    Application Security Platform

    Application Security Testing

    Ratings and reviews

    4.5 average from 59 ratings (5 stars: 75%, 4 stars: 19%, 3 stars: 7%, 2 stars: 0%, 1 star: 0%)
    1 AWS review | 58 external reviews
    External reviews are from G2 and PeerSpot.

    Reviews (59)

    Souhardyya Biswas

    Benchmarking security testing has shaped our tool evaluations but still needs fewer false positives

    Reviewed on May 31, 2026
    Review provided by PeerSpot

    What is our primary use case?

    I have used Semgrep more as a testing and a POC tool. So, there is no consistent usage of Semgrep, but I have used the tool multiple times for POC purposes.

    As a DevSecOps Security Engineer, my main use case for Semgrep when I do use it for POCs or testing is to deal with SAST, secret scanning, and types of testing, white-box testing, AppSec, and those types of activities. Semgrep is a tool for that. Hence, when we perform POCs and try to understand what it is providing for such different types of scanning, Semgrep turns out to be useful in setting benchmarks.

    How has it helped my organization?

    Even if we mainly use Semgrep for POCs, it has positively impacted our organization. So when we are in the process of identifying new tools or trying to understand how to improve our existing tools, that is where Semgrep comes in handy.

    As a result of using Semgrep, it helped us compare tools more effectively. It helped us understand what the expected must-haves of a tool in this domain are. That way, other tools that were not even offering these were easily left out, because Semgrep is an open-source tool, and when we are trying to acquire paid tools, it is almost definite they should be offering at least the capabilities that an open-source tool is offering.

    What is most valuable?

    Semgrep flourishes with the SAST, secret scanning, and Software Composition Analysis types of scanning. That is where Semgrep shines. With SCA, it helps find vulnerabilities, SAST weaknesses, and secrets. These are three existing services that are there in my enterprise, and we have other tools that perform the same. Semgrep, as I said, helps us benchmark that while running POCs.

    The Software Composition Analysis is the most valuable feature in Semgrep.

    What needs improvement?

    As we use Semgrep for secret scanning, I know it is an open-source tool. Oftentimes, that leads to the refinement of the engine, but oftentimes Semgrep ends up flagging a lot of false positive values. If the name of a variable or any text in the code has the word secret in it, then it flags it as a secret violation or as a secret finding, which may not be the case. It might just be a false positive. It might just be a variable called secret but may not contain a value that is actually secret information.

    Of course, there are a bunch of additions and improvements that can be done on Semgrep, but it is an open-source tool. I have at least used the open-source version of it. Of course, that comes only with the CLI. The UI and additional dashboarding and other details would definitely make the tool more user-friendly and more of a candidate to be implemented in an enterprise such as the one that I work for. I have not seen any other areas where Semgrep could be improved, aside from the false positives and dashboarding mentioned earlier.

    What do I think about the scalability of the solution?

    I give Semgrep a six out of 10 simply because there are other tools that are better than this out there. This is an open-source tool, so it absolutely does the job, but if you were to implement a tool such as this in an enterprise, this would probably not be scalable.

    What other advice do I have?

    My advice to others looking into using Semgrep is to keep in mind that this is an open-source tool. I gave Semgrep an overall rating of 6.5 out of 10.

    Nitish U.

    Accurate Results and a Polished UI from Semgrep

    Reviewed on Apr 13, 2026
    Review provided by G2

    What do you like best about the product?

    Accuracy, UI. Semgrep AI assistant. Semgrep SCA reachability matrix.

    What do you dislike about the product?

    Bugs, crashes. Frequent issues in PR scans.

    What problems is the product solving and how is that benefiting you?

    SAST, code review, supply chain issues.

    Francisco Javier Vergara

    Automated dependency checks have improved our workflows but remain complex and costly to manage

    Reviewed on Mar 20, 2026
    Review provided by PeerSpot

    What is our primary use case?

    I use Semgrep mainly for its software composition analysis capabilities to identify vulnerabilities in dependencies used in our applications. Every time a new feature is developed or a new version of an application is released, it is run against Semgrep using our CI/CD pipelines to identify any new vulnerabilities.

    What is most valuable?

    The best part of Semgrep is its ease of integration with CI/CD pipelines and how it is a developer-friendly tool. The interface is really focused on presenting developers what needs to be done, what vulnerabilities have been found, and what packages are affected. Whenever a developer enters the application, they do not need much context because it is really clear what needs to be done based on what the application shows.

    Semgrep removes a lot of stress from the product security team since there is now an automated way of checking for vulnerabilities in our software. It has reduced manual work and saved a lot of time since containers no longer need to be manually checked with Semgrep, and we do not even need to check whenever there is a new version. In our automated pipelines, every time there is a new version, the containers get scanned and if something critical or high is detected, we are automatically notified.

    Semgrep is scalable and works well across multiple repositories and projects, especially when integrated with CI/CD pipelines as is our case.

    What needs improvement?

    The coverage of Semgrep could be a bit better, as there are other tools that are more specialized in other areas of security. Semgrep as an SCA tool is adequate, but if you want to use some other parts of it, you get a high price tag. More advanced dependency analysis features in the SCA part and deeper vulnerability databases would be beneficial.

    Semgrep is mostly used because it is considered an industry standard, and many of our customers use Semgrep, so they expect us to use it as well. However, as a tool it is really complex to maintain and to use, and it has a huge price tag.

    For how long have I used the solution?

    I have used Semgrep for one year.

    What do I think about the stability of the solution?

    There have been no stability issues.

    What do I think about the scalability of the solution?

    There have been no scalability issues.

    How are customer service and support?

    Customer support is really good and there is also strong community support.

    Which solution did I use previously and why did I switch?

    Trivy was previously used, and the switch to Semgrep was made basically because it is the tool that our customers expect us to use.

    How was the initial setup?

    The setup was quite straightforward and the pricing model is quite flexible. The setup at the beginning was quick, and we managed to get our pipelines running easily enough and fast enough.

    What was our ROI?

    Although there are no metrics available, an improvement in efficiency has been seen since manual labor is not required as much as before. This can be translated to being able to do the same amount of work with fewer technicians.

    Which other solutions did I evaluate?

    Semgrep is considered an alternate solution to other tools.

    What other advice do I have?

    The first thing you need to do is to integrate Semgrep with your CI/CD pipelines and once they are running, invest time in reading documentation and getting yourself familiar with all of the products offered and all of the capabilities available. Semgrep was found through the peer link navigator that was provided via a LinkedIn message. The overall review rating for this product is 6 out of 10.

    Manjunath Maneppagol

    Context-aware code analysis has reduced noise and now improves developer experience with actionable security findings

    Reviewed on Nov 28, 2025
    Review from a verified AWS customer

    What is our primary use case?

    I have been working with Semgrep for almost a year, approximately six to eight months on and off. In my current organization, I have strong experience with SAST solution POCs, and I have conducted POCs for Semgrep, Checkmarx, Snyk, and SonarQube to evaluate SAST capabilities.

    Our primary use case for Semgrep is to identify static code vulnerabilities and SAST vulnerabilities. Every other organization or vendor claims to offer this capability, but Semgrep is built differently compared to all these traditional tools. I have almost a decade of experience using various SAST tools, and Semgrep not only looks at particular code but understands the entire code to get context around whether an issue is real or not through context analysis.

    One of the primary use cases for us is also the shift-left approach, which means improving our developer experience. Our developers do not want to wait until they commit changes to GitHub or build it. They want synchronous feedback directly within their IDE. Semgrep provides an IDE integration and also supports an MCP gateway. Additionally, secrets scanning is another important use case for us.

    What is most valuable?

    The seamless integration of Semgrep into our existing platform is what I really appreciate. It is very easy, I was able to integrate and onboard it in just 10 to 15 minutes. This is in stark contrast to dealing with different SAST tools about integration across thousands of repos.

    Another great feature is that Semgrep greatly reduces the noise compared to other SAST tools. After scanning through the codebase and understanding it, Semgrep has a capability called AI analysis or AI triage. When you triage with AI, it gathers context around the finding and reduces the noise about 80 to 90 percent of the time, asking you to focus only on findings that really matter.

    Another excellent experience I had with Semgrep is when there was a finding that AI was not able to correctly diagnose or identify whether it was an actual finding or not. It reported it as a vulnerability, but when I verified it as a security engineer, I determined it was not a vulnerability in our case because we have compensatory controls in place. When I indicate this, Semgrep asks if it can apply the same logic to other similar findings. With a single click, it reduces a lot of noise for me, saving a huge amount of my time and effort.

    The results are also impressive. Most solutions identify a static query like raw SQL and simply say there is a SQL injection that is critical. Semgrep, however, looks into the query file and understands the context. It recognizes that this is a SQL query without any user input or database migration script, and it assigns appropriate risk. This intelligent capability of Semgrep is what impressed me.

    Semgrep will easily fit into the ecosystem you are building or the ecosystem you are working with. It is going to increase the developer experience in terms of how easily developers are able to understand the findings. It will also increase the security posture because developers are easily able to understand and fix those findings. Overall, the application security posture and the relationship between the development community and the security engineering will improve because Semgrep integrates so seamlessly and functions very smoothly.

    What needs improvement?

    I have consistently observed that their scan time is an issue for mono repos. Sometimes with their AI-based scanning, when you triage that scan, the scan never completes or finishes, which makes it difficult. Another consistent issue is that whenever you have a new repo to onboard to the platform, the tool ideally should detect the master branch by default. However, sometimes the tool fails to identify it and will never scan it unless somebody manually looks into it and fixes the issue. Although their support team is really good, this issue was present six or eight months ago during the POC and is still present now. If it is affecting multiple customers, it should be prioritized and fixed.

    I would say that their integration aspects could have been improved. I see a lot of different security solutions that provide flexibility to the security teams based on Jira project, team divisions, Slack, and all those can be very much easily customized. Semgrep needs to work on the enhancement of their notification capabilities. Currently, they are working on identifying business logic vulnerabilities or privilege escalation vulnerabilities by looking at the code, and they should continue to focus on and improve this effort.

    Regarding stability, whenever you have a mono-repo which is a very large repository, the scan never finishes or the scan never kicks in. At that time, you have to reach out to the support team and ask them to expand the resources in the back end to fix it. This is an issue I keep seeing often on that platform.

    For how long have I used the solution?

    I have been working with Semgrep on and off for almost a year, approximately six to eight months.

    What do I think about the stability of the solution?

    I have consistently observed that their scan time is an issue. Sometimes with their AI-based scanning, when you triage that scan, the scan never completes or finishes, which makes it difficult. Another consistent issue is that whenever you have a new repo to onboard to the platform, the tool ideally should detect the master branch by default. However, if there is no master branch or default branch, the tool fails to identify it and will never scan it unless manually somebody looks into it and fixes the issue. Although their support team is really good, this issue was present six or eight months ago during the POC and is still present now. If it is affecting multiple customers, it should be prioritized and fixed.

    What do I think about the scalability of the solution?

    It is very easy to scale. When you say scaling, that means the number of users or organizations you need to onboard. I was able to control it from 10 repositories or 10 services to thousands of repositories in a couple of minutes very simply. They could potentially add some enhancements, but the platform is very much easily scalable.

    What other advice do I have?

    You should primarily focus on what your use case is and why you are moving out. If you are moving out just from the perspective of cost, I do not think Semgrep is the best solution for you. However, if you are looking for value for investment and want to have the complete visibility into your code with less noise, if you are not just looking for a SAST but are really looking for actionable results and want to improve your developer experience and feedback, then you should go for Semgrep. In my organization, it is not only me who selects the solution; I bring in developers from junior and senior levels of all experience and ask them to take a hands-on experience and give me feedback. If you want to improve the developer experience, then go for Semgrep.

    Compared to other competitors in the market, the AI-backed capability is the biggest strength of Semgrep. The seamless integration is another major advantage because I have done it for a few other solutions, some of which are extremely difficult and some are okay, but the Semgrep integration with the code repository was the smoothest. The quality of results and reduction in noise are also strengths compared to other competitors. Semgrep also has a great strength in the number of rule sets they have compared to all other vendors. While all other vendors have very limited numbers even though they claim to be enterprise, their community edition itself has close to 4,000 rules and the enterprise edition has around 20,000 rules. That is a really strong advantage.

    As for limitations, I would say that Semgrep currently just supports Jira and Slack for integrations. They should expand to different integrations like ServiceNow and other CNAP and CSPM solutions where all results can be brought into one place.

    I would rate this review an 8 out of 10.

    Shreekanth k.

    Streamlined Code Security with Semgrep

    Reviewed on Nov 18, 2025
    Review provided by G2

    What do you like best about the product?

    I appreciate using Semgrep for its robust security scanning capabilities, particularly in our code security scans for Azure Data Factory, Azure Databricks notebooks, and Python code. The setup was straightforward and integrated seamlessly into our pipeline without much hassle, demonstrating an ease of use that contrasts sharply with other tools. One of the standout features for me is the low false positive rate; it effectively identifies actual security issues without wasting time on false alerts, which makes it incredibly efficient. The built-in rules are comprehensive, covering most major languages we use and providing thorough checks for common vulnerabilities. The scan results are transparent and actionable, pinpointing the exact line in the code where issues arise and offering clear guidance on how to fix them, significantly speeding up remediation. I also find the performance to be solid, not hindering our build processes with delays. Additionally, after investing time in learning how to write custom rules tailored to our specific needs, I realized the powerful flexibility Semgrep offers. Overall, it has markedly enhanced our code review process by focusing attention on genuine issues and aiding in the early detection of security concerns. This has ultimately strengthened our development workflow and reduced the time spent on security risks. I wholeheartedly recommend Semgrep as a practical SAST tool that delivers exceptional results while being manageable to maintain.

    What do you dislike about the product?

    The custom rule syntax took some time to learn and was not intuitive initially. Additionally, sometimes Semgrep misses complex security patterns that span multiple functions or files, necessitating manual reviews for such cases. Furthermore, the rule documentation could be improved with more real-world examples. Better integration with our specific IDE and possibly some AI-assisted rule suggestions based on our code base patterns would also be beneficial.

    What problems is the product solving and how is that benefiting you?

    I use Semgrep to catch security vulnerabilities and code quality issues early, saving time on manual reviews and reducing security risks. It offers actionable scan results, minimal false positives, and customizable rules, all enhancing our development efficiency.

    Verified User in Information Technology and Services

    Powerful Rule Engine and Autofix, but Governance at Scale Needs Work

    Reviewed on Nov 01, 2025
    Review provided by G2

    What do you like best about the product?

    • Flexible, transparent rule engine with clear YAML syntax and data-flow patterns, plus an extensive public registry for quick wins and customization.
    • Smooth CI/CD integration and lightweight runtime, enabling frequent scans without major impact on developer velocity.
    • Autofix capabilities (deterministic rule-based and Assistant AI-assisted) that propose or apply safe code changes, reducing mean time to remediate.

    What do you dislike about the product?

    • Governance overhead at scale; maintaining org-wide rule sets, exceptions, and updates across many repos becomes an operational burden without a dedicated owner.
    • Autofix and AI noise filtering are helpful but still evolving; effectiveness varies by language and codebase, and some teams remain cautious about applying fixes automatically.

    What problems is the product solving and how is that benefiting you?

    Semgrep is helping embed security into daily development by catching risky patterns early in pull requests and CI, which reduces rework and keeps release velocity high. Transparent, customizable rules let the team encode our own guardrails and quickly add checks for new frameworks, so coverage improves without waiting on vendor updates. AI-assisted noise filtering and autofix guidance cut triage time and help developers resolve issues faster, which lowers MTTR and helps us meet remediation SLAs more consistently.

    Operationally, fast scans and easy CI/SCM integration mean developers see actionable feedback where they work, not in a separate portal, increasing adoption and fixing rates. As a result, we've moved from sporadic security reviews to consistent, automated checks across services, with measurable gains in fix rate and fewer high-risk patterns reaching production. The net benefit is stronger secure-by-default practices with minimal productivity tax, plus lower compliance risk thanks to policy-as-code rules we can audit and evolve over time.

    Nagaraju A.

    Easy to Use with Great Functional Testing Capabilities

    Reviewed on Oct 31, 2025
    Review provided by G2

    What do you like best about the product?

    I appreciate how Semgrep excels in validating and QA testing capabilities, showing good efficacy in performing these tasks. The ease of use is particularly notable, requiring less scripting compared to other alternatives, and the initial setup process was straightforward and effortless. I value its functionality in conducting functional testing, which simplifies my tasks significantly. The test case design and resulting outcomes are particularly pleasing, enhancing my testing process. Whenever I encounter issues that other tools cannot resolve, Semgrep becomes an indispensable resource, allowing me to progress by utilizing its features effectively. Overall, I find Semgrep a worthy exploration for its functionality and user-friendly approach.

    What do you dislike about the product?

    Nothing.

    What problems is the product solving and how is that benefiting you?

    I find Semgrep improves my workflow for functional testing, making it easy to use and reducing scripting. It solves problems when other tools fail, helping me proceed further and block issues effectively.

    Hospital & Health Care

    Flexible Rules and GitHub Integration Shine, But Needs Better Product Segmentation

    Reviewed on Oct 31, 2025
    Review provided by G2

    What do you like best about the product?

    Semgrep offers a single platform for SAST and SCA solutions, which is good, but the best part is Semgrep rules; they are so flexible and easy to write that you don't need to manually do filtering or removing.

    Another feature of the tool I personally like is GitHub Actions, which will show bugs in Git itself with an AI-reviewed fixed version.

    What do you dislike about the product?

    Semgrep doesn't have product-wise segmentation, so for organizations with multiple products you will have only projects and have to use labels to categorise those products.

    What problems is the product solving and how is that benefiting you?

    It provides great SCA and SAST solutioning.

    Avneesh J.

    Effortless Code Scanning—Much Easier Than Our Old Tool

    Reviewed on Oct 28, 2025
    Review provided by G2

    What do you like best about the product?

    It's a very user-friendly tool for scanning code repositories, and I find it much easier to use compared to our previous Checkmarx scan.

    It's quite easy to integrate with our existing code repository, and results can also be filtered based on the need.

    What do you dislike about the product?

    Since we have only recently started using this tool, there is nothing we dislike about it so far.

    What problems is the product solving and how is that benefiting you?

    It's helping to find vulnerabilities in open-source software, and implementing it in our pipelines for code deployment has helped us a lot in proactively finding vulnerabilities before they reach any environment.

    Manufacturing

    Excellent Tool for Code Quality and Security.

    Reviewed on Oct 22, 2025
    Review provided by G2

    What do you like best about the product?

    It is a good tool to identify the issues and security in code which can impact the quality and security.

    What do you dislike about the product?

    The UI is not as efficient. Also, code setup creates some issues.

    What problems is the product solving and how is that benefiting you?

    This product is excellent when it comes to handling. I am quite satisfied with how well it manages tasks.