Context-aware code analysis has reduced noise and now improves developer experience with actionable security findings
What is our primary use case?
I have been working with Semgrep for almost a year, approximately six to eight months on and off. In my current organization, I have a strong experience for SAST solution POCs, and I have conducted POCs for Semgrep, Checkmarx, Snyk, and SonarQube to evaluate SAST capabilities.
Our primary use case for Semgrep is to identify static code vulnerabilities and SAST vulnerabilities. Every other organization or vendor claims to offer this capability, but Semgrep is built differently compared to all these traditional tools. I have almost a decade of experience using various SAST tools, and Semgrep not only looks at particular code but understands the entire code to get context around whether an issue is real or not through context analysis.
One of the primary use case for us is also the shift-left approach, which means improving our developer experience. Our developers do not want to wait until they commit changes to GitHub or build it. They want synchronous feedback directly within their IDE. Semgrep provides an IDE integration and also supports MCP gateway. Additionally, secrets scanning is another important use case for us.
What is most valuable?
The seamless integration of Semgrep into our existing platform is what I really appreciate. It is very easy, I was able to integrate and onboard it in just 10 to 15 minutes. This is in stark contrast to dealing with different SAST tools about integration across thousands of repos.
Another great feature is that Semgrep greatly reduces the noise compared to other SAST tools. After scanning through the codebase and understanding it, Semgrep has a capability called AI analysis or AI triage. When you triage with AI, it gathers context around the finding and reduces the noise about 80 to 90 percent of the time, asking you to focus only on findings that really matter.
Another excellent experience I had with Semgrep is when there was a finding that AI was not able to correctly diagnose or identify whether it was an actual finding or not. It reported it as a vulnerability, but when I verified it as a security engineer, I determined it was not a vulnerability in our case because we have compensatory controls in place. When I indicate this, Semgrep asks if it can apply the same logic to other similar findings. With a single click, it reduces a lot of noise for me, saving a huge amount of my time and effort.
The results are also impressive. Most solutions identify a static query like raw SQL and simply say there is a SQL injection that is critical. Semgrep, however, looks into the query file and understands the context. It recognizes that this is a SQL query without any user input or database migration script, and it assigns appropriate risk. This intelligent capability of Semgrep is what impressed me.
Semgrep will easily fit into the ecosystem you are building or the ecosystem you are working with. It is going to increase the developer experience in terms of how easily developers are able to understand the findings. It will also increase the security posture because developers are easily able to understand and fix those findings. Overall, the application security posture and the relationship between the development community and the security engineering will improve because Semgrep integrates so seamlessly and functions very smoothly.
What needs improvement?
I have consistently observed that their scan time is an issue for mono repos. Sometimes with their AI-based scanning, when you triage that scan, the scan never completes or finishes(, which makes it difficult. Another consistent issue is that whenever you have a new repo to onboard to the platform, the tool ideally should detect the master branch by default. However, sometimes the tool fails to identify it and will never scan it unless manually somebody looks into it and fixes the issue. Although their support team is really good, this issue was present six or eight months ago during the POC and is still present now. If it is affecting multiple customers, it should be prioritized and fixed.
I would say that their integration aspects could have been improved. I see a lot of different security solutions that provide flexibility to the security teams based on Jira project, team divisions, Slack, and all those can be very much easily customized. Semgrep needs to work on the enhancement of their notification capabilities. Currently, they are working on identifying business logic vulnerabilities or privilege escalation vulnerabilities by looking at the code, and they should continue to focus on and improve this effort.
Regarding stability, whenever you have a mono-repo which is a very large repository, the scan never finishes or the scan never kicks in. At that time, you have to reach out to the support team and ask them to expand the resources in the back end to fix it. This is an issue I keep seeing often on that platform.
For how long have I used the solution?
I have been working with Semgrep on and off for almost a year, approximately six to eight months.
What do I think about the stability of the solution?
I have consistently observed that their scan time is an issue. Sometimes with their AI-based scanning, when you triage that scan, the scan never completes or finishes, which makes it difficult. Another consistent issue is that whenever you have a new repo to onboard to the platform, the tool ideally should detect the master branch by default. However, if there is no master branch or default branch, the tool fails to identify it and will never scan it unless manually somebody looks into it and fixes the issue. Although their support team is really good, this issue was present six or eight months ago during the POC and is still present now. If it is affecting multiple customers, it should be prioritized and fixed.
I would say that their integration aspects could have been improved. I see a lot of different security solutions that provide flexibility to the security teams based on Jira project, team divisions, Slack, and all those can be very much easily customized. Semgrep needs to work on the enhancement of their notification capabilities. Currently, they are working on identifying business logic vulnerabilities or privilege escalation vulnerabilities by looking at the code, and they should continue to focus on and improve this effort.
Regarding stability, whenever you have a mono-repo which is a very large repository, the scan never finishes or the scan never kicks in. At that time, you have to reach out to the support team and ask them to expand the resources in the back end to fix it. This is an issue I keep seeing often on that platform.
What do I think about the scalability of the solution?
It is very easy to scale. When you say scaling, that means the number of users or organizations you need to onboard. I was able to control it from 10 repositories or 10 services to thousands of repositories in a couple of minutes very simply. They could potentially add some enhancements, but the platform is very much easily scalable.
What other advice do I have?
You should primarily focus on what your use case is and why you are moving out. If you are moving out just from the perspective of cost, I do not think Semgrep is the best solution for you. However, if you are looking for value for investment and want to have the complete visibility into your code with less noise, if you are not just looking for a SAST but are really looking for actionable results and want to improve your developer experience and feedback, then you should go for Semgrep. In my organization, it is not only me who selects the solution; I bring in developers from junior and senior levels of all experience and ask them to take a hands-on experience and give me feedback. If you want to improve the developer experience, then go for Semgrep.
Compared to other competitors in the market, the AI-backed capability is the biggest strength of Semgrep. The seamless integration is another major advantage because I have done it for a few other solutions, some of which are extremely difficult and some are okay, but the Semgrep integration with the code repository was the smoothest. The quality of results and reduction in noise are also strengths compared to other competitors. Semgrep also has a great strength in the number of rule sets they have compared to all other vendors. While all other vendors have very limited numbers even though they claim to be enterprise, their community edition itself has close to 4,000 rules and the enterprise edition has around 20,000 rules. That is a really strong advantage.
As for limitations, I would say that Semgrep currently just supports Jira and Slack for integrations. They should expand to different integrations like ServiceNow and other CNAP and CSPM solutions where all results can be brought into one place.
I would rate this review an 8 out of 10.
Streamlined Code Security with Semgrep
What do you like best about the product?
I appreciate using Semgrep for its robust security scanning capabilities, particularly in our code security scans for Azure Data Factory, Azure Databricks notebooks, and Python code. The setup was straightforward and integrated seamlessly into our pipeline without much hassle, demonstrating an ease of use that contrasts sharply with other tools. One of the standout features for me is the low false positive rate; it effectively identifies actual security issues without wasting time on false alerts, which makes it incredibly efficient. The built-in rules are comprehensive, covering most major languages we use and providing thorough checks for common vulnerabilities. The scan results are transparent and actionable, pinpointing the exact line in the code where issues arise and offering clear guidance on how to fix them, significantly speeding up remediation. I also find the performance to be solid, not hindering our build processes with delays. Additionally, after investing time in learning how to write custom rules tailored to our specific needs, I realized the powerful flexibility Semgrep offers. Overall, it has markedly enhanced our code review process by focusing attention on genuine issues and aiding in the early detection of security concerns. This has ultimately strengthened our development workflow and reduced the time spent on security risks. I wholeheartedly recommend Semgrep as a practical SAST tool that delivers exceptional results while being manageable to maintain.
What do you dislike about the product?
The custom rule syntax took some time to learn and was not intuitive initially. Additionally, sometimes Semgrep misses complex security patterns that span multiple functions or files, necessitating manual reviews for such cases. Furthermore, the rule documentation could be improved with more real-world examples. Better integration with our specific IDE and possibly some AI-assisted rule suggestions based on our code base patterns would also be beneficial.
What problems is the product solving and how is that benefiting you?
I use Semgrep to catch security vulnerabilities and code quality issues early, saving time on manual reviews and reducing security risks. It offers actionable scan results, minimal false positives, and customizable rules, all enhancing our development efficiency.
Powerful Rule Engine and Autofix, but Governance at Scale Needs Work
What do you like best about the product?
Flexible, transparent rule engine with clear YAML syntax and data‑flow patterns, plus an extensive public registry for quick wins and customization.
• Smooth CI/CD integration and lightweight runtime, enabling frequent scans without major impact on developer velocity.
• Autofix capabilities (deterministic rule‑based and Assistant AI‑assisted) that propose or apply safe code changes, reducing mean time to remediate
What do you dislike about the product?
Governance overhead at scale; maintaining org‑wide rule sets, exceptions, and updates across many repos becomes an operational burden without a dedicated owner.
• Autofix and AI noise filtering are helpful but still evolving; effectiveness varies by language and codebase, and some teams remain cautious about applying fixes automatically.
What problems is the product solving and how is that benefiting you?
Semgrep is helping embed security into daily development by catching risky patterns early in pull requests and CI, which reduces rework and keeps release velocity high. Transparent, customizable rules let the team encode our own guardrails and quickly add checks for new frameworks, so coverage improves without waiting on vendor updates. AI‑assisted noise filtering and autofix guidance cut triage time and help developers resolve issues faster, which lowers MTTR and helps us meet remediation SLAs more consistently.
Operationally, fast scans and easy CI/SCM integration mean developers see actionable feedback where they work, not in a separate portal, increasing adoption and fixing rates. As a result, we’ve moved from sporadic security reviews to consistent, automated checks across services, with measurable gains in fix rate and fewer high‑risk patterns reaching production. The net benefit is stronger secure‑by‑default practices with minimal productivity tax, plus lower compliance risk thanks to policy‑as‑code rules we can audit and evolve over time.
Easy to Use with Great Functional Testing Capabilities
What do you like best about the product?
I appreciate how Semgrep excels in validating and QA testing capabilities, showing good efficacy in performing these tasks. The ease of use is particularly notable, requiring less scripting compared to other alternatives, and the initial setup process was straightforward and effortless. I value its functionality in conducting functional testing, which simplifies my tasks significantly. The test case design and resulting outcomes are particularly pleasing, enhancing my testing process. Whenever I encounter issues that other tools cannot resolve, Semgrep becomes an indispensable resource, allowing me to progress by utilizing its features effectively. Overall, I find Semgrep a worthy exploration for its functionality and user-friendly approach.
What do you dislike about the product?
Nothing
What problems is the product solving and how is that benefiting you?
I find Semgrep improves my workflow for functional testing, making it easy to use and reducing scripting. It solves problems when other tools fail, helping me proceed further and block issues effectively.
Flexible Rules and GitHub Integration Shine, But Needs Better Product Segmentation
What do you like best about the product?
Semgrep offers a single platform for SAST and SCA solutions which is good, but the best part is semgrep rules they are so flexible and easy to write that you dont need to manually do filtering or removing.
The tool has another feature I personally like is github actions that will show bugs in git itself with an AI reviewed fixed version.
What do you dislike about the product?
Semgrep doesnt have Product wise segmentation like for organizations with multiple products you will have only projects and have to use labels to categorise those products.
What problems is the product solving and how is that benefiting you?
It provides great SCA and SAST solutioning.
Effortless Code Scanning—Much Easier Than Our Old Tool
What do you like best about the product?
It's a very user-friendly tool for scanning code repositories, and I find it much easier to use compared to our previous Checkmarx scan.
Its quiet easy to integrate with our existing code repository and can also be filtered based on the need.
What do you dislike about the product?
Since we have only recently started using this tool, there is nothing we dislike about it so far.
What problems is the product solving and how is that benefiting you?
Its helping to find out the vulnerability with open-source softwares and implemented in our pipelines for code deployment has helped us a lot to proactively finding out the vulnerability before reaching of any environment.
Excellent Tool for Code Quality and Security.
What do you like best about the product?
It is a good tool to identify the issues and security in code which can impact the quality and security.
What do you dislike about the product?
The UI is not as efficient. Also code setup creates some issues.
What problems is the product solving and how is that benefiting you?
This product is excellent when it comes to handling. I am quite satisfied with how well it manages tasks.
Powerful, Customizable Static Analysis with Fast Scans—Some Learning Curve and Tuning Needed
What do you like best about the product?
Semgrep is a static analysis tool that enables developers to create custom rules using an intuitive pattern-matching syntax, which closely mirrors the code being reviewed. It offers support for a variety of programming languages, including Python, JavaScript, Java, and Go, among others. With Semgrep, users can identify security vulnerabilities, address code quality concerns, and enforce coding standards effectively. Many developers value its seamless integration with CI/CD pipelines, the ability to run scans locally during development, and the flexibility to craft rules tailored to their organization's codebase. The tool is known for its rapid scanning capabilities and lower false positive rates when compared to more traditional static analysis solutions. Additionally, Semgrep is available in both open-source and commercial versions, with advanced features such as centralized rule management and options for team collaboration.
What do you dislike about the product?
Static analysis tools can present certain limitations, such as generating false positives that must be manually reviewed. They may also struggle to identify complex runtime vulnerabilities or logic flaws that only become apparent during execution. Maintaining and tuning rules to keep up with evolving codebases is an ongoing requirement. Some users note that creating custom rules involves a learning curve, particularly when mastering the pattern-matching syntax. Comprehensive scans of large codebases can also affect CI/CD pipeline performance. While these tools are strong in pattern matching, they might overlook context-dependent vulnerabilities that require more advanced semantic analysis. As a result, teams often need to dedicate time to configuring rules in order to minimize noise and prioritize findings relevant to their specific technology stack.
What problems is the product solving and how is that benefiting you?
It lacks the option to manually trigger a code scan, specifically for static scans.
Fast, Accurate, and Seamless Integration with GitHub
What do you like best about the product?
The feedback is fast and actionable, which makes it easy to address issues quickly. I also appreciate the reduced number of false positives, as it saves time and effort. Integration with GitHub and Actions is seamless, making the workflow smooth. The accuracy is high, and the support for a wide range of languages is another strong point.
What do you dislike about the product?
Semgrep is quite narrowly focused, concentrating primarily on security and lacking built-in scanning capabilities for other important areas such as secrets detection, infrastructure as code, or container security. There is also a learning curve to consider; crafting effective and custom rules demands a certain level of expertise, which can be particularly challenging when dealing with more complex vulnerabilities. Additionally, Semgrep on its own provides limited context, so without supplementary tools, it can be difficult to determine if a vulnerability is truly exploitable or reachable at runtime. This limitation can make it harder to properly prioritize issues.
What problems is the product solving and how is that benefiting you?
Semgrep helps assisting developers and security teams in identifying bugs, vulnerabilities, and enforcing coding standards. It analyzes source code to detect patterns that correspond to predefined rules, which makes it valuable for code reviews, security audits, and maintaining overall code quality. Semgrep will be our new default SAST tool as we begin to phase out the current tool which is outdated and cumbersome to use.
Great Experience, But UI Could Be More User-Friendly
What do you like best about the product?
Semgrep is one of the super easy and most lightweight tools for detecting security vulnerabilities in our codebase. It also enables us to scan our local repositories and can be integrated with our CI/CD pipeline to provide continuous code scanning. We prefer using it with almost all of our applications to feel more confident.
What do you dislike about the product?
There isn't much to complain about, but I do think the user interface could be cleaner and more user-friendly.
What problems is the product solving and how is that benefiting you?
The platform offers vulnerability scanning and helps keep applications free of bugs. It also provides automated code scanning through the CI/CD pipeline and supports scanning for multiple programming languages.
