
Semgrep Reviews & Product Details

Semgrep Product Details

Pricing

Pricing provided by Semgrep.

Semgrep Code, Supply Chain, and Secrets Detection

Starting at $40.00
1 contributor Per Month

Semgrep Integrations (8), verified by Semgrep

Semgrep Media

Semgrep Demo - Semgrep Supply Chain (SCA)
Semgrep Supply Chain makes it easy to find and remediate the 2% of dependency vulnerabilities that are actually reachable in your code.
Semgrep Demo - Semgrep Code (SAST)
A SAST solution where developers actually fix the majority of issues they see. Make fix rate the north star metric of your AppSec program with Semgrep Code.
Semgrep Demo - Semgrep Secrets
Go beyond regex: leverage Semantic Analysis, entropy analysis, and validation to accurately detect and fix secrets.
Semgrep Demo - Dashboard
The Semgrep dashboard provides clear, actionable insights into code security and quality, helping teams quickly identify, prioritize, and remediate issues across their projects.
Semgrep is a code security solution that enables organizations to scale their security programs quickly and easily.

Semgrep Reviews (38)

Rating: 4.6 (38 reviews)
Deepam
Security Engineer
Enterprise (> 1000 emp.)
"Semgrep Review"
What do you like best about Semgrep?

Semgrep is one of the best tools I've used for securing applications. Since it was integrated into our DevSecOps workflow, it has been able to identify a large number of issues much earlier in the development process. Semgrep scans for potentially vulnerable packages or outdated software versions within the codebase and accurately identifies the relevant CVEs. It also provides clear information about the impact and suggests the appropriate remediation steps, so developers don't need to search online for solutions.

I've found it particularly effective at detecting hardcoded secrets, even those that other tools like Trufflehog might miss. Semgrep Supply Chain also does an excellent job of pinpointing vulnerable software versions.

Overall, I consider Semgrep essential for securing CI/CD pipelines in today's environment. Review collected by and hosted on G2.com.

What do you dislike about Semgrep?

Nothing as such. It works out very well with all functionalities.

Ivo M.
Junior Information Security Analyst
Enterprise (> 1000 emp.)
"Fast, reliable, and developer-friendly static analysis tool"
What do you like best about Semgrep?

Semgrep is lightweight, very fast compared to traditional SAST tools, and integrates smoothly into CI/CD pipelines. I like that it has a strong rule ecosystem (community and Pro rules), and the ability to write custom rules makes it flexible for different coding standards and compliance needs. The dashboard provides great visibility into security findings and code quality issues, helping developers fix problems quickly without slowing them down.

What do you dislike about Semgrep?

The initial setup for more advanced use cases can be tricky, especially when fine-tuning custom rules or managing large rule sets across multiple projects. Sometimes, there are false positives that require manual triage, and the learning curve for rule writing is a bit steep for newcomers. I would also like to see deeper integrations with more enterprise security platforms out-of-the-box.

Mahmoud H.
Information Security Intern
Mid-Market (51-1000 emp.)
"I think Semgrep is a must have for every Software Company"
What do you like best about Semgrep?

The fact that it can scan dependencies and has so many rules configured on the spot, with a very friendly and easy-to-use UI for SemGrep Pro.

What do you dislike about Semgrep?

I think what Semgrep needs is a feature that summarizes the overall security standing of a repository/project, and to allow the user to tell the platform the links between different repos, if there are any.

Verified User in Computer Software
Mid-Market (51-1000 emp.)
"Enhancing Security with Semgrep"
What do you like best about Semgrep?

Since it runs fast and integrates directly into CI/CD, my team can surface issues early — from insecure function use to misconfigured patterns — before they ever hit production.

What do you dislike about Semgrep?

Filter limitations and changing some settings at the global level using the UI. Having more advanced filtering and project-level controls would make it easier to manage findings across different environments and prioritize risks.

SJ
Senior Security Analyst & Consultant
Information Technology and Services
Mid-Market (51-1000 emp.)
"Fast and positive results"
What do you like best about Semgrep?

There are multiple things which are great in the SemGrep tool: 1st, easy integration with GSM and the CI-CD pipeline; 2nd, the easy terminal-based code scan, which saves a lot of time and integration if the code is small.

What do you dislike about Semgrep?

Nothing specific as such, since everything is good at the right price.

Verified User in Computer Software
Small-Business (50 or fewer emp.)
"Hands-off setup could not be easier"
What do you like best about Semgrep?

Very little had to be done on our end to set up managed scans for the entire GitHub organization. Aside from Semgrep staff adjusting things to get a scan to complete, our large codebase was running SAST scans in a few days.

GitHub PR comments show users what to do, and AI can classify many reports correctly as not needing mitigation.

What do you dislike about Semgrep?

Semgrep's features are designed around preventing new problems from being introduced in pull requests, but those same features are not available for issues found on trunk branches - these have to be dealt with manually.

Verified User in Electrical/Electronic Manufacturing
Enterprise (> 1000 emp.)
"Amazing tool"
What do you like best about Semgrep?

The tool offers all the necessary features to track and manage security vulnerabilities.

What do you dislike about Semgrep?

The tool is extremely useful, with all its features working exactly as intended.

Verified User in Computer Software
Small-Business (50 or fewer emp.)
"An easy to use and fun to customize SAST tool"
What do you like best about Semgrep?

That the SAST engine returns a very small number of false positives, and the rules are fun to write. I also like the reachability analysis of the supply chain tool, so you don't get overwhelmed by false positives.

What do you dislike about Semgrep?

There is no export report feature. Moreover, a toggle to tell the supply chain tool to report all the vulnerable dependencies, regardless of their reachability, would be useful.

Verified User in Computer & Network Security
Enterprise (> 1000 emp.)
"Semgrep experience"
What do you like best about Semgrep?

The easy customisation, custom rule creation, and fast feedback for devs.

What do you dislike about Semgrep?

More products like IaC scanning or DAST; I would love to have full capabilities to scan apps.

Abhineet S.
DevSecOps Engineer II
Mid-Market (51-1000 emp.)
"Just a right way to test and catch your code vulnerability"
What do you like best about Semgrep?

I like the SAST engine; it is powerful and capable, along with a low percentage of false positives. Apart from that, the Pro and many other built-in rules make it easy to integrate with any DevSecOps process.

What do you dislike about Semgrep?

Currently, the newer offerings like Semgrep AI and the secrets manager do not add up perfectly.

Semgrep Comparisons
SonarQube
Snyk
Fortify Static Code Analyzer
Semgrep Features
API / Integrations
Reporting and Analytics
Issue Tracking
Static Code Analysis
Command-Line Tools
Black-Box Scanning
Detection Rate
Feedback
Prioritization
Remediation Suggestions