Skip to main content
    Semgrep themed logoSemgrep themed logo

    Semgrep docs

    Find bugs and reachable dependency vulnerabilities in code. Enforce your code standards on every commit.

    Scan with Semgrep AppSec Platform

    Deploy static application security testing (SAST), software composition analysis (SCA), and secrets scans from one platform.

    Get started

    Run your first Semgrep scan.

    Deploy Semgrep

    Deploy Semgrep to your organization quickly and at scale.

    Triage and remediate

    Triage and remediate findings; fine-tune guardrails for developers.

    Write rules

    Enforce your organization’s coding standards with custom rules.

    Supported languages

    ProductLanguages
    Semgrep CodeGenerally available (GA)
    C and C++ • C# • Generic • Go • Java • JavaScript • JSON • Kotlin • Python • TypeScript • Ruby • Rust • JSX • PHP • Scala • Swift • Terraform

    Beta
    APEX • Elixir

    Experimental
    Bash • Cairo • Circom • Clojure • Dart • Dockerfile • Hack • HTML • Jsonnet • Julia • Lisp • Lua • Move on Aptos • Move on Sui • OCaml• R • Scheme • Solidity • YAML • XML
    Semgrep Supply ChainGenerally available reachability
    C# • Go • Java • JavaScript and TypeScript • Kotlin • PHP • Python • Ruby • Scala • Swift

    Languages without support for reachability analysis
    Dart • Elixir • Rust
    Semgrep SecretsLanguage-agnostic; can detect 630+ types of credentials or keys.

    See the Supported languages documentation for more details.

    December 2025 release notes summary

    • Added a new Priority tab on Findings page to display high-priority findings. Each product has default priority categories, and Semgrep admins can customize the Priority tab to control which findings appear. Admins can save Priority tab filters for all users.
    • Added a new Provisionally ignored finding status.
    • Semgrep Secrets findings are now assigned a severity of Critical. This applies to Secrets findings from scans performed after November 2025. Any existing findings from those rules will be updated to Critical after the project's next full scan.
    • Pull request comments for findings generated using Semgrep-authored rules now include Assistant-generated explanations to help developers understand the findings. The summary message can be expanded to show additional details.
    • Added support for Cursor post-generation hooks, enabling Semgrep to integrate with Cursor workflows after code generation.
    • The Findings page now has improved navigation and more intuitive links. The code path now opens the finding's Details page, and an in-product tour introduces the new layout.

    See the latest release notes

    Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.