into projects. It is easy for developers to use and helps monitor our security posture by scanning code before production pushes.
Since implementing Semgrep, I have noticed significant outcomes. For example, I can resolve vulnerabilities that previously took four days in under a day, saving both time and money, thus enhancing our return on investment.
What needs improvement?
Semgrep needs ongoing improvements, and gathering user feedback will help enhance its effectiveness and provide better solutions globally.
I suggest improving documentation and integrating agentic AI to help users get quicker answers to security problems when scanning.
For how long have I used the solution?
That first use was in 2022, so that is about four years now, and I continue to use Semgrep on my MacBook, finding it very useful, and I still recommend it to developers.
What do I think about the stability of the solution?
Semgrep is absolutely stable.
What do I think about the scalability of the solution?
Semgrep's scalability is impressive, being designed as cloud-native and cloud-agnostic, making it easy to integrate and grow within any environment without concern for crashes.
How are customer service and support?
I have not contacted Semgrep's customer service because their documentation usually provides solutions for my inquiries.
Which solution did I use previously and why did I switch?
I have not used any solution prior to Semgrep.
How was the initial setup?
I find Semgrep's pricing and setup reasonable and recommended its installation for developers to facilitate code scanning and avoid vulnerabilities.
What was our ROI?
The return on investment from using Semgrep is evident as I save time and money. For example, tasks that previously took days are completed in significantly less time, enabling faster business responses and improved profit margins.
Which other solutions did I evaluate?
I did not evaluate other options before choosing Semgrep. I found it through an online review and decided to try it based on that.
What other advice do I have?
My advice for others considering Semgrep is to adopt it, as it stands out in the open-source market and shows solid growth. You can trust it based on its innovative developments.
I believe Semgrep will scale effectively with the rise of agentic AI and security needs, leading to broader adoption among companies. Sharing wins at open-source conferences will help demonstrate its potential impact.
I rate this review an 8.
Benchmarking security testing has shaped our tool evaluations but still needs fewer false positives
What is our primary use case?
I have used Semgrep more as a testing and a POC tool. So, there is no consistent usage of Semgrep, but I have used the tool multiple times for POC purposes.
As a DevSecOps Security Engineer, my main use case for Semgrep when I do use it for POCs or testing is to deal with SAST, secret scanning, and types of testing, white-box testing, AppSec, and those types of activities. Semgrep is a tool for that. Hence, when we perform POCs and try to understand what it is providing for such different types of scanning, Semgrep turns out to be useful in setting benchmarks.
How has it helped my organization?
Even if we mainly use Semgrep for POCs, it has positively impacted our organization. So when we are in the process of identifying new tools or trying to understand how to improve our existing tools, that is where Semgrep comes in handy.
As a result of using Semgrep, it helped us compare tools more effectively. It helped us understand what are the expected must-haves of a tool in this domain. That way, other tools that were not even offering these were easily left out because Semgrep is an open-source tool, and when we are trying to acquire paid tools, it is almost definite they should be offering capabilities at least that an open-source tool is offering.
What is most valuable?
Semgrep flourishes with the SAST, secret scanning, and Software Composition Analysis types of scanning. That is where Semgrep shines. With SCA, it helps find vulnerabilities, SAST weaknesses, and secrets. These are three existing services that are there in my enterprise, and we have other tools that perform the same. Semgrep, as I said, helps us benchmark that while running POCs.
The Software Composition Analysis is the most valuable feature in Semgrep.
What needs improvement?
As we use Semgrep for secret scanning, I know it is an open-source tool. Oftentimes, that leads to the refinement of the engine, but oftentimes Semgrep ends up flagging a lot of false positive values. If the name of a variable or any text in the code has the word secret in it, then it flags it as a secret violation or as a secret finding, which may not be the case. It might just be a false positive. It might just be a variable called secret but may not contain a value that is actually secret information.
Of course, there are a bunch of additions and improvements that can be done on Semgrep, but it is an open-source tool. I have at least used the open-source version of it. Of course, that comes only with the CLI. The UI and additional dashboarding and other details would definitely make the tool more user-friendly and more of a candidate to be implemented in an enterprise such as the one that I work for. I have not seen any other areas where Semgrep could be improved, aside from the false positives and dashboarding mentioned earlier.
What do I think about the scalability of the solution?
I give Semgrep a six out of 10 simply because there are other tools that are better than this out there. This is an open-source tool, so it absolutely does the job, but if you were to implement a tool such as this in an enterprise, this would probably not be scalable.
What other advice do I have?
My advice to others looking into using Semgrep is to keep in mind that this is an open-source tool. I gave Semgrep an overall rating of 6.5 out of 10.
Accurate Results and a Polished UI from Semgrep
Automated dependency checks have improved our workflows but remain complex and costly to manage
What is our primary use case?
I use Semgrep mainly for its software composition analysis capabilities to identify vulnerabilities in dependencies used in our applications. Every time a new feature is developed or a new version of an application is released, it is run against Semgrep using our CI/CD pipelines to identify any new vulnerabilities.
What is most valuable?
The best part of Semgrep is its ease of integration with CI/CD pipelines and how it is a developer-friendly tool. The interface is really focused on presenting developers what needs to be done, what vulnerabilities have been found, and what packages are affected. Whenever a developer enters the application, they do not need much context because it is really clear what needs to be done based on what the application shows.
Semgrep removes a lot of stress from the product security team since there is now an automated way of checking for vulnerabilities in our software. It has reduced manual work and saved a lot of time since containers no longer need to be manually checked with Semgrep, and we do not even need to check whenever there is a new version. In our automated pipelines, every time there is a new version, the containers get scanned and if something critical or high is detected, we are automatically notified.
Semgrep is scalable and works well across multiple repositories and projects, especially when integrated with CI/CD pipelines as is our case.
What needs improvement?
The coverage of Semgrep could be a bit better, as there are other tools that are more specialized in other areas of security. Semgrep as an SCA tool is adequate, but if you want to use some other parts of it, you get a high price tag. More advanced dependency analysis features in the SCA part and deeper vulnerability databases would be beneficial.
Semgrep is mostly used because it is considered an industry standard, and many of our customers use Semgrep, so they expect us to use it as well. However, as a tool it is really complex to maintain and to use, and it has a huge price tag.
For how long have I used the solution?
I have used Semgrep for one year.
What do I think about the stability of the solution?
There have been no stability issues.
What do I think about the scalability of the solution?
There have been no scalability issues.
How are customer service and support?
Customer support is really good and there is also strong community support.
Which solution did I use previously and why did I switch?
Trivy was previously used, and the switch to Semgrep was made basically because it is the tool that our customers expect us to use.
How was the initial setup?
The setup was quite straightforward and the pricing model is quite flexible. The setup at the beginning was quick, and our pipelines were managed to be running easy enough and fast enough.
What was our ROI?
Although there are no metrics available, an improvement in efficiency has been seen since manual labor is not required as much as before. This can be translated to being able to do the same amount of work with less technicians.
Which other solutions did I evaluate?
Semgrep is considered an alternate solution to other tools.
What other advice do I have?
The first thing you need to do is to integrate Semgrep with your CI/CD pipelines and once they are running, invest time in reading documentation and getting yourself familiar with all of the products offered and all of the capabilities available. Semgrep was found through the peer link navigator that was provided via a LinkedIn message. The overall review rating for this product is 6 out of 10.
Context-aware code analysis has reduced noise and now improves developer experience with actionable security findings
What is our primary use case?
I have been working with Semgrep for almost a year, approximately six to eight months on and off. In my current organization, I have a strong experience for SAST solution POCs, and I have conducted POCs for Semgrep, Checkmarx, Snyk, and SonarQube to evaluate SAST capabilities.
Our primary use case for Semgrep is to identify static code vulnerabilities and SAST vulnerabilities. Every other organization or vendor claims to offer this capability, but Semgrep is built differently compared to all these traditional tools. I have almost a decade of experience using various SAST tools, and Semgrep not only looks at particular code but understands the entire code to get context around whether an issue is real or not through context analysis.
One of the primary use case for us is also the shift-left approach, which means improving our developer experience. Our developers do not want to wait until they commit changes to GitHub or build it. They want synchronous feedback directly within their IDE. Semgrep provides an IDE integration and also supports MCP gateway. Additionally, secrets scanning is another important use case for us.
What is most valuable?
The seamless integration of Semgrep into our existing platform is what I really appreciate. It is very easy, I was able to integrate and onboard it in just 10 to 15 minutes. This is in stark contrast to dealing with different SAST tools about integration across thousands of repos.
Another great feature is that Semgrep greatly reduces the noise compared to other SAST tools. After scanning through the codebase and understanding it, Semgrep has a capability called AI analysis or AI triage. When you triage with AI, it gathers context around the finding and reduces the noise about 80 to 90 percent of the time, asking you to focus only on findings that really matter.
Another excellent experience I had with Semgrep is when there was a finding that AI was not able to correctly diagnose or identify whether it was an actual finding or not. It reported it as a vulnerability, but when I verified it as a security engineer, I determined it was not a vulnerability in our case because we have compensatory controls in place. When I indicate this, Semgrep asks if it can apply the same logic to other similar findings. With a single click, it reduces a lot of noise for me, saving a huge amount of my time and effort.
The results are also impressive. Most solutions identify a static query like raw SQL and simply say there is a SQL injection that is critical. Semgrep, however, looks into the query file and understands the context. It recognizes that this is a SQL query without any user input or database migration script, and it assigns appropriate risk. This intelligent capability of Semgrep is what impressed me.
Semgrep will easily fit into the ecosystem you are building or the ecosystem you are working with. It is going to increase the developer experience in terms of how easily developers are able to understand the findings. It will also increase the security posture because developers are easily able to understand and fix those findings. Overall, the application security posture and the relationship between the development community and the security engineering will improve because Semgrep integrates so seamlessly and functions very smoothly.
What needs improvement?
I have consistently observed that their scan time is an issue for mono repos. Sometimes with their AI-based scanning, when you triage that scan, the scan never completes or finishes(, which makes it difficult. Another consistent issue is that whenever you have a new repo to onboard to the platform, the tool ideally should detect the master branch by default. However, sometimes the tool fails to identify it and will never scan it unless manually somebody looks into it and fixes the issue. Although their support team is really good, this issue was present six or eight months ago during the POC and is still present now. If it is affecting multiple customers, it should be prioritized and fixed.
I would say that their integration aspects could have been improved. I see a lot of different security solutions that provide flexibility to the security teams based on Jira project, team divisions, Slack, and all those can be very much easily customized. Semgrep needs to work on the enhancement of their notification capabilities. Currently, they are working on identifying business logic vulnerabilities or privilege escalation vulnerabilities by looking at the code, and they should continue to focus on and improve this effort.
Regarding stability, whenever you have a mono-repo which is a very large repository, the scan never finishes or the scan never kicks in. At that time, you have to reach out to the support team and ask them to expand the resources in the back end to fix it. This is an issue I keep seeing often on that platform.
For how long have I used the solution?
I have been working with Semgrep on and off for almost a year, approximately six to eight months.
What do I think about the stability of the solution?
I have consistently observed that their scan time is an issue. Sometimes with their AI-based scanning, when you triage that scan, the scan never completes or finishes, which makes it difficult. Another consistent issue is that whenever you have a new repo to onboard to the platform, the tool ideally should detect the master branch by default. However, if there is no master branch or default branch, the tool fails to identify it and will never scan it unless manually somebody looks into it and fixes the issue. Although their support team is really good, this issue was present six or eight months ago during the POC and is still present now. If it is affecting multiple customers, it should be prioritized and fixed.
I would say that their integration aspects could have been improved. I see a lot of different security solutions that provide flexibility to the security teams based on Jira project, team divisions, Slack, and all those can be very much easily customized. Semgrep needs to work on the enhancement of their notification capabilities. Currently, they are working on identifying business logic vulnerabilities or privilege escalation vulnerabilities by looking at the code, and they should continue to focus on and improve this effort.
Regarding stability, whenever you have a mono-repo which is a very large repository, the scan never finishes or the scan never kicks in. At that time, you have to reach out to the support team and ask them to expand the resources in the back end to fix it. This is an issue I keep seeing often on that platform.
What do I think about the scalability of the solution?
It is very easy to scale. When you say scaling, that means the number of users or organizations you need to onboard. I was able to control it from 10 repositories or 10 services to thousands of repositories in a couple of minutes very simply. They could potentially add some enhancements, but the platform is very much easily scalable.
What other advice do I have?
You should primarily focus on what your use case is and why you are moving out. If you are moving out just from the perspective of cost, I do not think Semgrep is the best solution for you. However, if you are looking for value for investment and want to have the complete visibility into your code with less noise, if you are not just looking for a SAST but are really looking for actionable results and want to improve your developer experience and feedback, then you should go for Semgrep. In my organization, it is not only me who selects the solution; I bring in developers from junior and senior levels of all experience and ask them to take a hands-on experience and give me feedback. If you want to improve the developer experience, then go for Semgrep.
Compared to other competitors in the market, the AI-backed capability is the biggest strength of Semgrep. The seamless integration is another major advantage because I have done it for a few other solutions, some of which are extremely difficult and some are okay, but the Semgrep integration with the code repository was the smoothest. The quality of results and reduction in noise are also strengths compared to other competitors. Semgrep also has a great strength in the number of rule sets they have compared to all other vendors. While all other vendors have very limited numbers even though they claim to be enterprise, their community edition itself has close to 4,000 rules and the enterprise edition has around 20,000 rules. That is a really strong advantage.
As for limitations, I would say that Semgrep currently just supports Jira and Slack for integrations. They should expand to different integrations like ServiceNow and other CNAP and CSPM solutions where all results can be brought into one place.
I would rate this review an 8 out of 10.
Streamlined Code Security with Semgrep
Powerful Rule Engine and Autofix, but Governance at Scale Needs Work
• Smooth CI/CD integration and lightweight runtime, enabling frequent scans without major impact on developer velocity.
• Autofix capabilities (deterministic rule‑based and Assistant AI‑assisted) that propose or apply safe code changes, reducing mean time to remediate
• Autofix and AI noise filtering are helpful but still evolving; effectiveness varies by language and codebase, and some teams remain cautious about applying fixes automatically.
Operationally, fast scans and easy CI/SCM integration mean developers see actionable feedback where they work, not in a separate portal, increasing adoption and fixing rates. As a result, we’ve moved from sporadic security reviews to consistent, automated checks across services, with measurable gains in fix rate and fewer high‑risk patterns reaching production. The net benefit is stronger secure‑by‑default practices with minimal productivity tax, plus lower compliance risk thanks to policy‑as‑code rules we can audit and evolve over time.