reddit hackernews mail facebook facebook linkedin


Lightweight static analysis for many languages.

Semgrep accelerates your security journey by swiftly scanning code and package dependencies for known issues, software vulnerabilities, and detected secrets with unparalleled efficiency. Semgrep offers:
- Code to find bugs & vulnerabilities using custom or pre-built rules
- Supply Chain to find dependencies with known vulnerabilities
- Secrets to find hard-coded credentials that shouldn't be checked into source code

Semgrep analyzes code locally on your computer or in your build environment: by default, code is never uploaded.
Semgrep Code supports 30+ languages and Semgrep Supply Chain supports 8 languages across 15 package managers.