
Application Security Platform

Semgrep, Inc. | 1

Reviews from AWS Marketplace

0 AWS reviews
  • 5 star: 0
  • 4 star: 0
  • 3 star: 0
  • 2 star: 0
  • 1 star: 0

External reviews

29 reviews
from G2

External reviews are not included in the AWS star rating for the product.


    Insurance

Semgrep is extremely customizable, efficient, and scalable

  • December 16, 2022
  • Review verified by G2

What do you like best about the product?
The customization helps teams shift left. I can create my own rules to avoid false positives and decide which rules block vs. comment vs. just monitor. This helps keep the noise down, makes it easy for software developers to fix findings immediately, and block vulnerabilities from production.
What do you dislike about the product?
I can't run different rulesets at different times. I'd like the ability to run a certain subset of rules in a CI/CD pipeline to block from deploying high-fidelity findings from production; while also running a larger set of best practices and lower-fidelity rules in a separate pipeline to help us with training and fixing less concerning issues that are more complex as tech debt.
What problems is the product solving and how is that benefiting you?
Securing code through static code analysis scanning efficiently in the CI/CD pipeline. Semgrep places the findings directly in PR comments, avoiding the need for software developers to access a different tool. We are able to customize rules to check for things that we care about and are more unique to our code base.


    Financial Services

Semgrep is a plus with continuous management & tracking of open vulnerabilities.

  • December 15, 2022
  • Review verified by G2

What do you like best about the product?
Useful for tracking the open vulnerabilities, repository-wise, until they're closed. I find the ability to create custom vulnerability config manually to be very useful, to extend the functionality beyond the vulnerabilities that could be picked up by existing available config templates.
What do you dislike about the product?
I think the findings could be improved. There's a limit to what static analysis tools can dig out from the code, and probably it's the limitation of the technology itself, rather than Semgrep.
What problems is the product solving and how is that benefiting you?
Picking up the bad patterns in the code very early during the development cycle. There are certain coding patterns that Semgrep picks up, which could be leading to deeper or critical security issues later.


    Insurance

Effective, efficient and eng friendly scanner

  • December 14, 2022
  • Review verified by G2

What do you like best about the product?
It's a super customizable, fast and effective tool to have as an inline scanner on the CI/CD pipeline.
What do you dislike about the product?
Nothing really. Support is amazing and, while they are still early in developing their product suite, they are super receptive to feedback.
What problems is the product solving and how is that benefiting you?
Shifting security left in an Eng friendly way


    Information Technology and Services

I got a really great experience using Semgrep to fix most vulnerabilities I had with my repo.

  • December 13, 2022
  • Review provided by G2

What do you like best about the product?
1 - Security enforcement.
2 - Finding common bugs in code.
What do you dislike about the product?
It was hard for me to set it up with my GitHub repo, so things here can be improved in the future.
What problems is the product solving and how is that benefiting you?
- Like mentioned above the ability to scan for bugs and vulnerabilities in my public repo is one of the benefits.
- CI/CD life improvement.
- Improving code security.


    Garry P.

Way better than any other tool *cough* Veracode *cough*

  • December 13, 2022
  • Review verified by G2

What do you like best about the product?
It's super easy to use and doesn't get in the way. The ability to create custom rules and easily ignore existing rules makes this tool standout above any of the other "static analysis" tools I've used to date.
What do you dislike about the product?
Honestly, there isn't much I dislike. Perhaps having buttons directly interact with the github comments would be nice?
What problems is the product solving and how is that benefiting you?
It's solving a range of issues:

* Security checks (e.g. no open S3 buckets)
* code quality (e.g. don't nest for loops or conditionals)
* Infra verification via terraform checks


    Financial Services

Easy to extend with custom rules but bumped into lots of bugs

  • December 13, 2022
  • Review verified by G2

What do you like best about the product?
Easy to add custom rules (e.g. by using the online rule editor). Also, Semgrep App has some nice, convenient features (like private rule repository).
What do you dislike about the product?
Most of the paid Semgrep features can be worked around with the open source version (e.g. using a private git repository to store private rules), so I am not 100% sure the Semgrep Team license and the whole Semgrep App are mature enough to justify the price tag.
Also, we ran into many bugs since we started to roll it out within the organization. The good news is that Semgrep Support is responsive (although with a 9-hour time zone diff); the bad news is that I require their help constantly, since I find 1-2 new bugs every week.
What problems is the product solving and how is that benefiting you?
Preventing secrets and vulnerable code from being committed to git repositories by running Semgrep automatically as part of our CI/CD pipeline.


    Biotechnology

Excellent tool for outlining security vulnerabilities within your application

  • December 12, 2022
  • Review verified by G2

What do you like best about the product?
Great analysis of vulnerabilities with ability to review, rank and update status of each incident
What do you dislike about the product?
It would be great if Semgrep did further static analysis to cover code smells and code coverage, in addition to security.
What problems is the product solving and how is that benefiting you?
It provides insights into the security vulnerabilities within our application.


    Computer Software

Good set of rules, but a bunch of false positives

  • December 09, 2022
  • Review provided by G2

What do you like best about the product?
The upsides are that code scanning is very fast, and the ruleset is complete. Rule management on the rule board is also very easy. Integrations and webhooks are a plus.
What do you dislike about the product?
The downsides are that the number of false positives for some of the rules is enormous due to the lack of taint tracking support for PHP. Improving this ruleset, or adding taint tracking for PHP would be most helpful.
What problems is the product solving and how is that benefiting you?
Semgrep is helping us scan our PHP code for first-party vulnerabilities. The most tangible benefit is better coding standards. Their SCA product is also very interesting.


    Financial Services

Quick and effective SAST and Dependency Checking

  • December 09, 2022
  • Review verified by G2

What do you like best about the product?
Super easy to implement and manage. Seamless integration into our CI pipeline, and only gets in the developers' way when it needs to. Reachability testing of dependencies is nice.
What do you dislike about the product?
Not too much to dislike. The Supply Chain/dependency scanning is new and will need more rules for reachability, but these are gradually being built.
What problems is the product solving and how is that benefiting you?
Semgrep acts as an effective guardrail, allowing developers to write code and be guided when potential vulnerabilities are introduced.


    Financial Services

Semgrep suited us very well

  • December 09, 2022
  • Review provided by G2

What do you like best about the product?
Easy integration and custom rules. The CLI makes it very easy to run tests locally.
What do you dislike about the product?
The new UI is a little confusing and the filter addition is a little slow.
What problems is the product solving and how is that benefiting you?
Helped with our SAST program