Reviews from AWS Marketplace
0 AWS reviews
External reviews
External reviews are not included in the AWS star rating for the product.
Game-changer for application security
What do you like best about the product?
The Semgrep supply chain is a boon for application and product security teams. Backed by the already solid Semgrep engine, it can quickly surface vulnerabilities that are *actually* vulnerabilities and materially improves our security and risk management. It feels like it gave me new superpowers. I would recommend this to any security team, along with the base product. Most importantly, the r2c engineers and support team are first-rate. They are incredibly supportive and responsive, and I felt like their most important customer every step of the way.
What do you dislike about the product?
There are very few downsides I can think of, but one that comes to mind is the ability to extend or templatize existing rules. The base rules and rulesets are good but may produce false positives without customization. I would love the ability for Semgrep to offer a way to further customize rules and layer on specificity that increase accuracy.
What problems is the product solving and how is that benefiting you?
Semgrep saves us innumerable hours of manual work and toil. It allows us to multiply our impact, "shift left," and free up valuable time that we can use to focus on higher-impact security efforts. I can't imagine running a security program without it.
Easy to use and powerful
What do you like best about the product?
Very easy to use, no matter which language you are using. Unlike more legacy static code analysis tools, there is no need to spend a lot of time learning rule types and syntaxes; new rules can be spun up and tested very quickly. Also, results are of high quality.
What do you dislike about the product?
Community support is not as developed, as they are pretty new. The breadth of rules and integrations is not as extensive as some other tools. However, this is improving rapidly, and the rules that are present have far fewer false positives.
What problems is the product solving and how is that benefiting you?
We use Semgrep as part of our static code analysis process. We use a combination of community and custom rules to suit our purposes. This helps us automate the finding of common patterns to look out for.
Semgrep is extremely customizable, efficient, and scalable
What do you like best about the product?
The customization helps teams shift left. I can create my own rules to avoid false positives and decide which rules block vs. comment vs. just monitor. This helps keep the noise down, makes it easy for software developers to fix findings immediately, and block vulnerabilities from production.
What do you dislike about the product?
I can't run different rulesets at different times. I'd like the ability to run a certain subset of rules in a CI/CD pipeline to block high-fidelity findings from being deployed to production, while also running a larger set of best-practice and lower-fidelity rules in a separate pipeline to help us with training and with fixing less concerning, more complex issues as tech debt.
What problems is the product solving and how is that benefiting you?
Securing code through static code analysis scanning efficiently in the CI/CD pipeline. Semgrep places the findings directly in PR comments, avoiding the need for software developers to access a different tool. We are able to customize rules to check for things that we care about and are more unique to our code base.
Semgrep is a plus with continuous management & tracking of open vulnerabilities.
What do you like best about the product?
Useful for tracking the open vulnerabilities, repository-wise, until they're closed. I find the ability to create a custom vulnerability config manually to be very useful, to extend the functionality beyond the vulnerabilities that could be picked up by the existing available config templates.
What do you dislike about the product?
I think the findings could be improved. There's a limit to what static analysis tools can dig out from the code, and probably it's the limitation of technology itself, rather than semgrep.
What problems is the product solving and how is that benefiting you?
Picking up the bad patterns in the code very early during the development cycle. There are certain coding patterns that semgrep picks up, which could be leading to deeper or critical security issues later.
Effective, efficient and eng friendly scanner
What do you like best about the product?
It's a super customizable, fast and effective tool to have as an inline scanner on the CI/CD pipeline.
What do you dislike about the product?
Nothing really - support is amazing and while they are still early in developing their product suite, they are super receptive to feedback
What problems is the product solving and how is that benefiting you?
Shifting security left in an Eng friendly way
I got a really great experience using Semgrep to fix most vulnerabilities I had with my repo.
What do you like best about the product?
1 - Security enforcement.
2 - Finding common bugs in code.
What do you dislike about the product?
It was hard for me to set it up with my GitHub repo, so things here can be improved for the future.
What problems is the product solving and how is that benefiting you?
- Like mentioned above the ability to scan for bugs and vulnerabilities in my public repo is one of the benefits.
- CI/CD life improvement.
- Improving code security.
Way better than any other tool *cough* Veracode *cough*
What do you like best about the product?
It's super easy to use and doesn't get in the way. The ability to create custom rules and easily ignore existing rules makes this tool stand out above any of the other "static analysis" tools I've used to date.
What do you dislike about the product?
Honestly, there isn't much I dislike. Perhaps having buttons directly interact with the github comments would be nice?
What problems is the product solving and how is that benefiting you?
It's solving a range of issues:
* Security checks (e.g. no open S3 buckets)
* code quality (e.g. don't nest for loops or conditionals)
* Infra verification via terraform checks
Easy to extend with custom rules but bumped into lots of bugs
What do you like best about the product?
Easy to add custom rules (e.g. by using the online rule editor). Also, Semgrep App has some nice, convenient features (like private rule repository).
What do you dislike about the product?
Most of the paid Semgrep features can be worked around with the open source version (e.g. using a private git repository to store private rules), so I am not 100% sure the Semgrep Team license and the whole Semgrep App are mature enough to justify the price tag.
Also, we ran into many bugs since we started to roll it out within the organization. The good news is that Semgrep Support is responsive (although with a 9-hour time zone difference); the bad news is that I require their help constantly, since I find 1-2 new bugs every week.
What problems is the product solving and how is that benefiting you?
Preventing secrets and vulnerable code from being committed to git repositories by running Semgrep automatically as part of our CI/CD pipeline.
Excellent tool for outlining security vulnerabilities within your application
What do you like best about the product?
Great analysis of vulnerabilities with ability to review, rank and update status of each incident
What do you dislike about the product?
It would be great if Semgrep did further static analysis to cover code smells and code coverage, in addition to security.
What problems is the product solving and how is that benefiting you?
It provides insights into the security vulnerabilities within our application.
Good set of rules, but a bunch of false positives
What do you like best about the product?
The upsides are that code scanning is very fast, and the ruleset is complete. Rule management on the rule board is also very easy. Integrations and webhooks are a plus.
What do you dislike about the product?
The downsides are that the number of false positives for some of the rules is enormous due to the lack of taint tracking support for PHP. Improving this ruleset, or adding taint tracking for PHP would be most helpful.
What problems is the product solving and how is that benefiting you?
Semgrep is helping us scan our PHP code for first-party vulnerabilities. The most tangible benefit is better coding standards. Their SCA product is also very interesting.