Semgrep Reviews & Product Details

That the SAST engine returns a very small number of false positives. And the rules are fun to write. I also like the reachability analysis of the supply chain tool so you don't get overwhelmed by false positives Review collected by and hosted on G2.com.

There is no export report feature. Moreover it would be useful a toggle to tell the supply chain tool to report all the vulnerable dependencies, regardless of their reachability. Review collected by and hosted on G2.com.

The easy customisation, custom rule creation and fast feedback for devs Review collected by and hosted on G2.com.

More products like IaC scanning or DAST, I would love to have full capabilities to scan apps Review collected by and hosted on G2.com.

I like the SAST engine, it is powerful and capable alongwith less % of false positives. Apart from it, the pro and lot other built rules make it easy to integrate with any DevSecOps process. Review collected by and hosted on G2.com.

Currently the newer offering like SEMGREP AI and secrets manager does not add up perfectly Review collected by and hosted on G2.com.

The sast engine and the wholesome dashboard makes everything looks great and crisp Review collected by and hosted on G2.com.

I am not satisfied with the accuracy of the integration tools with it Review collected by and hosted on G2.com.

- Easy to integrate in CICD and custom workflows

- CLI configurations are simple

- Powerful scanning capabilities

- Supports many languages

- Reachability analysis is helpful

- Stable and reliable Review collected by and hosted on G2.com.

- Doesn't handle unicode chars properly at many places, if there are unicodes in your code then semgrep can crash

- No GUI for OSS version, they should atleast provide a basic GUI for OSS version Review collected by and hosted on G2.com.

One of the things that I love most about Semgrep is how easy it is to use. As a static analysis tool, it has a reputation for being intimidating or difficult to integrate into existing workflows. But with Semgrep, developers don't have to worry about that at all. It seamlessly integrates with many popular code editors, version control systems, and continuous integration tools. This means that it's a breeze to set up and start using to detect potential security vulnerabilities, performance issues, and other code quality problems.

But what's really cool about Semgrep is how it feels like a tool that's designed with developers in mind. The pre-built rules are incredibly comprehensive and cover a wide range of potential issues. But if you need to customize them for your project, it's easy to do so. And if you ever get stuck, the community is always there to help you out.

All in all, Semgrep is a powerful tool that can help developers improve the quality of their code. But more importantly, it feels like a tool that was designed to make our lives easier. And who doesn't love that? Review collected by and hosted on G2.com.

As with any tool, Semgrep has some potential downsides to consider. Here are a few:

Learning curve: While Semgrep is generally considered to be user-friendly and easy to use, there is still a learning curve to using any new tool. Some developers may need to spend some time getting familiar with Semgrep's syntax and how to write and modify rules.

False positives/negatives: Like any static analysis tool, Semgrep can generate false positives (i.e., flagging code as problematic when it's not) or false negatives (i.e., failing to flag problematic code). This can be frustrating and may require some additional time and effort to sort out.

Resource-intensive: Depending on the size of your codebase, running Semgrep can be resource-intensive and may slow down your development process. It's important to consider this when integrating Semgrep into your workflow and ensure that your hardware and infrastructure can handle it.

Overall, these potential downsides are relatively minor compared to the benefits that Semgrep can provide. However, it's important to consider these factors when deciding whether or not Semgrep is the right tool for your project. Review collected by and hosted on G2.com.

-Installation is pretty straightforward

-Supports almost all programming languages

-Scans are relatively faster than other static code analysis tool

-In certain cases, I have noticed results/findings from Semgrep were more accurate Review collected by and hosted on G2.com.

-There were quite a few false positives as well

-Other tools such as Sonarqube has more features and provides thorough reports

-Troubleshooting can be difficult Review collected by and hosted on G2.com.

Semgrep helped us in no time narrowing down important vulnerabilities and focusing on what matters thanks to Semgrep Supply Chain.

It is the product with the best ROI I would recommend to add to your SSDLC. it fast, extendable and customizable, with a handy CLI. Review collected by and hosted on G2.com.

Less advanced Bitbucket / Jira integration compared to GitHub but catching up fast! Review collected by and hosted on G2.com.

Semgrep is an easy-to-use and highly customizable static code analysis tool. Its intuitive interface and flexible rules library make running scans on any codebase effortless, big or small. With its active community of contributors and open-source nature, Semgrep is an essential tool for developers looking to enhance code quality and security quickly and efficiently. Review collected by and hosted on G2.com.

I have not encountered any major issues while using the product so far. During onboarding, I experienced some minor UI issues, but they did not significantly impact my overall experience. Review collected by and hosted on G2.com.

context aware scanning that allows a security engineer to see true metrics on vulnerabilities in the code. Its offering of IaC shows how much context aware it can be with its custom data flows. Review collected by and hosted on G2.com.

It's hard to name anything in particular, but the one thing that is challenging is to get onboarded with this. There is definitely a learning curve to get started with writing your own rules. Review collected by and hosted on G2.com.