Application Security Platform
Semgrep, Inc.
Reviews from AWS customers
0 AWS reviews
5 star: 0
4 star: 0
3 star: 0
2 star: 0
1 star: 0
External reviews
52 reviews
External reviews are not included in the AWS star rating for the product.
Powerful Rule Engine and Autofix, but Governance at Scale Needs Work
What do you like best about the product?
• Flexible, transparent rule engine with clear YAML syntax and data‑flow patterns, plus an extensive public registry for quick wins and customization.
• Smooth CI/CD integration and lightweight runtime, enabling frequent scans without major impact on developer velocity.
• Autofix capabilities (deterministic rule‑based and Assistant AI‑assisted) that propose or apply safe code changes, reducing mean time to remediate.
What do you dislike about the product?
• Governance overhead at scale; maintaining org‑wide rule sets, exceptions, and updates across many repos becomes an operational burden without a dedicated owner.
• Autofix and AI noise filtering are helpful but still evolving; effectiveness varies by language and codebase, and some teams remain cautious about applying fixes automatically.
What problems is the product solving and how is that benefiting you?
Semgrep is helping embed security into daily development by catching risky patterns early in pull requests and CI, which reduces rework and keeps release velocity high. Transparent, customizable rules let the team encode our own guardrails and quickly add checks for new frameworks, so coverage improves without waiting on vendor updates. AI‑assisted noise filtering and autofix guidance cut triage time and help developers resolve issues faster, which lowers MTTR and helps us meet remediation SLAs more consistently.
Operationally, fast scans and easy CI/SCM integration mean developers see actionable feedback where they work, not in a separate portal, increasing adoption and fixing rates. As a result, we’ve moved from sporadic security reviews to consistent, automated checks across services, with measurable gains in fix rate and fewer high‑risk patterns reaching production. The net benefit is stronger secure‑by‑default practices with minimal productivity tax, plus lower compliance risk thanks to policy‑as‑code rules we can audit and evolve over time.
Effortless Code Scanning—Much Easier Than Our Old Tool
What do you like best about the product?
It's a very user-friendly tool for scanning code repositories, and I find it much easier to use compared to our previous Checkmarx scan.
It's quite easy to integrate with our existing code repository, and results can also be filtered based on need.
What do you dislike about the product?
Since we have only recently started using this tool, there is nothing we dislike about it so far.
What problems is the product solving and how is that benefiting you?
It's helping to find vulnerabilities in open-source software, and implementing it in our pipelines for code deployment has helped us a lot to proactively find vulnerabilities before they reach any environment.
Excellent Tool for Code Quality and Security.
What do you like best about the product?
It is a good tool to identify issues in code which can impact quality and security.
What do you dislike about the product?
The UI is not as efficient. Also code setup creates some issues.
What problems is the product solving and how is that benefiting you?
This product is excellent when it comes to handling. I am quite satisfied with how well it manages tasks.
Powerful, Customizable Static Analysis with Fast Scans—Some Learning Curve and Tuning Needed
What do you like best about the product?
Semgrep is a static analysis tool that enables developers to create custom rules using an intuitive pattern-matching syntax, which closely mirrors the code being reviewed. It offers support for a variety of programming languages, including Python, JavaScript, Java, and Go, among others. With Semgrep, users can identify security vulnerabilities, address code quality concerns, and enforce coding standards effectively. Many developers value its seamless integration with CI/CD pipelines, the ability to run scans locally during development, and the flexibility to craft rules tailored to their organization's codebase. The tool is known for its rapid scanning capabilities and lower false positive rates when compared to more traditional static analysis solutions. Additionally, Semgrep is available in both open-source and commercial versions, with advanced features such as centralized rule management and options for team collaboration.
What do you dislike about the product?
Static analysis tools can present certain limitations, such as generating false positives that must be manually reviewed. They may also struggle to identify complex runtime vulnerabilities or logic flaws that only become apparent during execution. Maintaining and tuning rules to keep up with evolving codebases is an ongoing requirement. Some users note that creating custom rules involves a learning curve, particularly when mastering the pattern-matching syntax. Comprehensive scans of large codebases can also affect CI/CD pipeline performance. While these tools are strong in pattern matching, they might overlook context-dependent vulnerabilities that require more advanced semantic analysis. As a result, teams often need to dedicate time to configuring rules in order to minimize noise and prioritize findings relevant to their specific technology stack.
What problems is the product solving and how is that benefiting you?
It lacks the option to manually trigger a code scan, specifically for static scans.
Fast, Accurate, and Seamless Integration with GitHub
What do you like best about the product?
The feedback is fast and actionable, which makes it easy to address issues quickly. I also appreciate the reduced number of false positives, as it saves time and effort. Integration with GitHub and Actions is seamless, making the workflow smooth. The accuracy is high, and the support for a wide range of languages is another strong point.
What do you dislike about the product?
Semgrep is quite narrowly focused, concentrating primarily on security and lacking built-in scanning capabilities for other important areas such as secrets detection, infrastructure as code, or container security. There is also a learning curve to consider; crafting effective and custom rules demands a certain level of expertise, which can be particularly challenging when dealing with more complex vulnerabilities. Additionally, Semgrep on its own provides limited context, so without supplementary tools, it can be difficult to determine if a vulnerability is truly exploitable or reachable at runtime. This limitation can make it harder to properly prioritize issues.
What problems is the product solving and how is that benefiting you?
Semgrep assists developers and security teams in identifying bugs and vulnerabilities and enforcing coding standards. It analyzes source code to detect patterns that correspond to predefined rules, which makes it valuable for code reviews, security audits, and maintaining overall code quality. Semgrep will be our new default SAST tool as we begin to phase out the current tool, which is outdated and cumbersome to use.
Great Experience, But UI Could Be More User-Friendly
What do you like best about the product?
Semgrep is one of the super easy and most lightweight tools for detecting security vulnerabilities in our codebase. It also enables us to scan our local repositories and can be integrated with our CI/CD pipeline to provide continuous code scanning. We prefer using it with almost all of our applications to feel more confident.
What do you dislike about the product?
There isn't much to complain about, but I do think the user interface could be cleaner and more user-friendly.
What problems is the product solving and how is that benefiting you?
The platform offers vulnerability scanning and helps keep applications free of bugs. It also provides automated code scanning through the CI/CD pipeline and supports scanning for multiple programming languages.
Insightful Vulnerability Analysis, But Needs Automatic Analysis
What do you like best about the product?
The tool provides an analysis of detected vulnerabilities in the code and also offers suggested fixes. This feature is helpful for identifying potential issues and understanding how to address them.
What do you dislike about the product?
Currently, I have to manually trigger the analysis each time a new detection occurs, but I would prefer if the analysis happened automatically as soon as something is detected.
What problems is the product solving and how is that benefiting you?
This tool has been useful in identifying security issues within my code. It helps me catch vulnerabilities that I might have otherwise missed.
Speeds Up Bug Detection, But Rule Syntax Can Be Limiting for Complex Code
What do you like best about the product?
The best thing about Semgrep is that it helps catch bugs and enforce code standards early in development, without slowing engineers down. It’s quick, understandable, and fits naturally into the developer workflow.
What do you dislike about the product?
My main dislike is that Semgrep’s rule syntax can feel restrictive when dealing with dynamic code or frameworks that rely heavily on metaprogramming. It’s great for straightforward patterns, but deeper semantic analysis sometimes needs more manual effort.
What problems is the product solving and how is that benefiting you?
Semgrep helps catch bugs and security issues early by running fast, customizable static analysis directly in the developer workflow. It helps me maintain consistent, secure code and saves time by preventing late-stage fixes.
Clean Interface and Clear Insights, But Setup Can Be Frustrating
What do you like best about the product?
The interface is extremely clean, and all vulnerabilities are clearly highlighted.
What do you dislike about the product?
Setting up the system for the first time was quite frustrating, as I found myself needing assistance from the IT agent on several occasions.
What problems is the product solving and how is that benefiting you?
This tool was useful in identifying vulnerabilities within the code and assisted in resolving issues that appeared in production.
Semgrep: A Powerful and Customizable SAST Solution
What do you like best about the product?
The most significant advantage of Semgrep is its highly customizable rule engine and ease of rule writing. The ability to define custom rules in YAML, tailored to specific codebases and threat models, sets it apart from many other SAST solutions. This flexibility allows for precise detection of custom vulnerabilities and adherence to specific coding standards. Its lightweight nature and rapid execution in CI/CD pipelines are also highly beneficial, enabling fast feedback loops without significantly impacting build times. Furthermore, the open-source core provides transparency and allows for community contributions and audits of the rule execution. The reachability analysis in Semgrep Supply Chain is also a standout feature, significantly reducing false positives by focusing on truly exploitable vulnerabilities within third-party components.
What do you dislike about the product?
While Semgrep excels in static analysis, its narrow focus can be a limitation for organizations seeking a comprehensive application security platform. It does not natively offer integrated scanning for secrets, Infrastructure as Code (IaC), containers, or CI/CD posture, necessitating the use of additional tools for broader coverage. The initial tuning required to reduce false positives and optimize rule sets can also be an upfront investment, especially for new users or complex projects. Finally, while rule writing is a strength, the learning curve for advanced rule creation can be steep for those new to the tool or static analysis in general. The lack of robust, built-in reporting features and export options for detailed vulnerability analysis is also a notable drawback.
What problems is the product solving and how is that benefiting you?
Semgrep solves the problem of finding security vulnerabilities, bugs, and enforcing code standards early and quickly in the development lifecycle. It helps shift security left by integrating directly into development workflows, such as CI/CD pipelines and IDEs.
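Several reviewers above point to the same two things: rules written in YAML against a team's own codebase and threat model, and deterministic autofix and data‑flow (taint) patterns. As an added illustration, not code from this page and not a rule from Semgrep's public registry, here is a rule file in Semgrep's YAML rule syntax with one plain-pattern rule that carries a `fix`, and one taint-mode rule. The rule ids, the message text, and the assumed target (a Flask application that builds shell commands from request parameters) are my own assumptions; the keys used (`rules`, `id`, `languages`, `severity`, `message`, `pattern`, `fix`, `mode: taint`, `pattern-sources`, `pattern-sinks`, `pattern-sanitizers`, `pattern-either`, `focus-metavariable`, `metadata`) are part of Semgrep's documented rule schema.

```yaml
rules:
  # Plain-pattern rule with a deterministic autofix. yaml.load() called with a
  # single argument (no Loader) can instantiate arbitrary Python objects from
  # untrusted input; yaml.safe_load() is the drop-in replacement. Because the
  # pattern has exactly one argument and no "...", calls that already pass a
  # Loader= keyword are not matched. The rule id below is my own (assumption).
  - id: example-yaml-load-to-safe-load
    languages: [python]
    severity: WARNING
    message: >-
      yaml.load() without an explicit Loader can instantiate arbitrary objects
      from untrusted input; use yaml.safe_load() instead.
    pattern: yaml.load($DATA)
    fix: yaml.safe_load($DATA)
    metadata:
      category: security
      cwe: "CWE-502: Deserialization of Untrusted Data"

  # Taint-mode (data-flow) rule. A value read from a request parameter (source)
  # that reaches a shell command (sink) is reported unless it passed through
  # shlex.quote() (sanitizer) on the way. The Flask request shape is an assumed
  # target codebase; the rule id is my own (assumption). focus-metavariable
  # restricts the finding to the command argument rather than the whole call.
  - id: example-flask-param-to-shell-command
    languages: [python]
    severity: ERROR
    mode: taint
    message: >-
      Request parameter flows into a shell command ($CMD) without quoting;
      this is an OS command injection risk (CWE-78).
    pattern-sources:
      - pattern: flask.request.args.get(...)
      - pattern: flask.request.form.get(...)
    pattern-sanitizers:
      - pattern: shlex.quote(...)
    pattern-sinks:
      - patterns:
          - pattern-either:
              - pattern: subprocess.run($CMD, ..., shell=True, ...)
              - pattern: subprocess.Popen($CMD, ..., shell=True, ...)
              - pattern: os.system($CMD)
          - focus-metavariable: $CMD
    metadata:
      category: security
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
```

Saved as, say, `rules.yml` (an assumed file name), `semgrep --config rules.yml .` runs both rules locally or in CI, and `semgrep --config rules.yml --autofix .` applies the `fix` of the first rule in place; the taint rule has no `fix`, since a safe rewrite of a shell command depends on the surrounding code and is better left to a reviewer.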