Skip to main content
    Semgrep themed logoSemgrep themed logo

    Semgrep docs

    Find bugs and reachable dependency vulnerabilities in code. Enforce your code standards on every commit.

    Scan with Semgrep AppSec Platform

    Deploy static application security testing (SAST), software composition analysis (SCA), and secrets scans from one platform.

    Get started

    Run your first Semgrep scan.

    Deploy Semgrep

    Deploy Semgrep to your organization quickly and at scale.

    Triage and remediate

    Triage and remediate findings; fine-tune guardrails for developers.

    Write rules

    Enforce your organization’s coding standards with custom rules.

    Supported languages

    ProductLanguages
    Semgrep CodeGenerally available (GA)
    C and C++ • C# • Generic • Go • Java • JavaScript • JSON • Kotlin • Python • TypeScript • Ruby • Rust • JSX • PHP • Scala • Swift • Terraform

    Beta
    APEX • Elixir

    Experimental
    Bash • Cairo • Circom • Clojure • Dart • Dockerfile • Hack • HTML • Jsonnet • Julia • Lisp • Lua • Move on Aptos • Move on Sui • OCaml• R • Scheme • Solidity • YAML • XML
    Semgrep Supply ChainGenerally available reachability
    C# • Go • Java • JavaScript and TypeScript • Kotlin • PHP • Python • Ruby • Scala • Swift

    Languages without support for reachability analysis
    Dart • Elixir • Rust
    Semgrep SecretsLanguage-agnostic; can detect 630+ types of credentials or keys.

    See the Supported languages documentation for more details.

    October 2025 release notes summary

    • Semgrep Managed Scanning is now generally available. With Managed Scans, you can add repositories to your Semgrep organization in bulk without changing your existing CI workflows, and integrate Semgrep into developer workflows through PR or MR comments.
    • Semgrep Code findings now show Assistant's true or false positive analyses more prominently, along with the memories Assistant used during analysis. The findings also present the threat model for specific security issues in the context of the code, along with a summary of each issue.
    • The /setup_semgrep_mcp command now supports Claude Code.
    • Supply Chain's reachability analysis now covers all high-severity CVEs from supported sources starting from 2017 for Go packages.
    • Added a new filter for Semgrep Assistant's AI component tags with No decision, allowing users to find findings analyzed by the Assistant, but not classified as low or high risk.

    See the latest release notes

    Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.