I think Semgrep is a must-have for every software company
What do you like best about the product?
The fact that it can scan dependencies and has so many rules configured on the spot, with a very friendly and easy-to-use UI for Semgrep Pro.
What do you dislike about the product?
I think what Semgrep needs is a feature that summarizes the overall security standing of a repository/project, and to allow the user to tell the platform the links between different repos, if there are any.
What problems is the product solving and how is that benefiting you?
I am a security official in a company with over 300 repos. The fact that Semgrep can seamlessly scan all lines of code with each change is amazing for me. It makes my work so much easier.
Enhancing Security with Semgrep
What do you like best about the product?
Since it runs fast and integrates directly into CI/CD, my team can surface issues early — from insecure function use to misconfigured patterns — before they ever hit production.
What do you dislike about the product?
Filter limitations and changing some settings at the global level using the UI. Having more advanced filtering and project-level controls would make it easier to manage findings across different environments and prioritize risks.
What problems is the product solving and how is that benefiting you?
The biggest benefit for us is automation and consistency. By integrating Semgrep into CI/CD pipelines, I can enforce secure coding practices at scale and ensure that every pull request is checked for common vulnerabilities. This reduces reliance on manual reviews, lowers the chance of critical bugs slipping into production, and frees me up to focus on more complex security work like pentesting and cloud security design.
Hands-off setup could not be easier
What do you like best about the product?
Very little had to be done on our end to set up managed scans for the entire GitHub organization. Aside from Semgrep staff adjusting things to get a scan to complete, our large codebase was running SAST scans in a few days.
GitHub PR comments show users what to do, and AI can classify many reports correctly as not needing mitigation.
What do you dislike about the product?
Semgrep's features are designed around preventing new problems from being introduced in pull requests, but those same features are not available for issues found on trunk branches - these have to be dealt with manually.
What problems is the product solving and how is that benefiting you?
Identifying potential security flaws in existing code as part of compliance for security certifications.
Fast and positive results
What do you like best about the product?
There are multiple things which are great in the Semgrep tool: first, easy integration with GSM and the CI/CD pipeline; second, the easy terminal-based code scan, which saves a lot of time and integration effort if the code is small.
What do you dislike about the product?
Nothing specific as such, since everything is good at the right price.
What problems is the product solving and how is that benefiting you?
Compared to other tools, it gives better, faster and more accurate results in its output; also, the tool's suggestion and fix feature would be helpful for long, lengthy code.
Fast, reliable, and developer-friendly static analysis tool
What do you like best about the product?
Semgrep is lightweight, very fast compared to traditional SAST tools, and integrates smoothly into CI/CD pipelines. I like that it has a strong rule ecosystem (community and Pro rules), and the ability to write custom rules makes it flexible for different coding standards and compliance needs. The dashboard provides great visibility into security findings and code quality issues, helping developers fix problems quickly without slowing them down.
What do you dislike about the product?
The initial setup for more advanced use cases can be tricky, especially when fine-tuning custom rules or managing large rule sets across multiple projects. Sometimes, there are false positives that require manual triage, and the learning curve for rule writing is a bit steep for newcomers. I would also like to see deeper integrations with more enterprise security platforms out-of-the-box.
What problems is the product solving and how is that benefiting you?
Semgrep helps us detect security vulnerabilities and coding issues early in the development lifecycle. It makes it easier to enforce secure coding standards across multiple teams without adding heavy friction to the developers’ workflow. By integrating directly into CI/CD pipelines, it reduces time-to-detection and prevents risky code from reaching production. This has improved both the security posture and the consistency of our applications while lowering the manual effort needed for code reviews.
An easy to use and fun to customize SAST tool
What do you like best about the product?
That the SAST engine returns a very small number of false positives. And the rules are fun to write. I also like the reachability analysis of the supply chain tool, so you don't get overwhelmed by false positives.
What do you dislike about the product?
There is no export report feature. Moreover, a toggle to tell the supply chain tool to report all the vulnerable dependencies, regardless of their reachability, would be useful.
What problems is the product solving and how is that benefiting you?
Helping to build secure products by writing more secure code
Semgrep experience
What do you like best about the product?
The easy customisation, custom rule creation and fast feedback for devs
What do you dislike about the product?
More products like IaC scanning or DAST; I would love to have full capabilities to scan apps.
What problems is the product solving and how is that benefiting you?
Shifting left vulnerabilities
Automated code reviews and good scalability with custom rule adaptability
What is our primary use case?
We use Semgrep to check custom user pipelines and test their claims for any vulnerabilities. We process the code by passing it through the testing process for any operability issues before sending feedback to the developers and providing the final product. This is part of the static analysis testing of the code.
How has it helped my organization?
Semgrep has supported our team in automating code reviews and allowed us to catch vulnerabilities before the final product stage. This has improved both our development cost and development speed.
What is most valuable?
The most valuable feature is the ability to write our custom rules. This adaptability allows us to cater specifically to our needs.
What needs improvement?
There should be more information on how to acquire the system, catering to beginners in application security, to make it more user-friendly.
For how long have I used the solution?
My experience with Semgrep is very recent since we started integrating it into our processes.
What do I think about the stability of the solution?
There haven't been any severe stability issues from my end.
What do I think about the scalability of the solution?
We have not faced any scalability issues. Since we are a team of only two users, Semgrep scales well for our current requirements.
How are customer service and support?
There was some difficulty in hearing the questions due to static noise, implying potential issues with communication or support on the call. However, rejoining the call resolved the problem.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
We did not switch from another product to Semgrep.
How was the initial setup?
The initial setup was straightforward, involving connecting the digital product to Semgrep. I am mainly involved in the usage aspect, and thus, I provided information from my perspective.
What about the implementation team?
We handled the setup internally within our team, and I particularly addressed it.
What was our ROI?
Semgrep has positively impacted our ROI by improving development speed and cost efficiency.
What other advice do I have?
I'd rate the solution eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Perfect code security analysis tool to check and eliminate vulnerabilities
What do you like best about the product?
The SAST engine and the wholesome dashboard make everything look great and crisp.
What do you dislike about the product?
I am not satisfied with the accuracy of the integration tools that come with it.
What problems is the product solving and how is that benefiting you?
Making it easy to shift left in security and in supply chain management security.
Just the right way to test and catch your code vulnerabilities
What do you like best about the product?
I like the SAST engine; it is powerful and capable, along with a low percentage of false positives. Apart from that, the Pro rules and lots of other built-in rules make it easy to integrate with any DevSecOps process.
What do you dislike about the product?
Currently, the newer offerings like Semgrep AI and the secrets manager do not add up perfectly.
What problems is the product solving and how is that benefiting you?
It catches the essential, critical and tainted-in-nature vulnerabilities in day-to-day code, making it a good way to follow shift-left practices.