# Semgrep Reviews
**Vendor:** Semgrep  
**Category:** [Software Composition Analysis Tools](https://www.g2.com/categories/software-composition-analysis)  
**Average Rating:** 4.6/5.0  
**Total Reviews:** 55
## About Semgrep
Semgrep is a modern static analysis (SAST), software composition analysis (SCA), and secrets detection platform designed for both developers and security teams. It combines fast, deterministic analysis with context-aware AI that triages findings like a senior security engineer. The AI Assistant helps reduce false positives, prioritize meaningful results, and offers clear remediation guidance. Its “Memories” feature learns from past decisions to further reduce triage noise over time. Semgrep also supports deep analysis of transitive dependencies, not just direct ones, helping teams surface and address hidden risks in their supply chain. It integrates well into modern development workflows and is easy to customize across environments.

## Semgrep Pros & Cons
**What users like:**

- Users value the **ease of use** of Semgrep, seamlessly integrating into workflows and enhancing developer efficiency. (16 reviews)
- Users appreciate Semgrep's **user-friendly setup and QA testing capabilities**, making it essential for effective functional testing. (14 reviews)
- Users value the **customizable vulnerability detection** in Semgrep, enhancing security in CI/CD workflows and codebases. (13 reviews)
- Users value the **scanning efficiency** of Semgrep, enabling rapid detection of issues early in the development process. (12 reviews)
- Users appreciate the **customizable rule engine** of Semgrep, enhancing security and precision in vulnerability detection. (12 reviews)
- Users value the **fast performance** of Semgrep, allowing quick identification of security issues without slowing down development. (11 reviews)
- Users value the **automated scanning** capabilities of Semgrep, effectively identifying vulnerabilities early in development. (10 reviews)
- Users appreciate the **high accuracy of findings** in Semgrep, noting minimal false positives in analysis results. (9 reviews)
- Users appreciate the **easy customization and fun rule creation** with Semgrep, enhancing development efficiency and accuracy. (9 reviews)
- Easy Integrations (9 reviews)

**What users dislike:**

- Users find Semgrep to be **not user-friendly** due to a steep learning curve and complicated initial setup processes. (7 reviews)
- Users note Semgrep's **limited features**, especially regarding broader security capabilities and management of complex findings. (6 reviews)
- Users find the **difficult learning curve** for custom rules in Semgrep a challenge, especially for newcomers and complex setups. (5 reviews)
- Users experience a **lack of guidance** with Semgrep, making it challenging to navigate custom rule creation and configuration. (5 reviews)
- Users face a **steep learning curve** with Semgrep's custom rule syntax, impacting initial setup and usability. (5 reviews)
- Learning Difficulty (5 reviews)
- Users find the **missing features** in Semgrep limiting, requiring supplementary tools for comprehensive security coverage. (5 reviews)
- Users find **code management challenging** due to tricky setups and steep learning curves for custom rules. (4 reviews)
- False Positives (4 reviews)
- Setup Complexity (4 reviews)

## Semgrep Reviews
### 1. Streamlined Code Security with Semgrep

**Rating:** 5.0/5.0 stars

**Reviewed by:** Shreekanth k. | Cloud Application Development Engineer, Enterprise (> 1000 emp.)

**Reviewed Date:** November 18, 2025

**What do you like best about Semgrep?**

I appreciate using Semgrep for its robust security scanning capabilities, particularly in our code security scans for Azure Data Factory, Azure Databricks notebooks, and Python code. The setup was straightforward and integrated seamlessly into our pipeline without much hassle, demonstrating an ease of use that contrasts sharply with other tools. One of the standout features for me is the low false positive rate; it effectively identifies actual security issues without wasting time on false alerts, which makes it incredibly efficient. The built-in rules are comprehensive, covering most major languages we use and providing thorough checks for common vulnerabilities. The scan results are transparent and actionable, pinpointing the exact line in the code where issues arise and offering clear guidance on how to fix them, significantly speeding up remediation. I also find the performance to be solid, not hindering our build processes with delays. Additionally, after investing time in learning how to write custom rules tailored to our specific needs, I realized the powerful flexibility Semgrep offers. Overall, it has markedly enhanced our code review process by focusing attention on genuine issues and aiding in the early detection of security concerns. This has ultimately strengthened our development workflow and reduced the time spent on security risks. I wholeheartedly recommend Semgrep as a practical SAST tool that delivers exceptional results while being manageable to maintain.

**What do you dislike about Semgrep?**

The custom rule syntax took some time to learn and was not intuitive initially. Additionally, sometimes Semgrep misses complex security patterns that span multiple functions or files, necessitating manual reviews for such cases. Furthermore, the rule documentation could be improved with more real-world examples. Better integration with our specific IDE and possibly some AI-assisted rule suggestions based on our code base patterns would also be beneficial.

**What problems is Semgrep solving and how is that benefiting you?**

I use Semgrep to catch security vulnerabilities and code quality issues early, saving time on manual reviews and reducing security risks. It offers actionable scan results, minimal false positives, and customizable rules, all enhancing our development efficiency.

### 2. Powerful Rule Engine and Autofix, but Governance at Scale Needs Work

**Rating:** 4.5/5.0 stars

**Reviewed by:** Verified User in Information Technology and Services | Enterprise (> 1000 emp.)

**Reviewed Date:** November 01, 2025

**What do you like best about Semgrep?**

- Flexible, transparent rule engine with clear YAML syntax and data‑flow patterns, plus an extensive public registry for quick wins and customization.
- Smooth CI/CD integration and lightweight runtime, enabling frequent scans without major impact on developer velocity.
- Autofix capabilities (deterministic rule‑based and Assistant AI‑assisted) that propose or apply safe code changes, reducing mean time to remediate.

**What do you dislike about Semgrep?**

- Governance overhead at scale; maintaining org‑wide rule sets, exceptions, and updates across many repos becomes an operational burden without a dedicated owner.
- Autofix and AI noise filtering are helpful but still evolving; effectiveness varies by language and codebase, and some teams remain cautious about applying fixes automatically.

**What problems is Semgrep solving and how is that benefiting you?**

Semgrep is helping embed security into daily development by catching risky patterns early in pull requests and CI, which reduces rework and keeps release velocity high. Transparent, customizable rules let the team encode our own guardrails and quickly add checks for new frameworks, so coverage improves without waiting on vendor updates. AI‑assisted noise filtering and autofix guidance cut triage time and help developers resolve issues faster, which lowers MTTR and helps us meet remediation SLAs more consistently.
Operationally, fast scans and easy CI/SCM integration mean developers see actionable feedback where they work, not in a separate portal, increasing adoption and fixing rates. As a result, we’ve moved from sporadic security reviews to consistent, automated checks across services, with measurable gains in fix rate and fewer high‑risk patterns reaching production. The net benefit is stronger secure‑by‑default practices with minimal productivity tax, plus lower compliance risk thanks to policy‑as‑code rules we can audit and evolve over time.

### 3. Semgrep Review

**Rating:** 5.0/5.0 stars

**Reviewed by:** Deepam . | Security Engineer, Enterprise (> 1000 emp.)

**Reviewed Date:** September 25, 2025

**What do you like best about Semgrep?**

Semgrep is one of the best tools I've used for securing applications. Since it was integrated into our DevSecOps workflow, it has been able to identify a large number of issues much earlier in the development process. Semgrep scans for potentially vulnerable packages or outdated software versions within the codebase and accurately identifies the relevant CVEs. It also provides clear information about the impact and suggests the appropriate remediation steps, so developers don't need to search online for solutions.

I've found it particularly effective at detecting hardcoded secrets, even those that other tools like Trufflehog might miss. Semgrep Supply Chain also does an excellent job of pinpointing vulnerable software versions.

Overall, I consider Semgrep essential for securing CI/CD pipelines in today's environment.

**What do you dislike about Semgrep?**

Nothing as such. It works out very well with all functionalities.

**What problems is Semgrep solving and how is that benefiting you?**

Semgrep is great at automation and for earlier identification of security issues; it saves a lot of manual effort for developers and pentesters.

### 4. Fast, reliable, and developer-friendly static analysis tool

**Rating:** 4.5/5.0 stars

**Reviewed by:** Ivo M. | Junior Information Security Analyst, Enterprise (> 1000 emp.)

**Reviewed Date:** September 05, 2025

**What do you like best about Semgrep?**

Semgrep is lightweight, very fast compared to traditional SAST tools, and integrates smoothly into CI/CD pipelines. I like that it has a strong rule ecosystem (community and Pro rules), and the ability to write custom rules makes it flexible for different coding standards and compliance needs. The dashboard provides great visibility into security findings and code quality issues, helping developers fix problems quickly without slowing them down.

**What do you dislike about Semgrep?**

The initial setup for more advanced use cases can be tricky, especially when fine-tuning custom rules or managing large rule sets across multiple projects. Sometimes, there are false positives that require manual triage, and the learning curve for rule writing is a bit steep for newcomers. I would also like to see deeper integrations with more enterprise security platforms out-of-the-box.

**What problems is Semgrep solving and how is that benefiting you?**

Semgrep helps us detect security vulnerabilities and coding issues early in the development lifecycle. It makes it easier to enforce secure coding standards across multiple teams without adding heavy friction to the developers’ workflow. By integrating directly into CI/CD pipelines, it reduces time-to-detection and prevents risky code from reaching production. This has improved both the security posture and the consistency of our applications while lowering the manual effort needed for code reviews.

### 5. Powerful, Customizable Static Analysis with Fast Scans—Some Learning Curve and Tuning Needed

**Rating:** 5.0/5.0 stars

**Reviewed by:** Verified User in Manufacturing | Enterprise (> 1000 emp.)

**Reviewed Date:** October 22, 2025

**What do you like best about Semgrep?**

Semgrep is a static analysis tool that enables developers to create custom rules using an intuitive pattern-matching syntax, which closely mirrors the code being reviewed. It offers support for a variety of programming languages, including Python, JavaScript, Java, and Go, among others. With Semgrep, users can identify security vulnerabilities, address code quality concerns, and enforce coding standards effectively. Many developers value its seamless integration with CI/CD pipelines, the ability to run scans locally during development, and the flexibility to craft rules tailored to their organization's codebase. The tool is known for its rapid scanning capabilities and lower false positive rates when compared to more traditional static analysis solutions. Additionally, Semgrep is available in both open-source and commercial versions, with advanced features such as centralized rule management and options for team collaboration.

**What do you dislike about Semgrep?**

Static analysis tools can present certain limitations, such as generating false positives that must be manually reviewed. They may also struggle to identify complex runtime vulnerabilities or logic flaws that only become apparent during execution. Maintaining and tuning rules to keep up with evolving codebases is an ongoing requirement. Some users note that creating custom rules involves a learning curve, particularly when mastering the pattern-matching syntax. Comprehensive scans of large codebases can also affect CI/CD pipeline performance. While these tools are strong in pattern matching, they might overlook context-dependent vulnerabilities that require more advanced semantic analysis. As a result, teams often need to dedicate time to configuring rules in order to minimize noise and prioritize findings relevant to their specific technology stack.

**What problems is Semgrep solving and how is that benefiting you?**

It lacks the option to manually trigger a code scan, specifically for static scans.

### 6. Fast, Accurate, and Seamless Integration with GitHub

**Rating:** 4.5/5.0 stars

**Reviewed by:** Verified User in Manufacturing | Small-Business (50 or fewer emp.)

**Reviewed Date:** October 22, 2025

**What do you like best about Semgrep?**

The feedback is fast and actionable, which makes it easy to address issues quickly. I also appreciate the reduced number of false positives, as it saves time and effort. Integration with GitHub and Actions is seamless, making the workflow smooth. The accuracy is high, and the support for a wide range of languages is another strong point.

**What do you dislike about Semgrep?**

Semgrep is quite narrowly focused, concentrating primarily on security and lacking built-in scanning capabilities for other important areas such as secrets detection, infrastructure as code, or container security. There is also a learning curve to consider; crafting effective and custom rules demands a certain level of expertise, which can be particularly challenging when dealing with more complex vulnerabilities. Additionally, Semgrep on its own provides limited context, so without supplementary tools, it can be difficult to determine if a vulnerability is truly exploitable or reachable at runtime. This limitation can make it harder to properly prioritize issues.

**What problems is Semgrep solving and how is that benefiting you?**

Semgrep assists developers and security teams in identifying bugs and vulnerabilities and enforcing coding standards. It analyzes source code to detect patterns that correspond to predefined rules, which makes it valuable for code reviews, security audits, and maintaining overall code quality. Semgrep will be our new default SAST tool as we begin to phase out the current tool, which is outdated and cumbersome to use.

### 7. Semgrep: A Powerful and Customizable SAST Solution

**Rating:** 3.5/5.0 stars

**Reviewed by:** Verified User in Information Technology and Services | Enterprise (> 1000 emp.)

**Reviewed Date:** October 21, 2025

**What do you like best about Semgrep?**

The most significant advantage of Semgrep is its highly customizable rule engine and ease of rule writing. The ability to define custom rules in YAML, tailored to specific codebases and threat models, sets it apart from many other SAST solutions. This flexibility allows for precise detection of custom vulnerabilities and adherence to specific coding standards. Its lightweight nature and rapid execution in CI/CD pipelines are also highly beneficial, enabling fast feedback loops without significantly impacting build times. Furthermore, the open-source core provides transparency and allows for community contributions and audits of the rule execution. The reachability analysis in Semgrep Supply Chain is also a standout feature, significantly reducing false positives by focusing on truly exploitable vulnerabilities within third-party components.

**What do you dislike about Semgrep?**

While Semgrep excels in static analysis, its narrow focus can be a limitation for organizations seeking a comprehensive application security platform. It does not natively offer integrated scanning for secrets, Infrastructure as Code (IaC), containers, or CI/CD posture, necessitating the use of additional tools for broader coverage. The initial tuning required to reduce false positives and optimize rule sets can also be an upfront investment, especially for new users or complex projects. Finally, while rule writing is a strength, the learning curve for advanced rule creation can be steep for those new to the tool or static analysis in general. The lack of robust, built-in reporting features and export options for detailed vulnerability analysis is also a notable drawback.

**What problems is Semgrep solving and how is that benefiting you?**

Semgrep solves the problem of finding security vulnerabilities, bugs, and enforcing code standards early and quickly in the development lifecycle. It helps shift security left by integrating directly into development workflows, such as CI/CD pipelines and IDEs.

### 8. Easy to Use with Great Functional Testing Capabilities

**Rating:** 5.0/5.0 stars

**Reviewed by:** Nagaraju A. | Delivery Manager, Mid-Market (51-1000 emp.)

**Reviewed Date:** October 31, 2025

**What do you like best about Semgrep?**

I appreciate how Semgrep excels in validating and QA testing capabilities, showing good efficacy in performing these tasks. The ease of use is particularly notable, requiring less scripting compared to other alternatives, and the initial setup process was straightforward and effortless. I value its functionality in conducting functional testing, which simplifies my tasks significantly. The test case design and resulting outcomes are particularly pleasing, enhancing my testing process. Whenever I encounter issues that other tools cannot resolve, Semgrep becomes an indispensable resource, allowing me to progress by utilizing its features effectively. Overall, I find Semgrep a worthy exploration for its functionality and user-friendly approach.

**What do you dislike about Semgrep?**

Nothing

**What problems is Semgrep solving and how is that benefiting you?**

I find Semgrep improves my workflow for functional testing, making it easy to use and reducing scripting. It solves problems when other tools fail, helping me proceed further and block issues effectively.

### 9. Great Experience, But UI Could Be More User-Friendly

**Rating:** 4.5/5.0 stars

**Reviewed by:** Mohammad A. | Product Owner, Enterprise (> 1000 emp.)

**Reviewed Date:** October 22, 2025

**What do you like best about Semgrep?**

Semgrep is one of the super easy and most lightweight tools for detecting security vulnerabilities in our codebase. It also enables us to scan our local repositories and can be integrated with our CI/CD pipeline to provide continuous code scanning. We prefer using it with almost all of our applications to feel more confident.

**What do you dislike about Semgrep?**

There isn't much to complain about, but I do think the user interface could be cleaner and more user-friendly.

**What problems is Semgrep solving and how is that benefiting you?**

The platform offers vulnerability scanning and helps keep applications free of bugs. It also provides automated code scanning through the CI/CD pipeline and supports scanning for multiple programming languages.

### 10. Effortless Code Scanning—Much Easier Than Our Old Tool

**Rating:** 5.0/5.0 stars

**Reviewed by:** Avneesh J. | Engineering manager-DevOps, Enterprise (> 1000 emp.)

**Reviewed Date:** October 28, 2025

**What do you like best about Semgrep?**

It's a very user-friendly tool for scanning code repositories, and I find it much easier to use compared to our previous Checkmarx scan.
It's quite easy to integrate with our existing code repository, and results can also be filtered based on need.

**What do you dislike about Semgrep?**

Since we have only recently started using this tool, there is nothing we dislike about it so far.

**What problems is Semgrep solving and how is that benefiting you?**

It's helping us find vulnerabilities in open-source software, and implementing it in our code deployment pipelines has helped us a lot to proactively find vulnerabilities before they reach any environment.

### 11. I think Semgrep is a must have for every Software Company

**Rating:** 4.5/5.0 stars

**Reviewed by:** Mahmoud H. | Information Security Intern, Mid-Market (51-1000 emp.)

**Reviewed Date:** September 16, 2025

**What do you like best about Semgrep?**

The fact that it can scan dependencies and has so many rules configured on the spot, with a very friendly and easy-to-use UI for SemGrep Pro.

**What do you dislike about Semgrep?**

I think what Semgrep needs is a feature that summarizes the overall security standing of a repository/project, and a way for the user to tell the platform about links between different repos, if there are any.

**What problems is Semgrep solving and how is that benefiting you?**

I am a security official in a company with over 300 repos. The fact that Semgrep can seamlessly scan all lines of code with each change is amazing for me. It makes my work so much easier.

### 12. Accurate Results and a Polished UI from Semgrep

**Rating:** 4.5/5.0 stars

**Reviewed by:** Nitish U. | Product Security Lead, Computer & Network Security, Mid-Market (51-1000 emp.)

**Reviewed Date:** April 13, 2026

**What do you like best about Semgrep?**

Accuracy, UI. Semgrep AI assistant. Semgrep SCA reachability matrix

**What do you dislike about Semgrep?**

Bugs, Crashes. Frequent issues in PR scans.

**What problems is Semgrep solving and how is that benefiting you?**

SAST, Code Review, Supply Chain issues

### 13. Enhancing Security with Semgrep

**Rating:** 4.0/5.0 stars

**Reviewed by:** Verified User in Computer Software | Mid-Market (51-1000 emp.)

**Reviewed Date:** September 12, 2025

**What do you like best about Semgrep?**

Since it runs fast and integrates directly into CI/CD, my team can surface issues early — from insecure function use to misconfigured patterns — before they ever hit production.

**What do you dislike about Semgrep?**

Filter limitations, and changing some settings at the global level using the UI. Having more advanced filtering and project-level controls would make it easier to manage findings across different environments and prioritize risks.

**What problems is Semgrep solving and how is that benefiting you?**

The biggest benefit for us is automation and consistency. By integrating Semgrep into CI/CD pipelines, I can enforce secure coding practices at scale and ensure that every pull request is checked for common vulnerabilities. This reduces reliance on manual reviews, lowers the chance of critical bugs slipping into production, and frees me up to focus on more complex security work like pentesting and cloud security design.

### 14. Fast and positive results

**Rating:** 4.5/5.0 stars

**Reviewed by:** Siddhesh J. | Senior Security Analyst & Consultant, Information Technology and Services, Mid-Market (51-1000 emp.)

**Reviewed Date:** September 08, 2025

**What do you like best about Semgrep?**

There are multiple things which are great in the SemGrep tool: first, easy integration with GSM and the CI/CD pipeline; second, an easy terminal-based code scan which saves a lot of time and integration effort if the code is small.

**What do you dislike about Semgrep?**

Nothing specific as such, since everything is good at the right price.

**What problems is Semgrep solving and how is that benefiting you?**

Compared to other tools, it gives better, faster and more accurate results in its output; also, the tool's suggestion and fix feature would be helpful for long, lengthy code.

### 15. Effortless Code Scanning, But Dynamic Issues Can Slip Through

**Rating:** 2.5/5.0 stars

**Reviewed by:** Andrew K. | Systems Administrator, Enterprise (> 1000 emp.)

**Reviewed Date:** October 21, 2025

**What do you like best about Semgrep?**

Our company has it automatically enabled to scan our code. We can click a link and see what items need to be addressed. I get a review of my code every commit.

**What do you dislike about Semgrep?**

I can hide security issues with dynamically loaded variables and methods.

**What problems is Semgrep solving and how is that benefiting you?**

Security issues that might have flown under the radar.

### 16. Hands-off setup could not be easier

**Rating:** 4.5/5.0 stars

**Reviewed by:** Verified User in Computer Software | Small-Business (50 or fewer emp.)

**Reviewed Date:** September 09, 2025

**What do you like best about Semgrep?**

Very little had to be done on our end to set up managed scans for the entire GitHub organization. Aside from Semgrep staff adjusting things to get a scan to complete, our large codebase was running SAST scans in a few days.
GitHub PR comments show users what to do, and AI can classify many reports correctly as not needing mitigation.

**What do you dislike about Semgrep?**

Semgrep's features are designed around preventing new problems from being introduced in pull requests, but those same features are not available for issues found on trunk branches; these have to be dealt with manually.

**What problems is Semgrep solving and how is that benefiting you?**

Identifying potential security flaws in existing code as part of compliance for security certifications.

### 17. Insightful Vulnerability Analysis, But Needs Automatic Analysis

**Rating:** 5.0/5.0 stars

**Reviewed by:** Verified User in Semiconductors | Enterprise (> 1000 emp.)

**Reviewed Date:** October 21, 2025

**What do you like best about Semgrep?**

The tool provides an analysis of detected vulnerabilities in the code and also offers suggested fixes. This feature is helpful for identifying potential issues and understanding how to address them.

**What do you dislike about Semgrep?**

Currently, I have to manually trigger the analysis each time a new detection occurs, but I would prefer if the analysis happened automatically as soon as something is detected.

**What problems is Semgrep solving and how is that benefiting you?**

This tool has been useful in identifying security issues within my code. It helps me catch vulnerabilities that I might have otherwise missed.

### 18. Speeds Up Bug Detection, But Rule Syntax Can Be Limiting for Complex Code

**Rating:** 4.0/5.0 stars

**Reviewed by:** Verified User in International Affairs | Enterprise (> 1000 emp.)

**Reviewed Date:** October 21, 2025

**What do you like best about Semgrep?**

The best thing about Semgrep is that it helps catch bugs and enforce code standards early in development, without slowing engineers down. It’s quick, understandable, and fits naturally into the developer workflow.

**What do you dislike about Semgrep?**

My main dislike is that Semgrep’s rule syntax can feel restrictive when dealing with dynamic code or frameworks that rely heavily on metaprogramming. It’s great for straightforward patterns, but deeper semantic analysis sometimes needs more manual effort.

**What problems is Semgrep solving and how is that benefiting you?**

Semgrep helps catch bugs and security issues early by running fast, customizable static analysis directly in the developer workflow. It helps me maintain consistent, secure code and saves time by preventing late-stage fixes.

### 19. Flexible Rules and GitHub Integration Shine, But Needs Better Product Segmentation

**Rating:** 4.5/5.0 stars

**Reviewed by:** Verified User in Hospital & Health Care | Enterprise (> 1000 emp.)

**Reviewed Date:** October 30, 2025

**What do you like best about Semgrep?**

Semgrep offers a single platform for SAST and SCA solutions, which is good, but the best part is Semgrep rules; they are so flexible and easy to write that you don't need to do manual filtering or removal.
Another feature I personally like is GitHub Actions, which will show bugs in Git itself with an AI-reviewed fixed version.

**What do you dislike about Semgrep?**

Semgrep doesn't have product-wise segmentation; for organizations with multiple products, you will have only projects and have to use labels to categorise those products.

**What problems is Semgrep solving and how is that benefiting you?**

It provides great SCA and SAST solutioning.

### 20. Clean Interface and Clear Insights, But Setup Can Be Frustrating

**Rating:** 4.0/5.0 stars

**Reviewed by:** Shuiab S. | EDA hardware engineer, Enterprise (> 1000 emp.)

**Reviewed Date:** October 21, 2025

**What do you like best about Semgrep?**

The interface is extremely clean, and all vulnerabilities are clearly highlighted.

**What do you dislike about Semgrep?**

Setting up the system for the first time was quite frustrating, as I found myself needing assistance from the IT agent on several occasions.

**What problems is Semgrep solving and how is that benefiting you?**

This tool was useful in identifying vulnerabilities within the code and assisted in resolving issues that appeared in production.

### 21. Excellent Tool for Code Quality and Security.

**Rating:** 5.0/5.0 stars

**Reviewed by:** Verified User in Manufacturing | Mid-Market (51-1000 emp.)

**Reviewed Date:** October 22, 2025

**What do you like best about Semgrep?**

It is a good tool to identify issues and security concerns in code which can impact quality and security.

**What do you dislike about Semgrep?**

The UI is not as efficient. Also code setup creates some issues.

**What problems is Semgrep solving and how is that benefiting you?**

This product is excellent when it comes to handling. I am quite satisfied with how well it manages tasks.

### 22. Amazing tool

**Rating:** 5.0/5.0 stars

**Reviewed by:** Verified User in Electrical/Electronic Manufacturing | Enterprise (> 1000 emp.)

**Reviewed Date:** September 25, 2025

**What do you like best about Semgrep?**

The tool offers all the necessary features to track and manage security vulnerabilities.

**What do you dislike about Semgrep?**

The tool is extremely useful, with all its features working exactly as intended.

**What problems is Semgrep solving and how is that benefiting you?**

Semgrep highlights all the security issues present in the tools and also offers solutions for each of them. Additionally, it provides explanations to help understand the problems and the recommended fixes.

### 23. Effortless to Use and Implement—Works Perfectly!

**Rating:** 3.0/5.0 stars

**Reviewed by:** Ryan M. | Software Application Development Engineer, Enterprise (> 1000 emp.)

**Reviewed Date:** October 21, 2025

**What do you like best about Semgrep?**

Ease of usage and implementation in your GitHub repo.

**What do you dislike about Semgrep?**

Nothing, it has worked great for me and I have had no issues.

**What problems is Semgrep solving and how is that benefiting you?**

It is helping in vulnerability scanning.

### 24. Effortless Integrations and Impressive Coverage

**Rating:** 5.0/5.0 stars

**Reviewed by:** Arnau E. | Lead Security Engineer, Enterprise (> 1000 emp.)

**Reviewed Date:** October 21, 2025

**What do you like best about Semgrep?**

Ease of integrations, broad coverage with different types of offerings.

**What do you dislike about Semgrep?**

Integrations could be better, a bit of manual effort required.

**What problems is Semgrep solving and how is that benefiting you?**

SAST, Secrets, SCA.

  ### 25. An easy to use and fun to customize SAST tool

**Rating:** 4.5/5.0 stars

**Reviewed by:** Verified User in Computer Software | Small-Business (50 or fewer emp.)

**Reviewed Date:** December 04, 2024

**What do you like best about Semgrep?**

That the SAST engine returns a very small number of false positives. And the rules are fun to write. I also like the reachability analysis of the supply chain tool, so you don't get overwhelmed by false positives.

**What do you dislike about Semgrep?**

There is no export report feature. Moreover, a toggle to tell the supply chain tool to report all the vulnerable dependencies, regardless of their reachability, would be useful.

**What problems is Semgrep solving and how is that benefiting you?**

Helping to build secure products by writing more secure code

  ### 26. Semgrep experience

**Rating:** 5.0/5.0 stars

**Reviewed by:** Verified User in Computer & Network Security | Enterprise (> 1000 emp.)

**Reviewed Date:** December 04, 2024

**What do you like best about Semgrep?**

The easy customisation, custom rule creation and fast feedback for devs

**What do you dislike about Semgrep?**

More products like IaC scanning or DAST; I would love to have full capabilities to scan apps.

**What problems is Semgrep solving and how is that benefiting you?**

Shifting left vulnerabilities

  ### 27. Just a right way to test and catch your code vulnerability

**Rating:** 4.5/5.0 stars

**Reviewed by:** Abhineet S. | DevSecOps Engineer II, Mid-Market (51-1000 emp.)

**Reviewed Date:** February 20, 2024

**What do you like best about Semgrep?**

I like the SAST engine; it is powerful and capable, along with a low percentage of false positives. Apart from that, the Pro and lots of other built-in rules make it easy to integrate with any DevSecOps process.

**What do you dislike about Semgrep?**

Currently the newer offerings like SEMGREP AI and the secrets manager do not add up perfectly.

**What problems is Semgrep solving and how is that benefiting you?**

It is catching the essential, critical and tainted-in-nature vulnerabilities in day-to-day code, making it a good way to follow shift-left practices.

  ### 28. Perfect code security analysis tool to check and eliminate vulnerabilities

**Rating:** 4.5/5.0 stars

**Reviewed by:** Shivam J. | QA Engineer, Information Technology and Services, Mid-Market (51-1000 emp.)

**Reviewed Date:** February 20, 2024

**What do you like best about Semgrep?**

The SAST engine and the wholesome dashboard make everything look great and crisp.

**What do you dislike about Semgrep?**

I am not satisfied with the accuracy of the integration tools with it.

**What problems is Semgrep solving and how is that benefiting you?**

Making it easy to shift left in security and in supply chain management security.

  ### 29. Simple yet powerful SAST & SCA

**Rating:** 4.0/5.0 stars

**Reviewed by:** Verified User in Computer Games | Mid-Market (51-1000 emp.)

**Reviewed Date:** November 07, 2023

**What do you like best about Semgrep?**

- Easy to integrate in CI/CD and custom workflows
- CLI configurations are simple
- Powerful scanning capabilities
- Supports many languages
- Reachability analysis is helpful
- Stable and reliable

**What do you dislike about Semgrep?**

- Doesn't handle Unicode chars properly in many places; if there are Unicode characters in your code then Semgrep can crash
- No GUI for the OSS version; they should at least provide a basic GUI for the OSS version

**What problems is Semgrep solving and how is that benefiting you?**

Semgrep is helping us identify vulnerabilities at the early stages of development by continuously identifying the vulnerabilities in our codebase and highlighting the vulnerable OSS libraries being used.

  ### 30. A Seamless Static Analysis Tool

**Rating:** 5.0/5.0 stars

**Reviewed by:** Kiko E. | Engineering Manager, Mid-Market (51-1000 emp.)

**Reviewed Date:** February 22, 2023

**What do you like best about Semgrep?**

One of the things that I love most about Semgrep is how easy it is to use. As a static analysis tool, it has a reputation for being intimidating or difficult to integrate into existing workflows. But with Semgrep, developers don't have to worry about that at all. It seamlessly integrates with many popular code editors, version control systems, and continuous integration tools. This means that it's a breeze to set up and start using to detect potential security vulnerabilities, performance issues, and other code quality problems.

But what's really cool about Semgrep is how it feels like a tool that's designed with developers in mind. The pre-built rules are incredibly comprehensive and cover a wide range of potential issues. But if you need to customize them for your project, it's easy to do so. And if you ever get stuck, the community is always there to help you out.

All in all, Semgrep is a powerful tool that can help developers improve the quality of their code. But more importantly, it feels like a tool that was designed to make our lives easier. And who doesn't love that?

**What do you dislike about Semgrep?**

As with any tool, Semgrep has some potential downsides to consider. Here are a few:

Learning curve: While Semgrep is generally considered to be user-friendly and easy to use, there is still a learning curve to using any new tool. Some developers may need to spend some time getting familiar with Semgrep's syntax and how to write and modify rules.

False positives/negatives: Like any static analysis tool, Semgrep can generate false positives (i.e., flagging code as problematic when it's not) or false negatives (i.e., failing to flag problematic code). This can be frustrating and may require some additional time and effort to sort out.

Resource-intensive: Depending on the size of your codebase, running Semgrep can be resource-intensive and may slow down your development process. It's important to consider this when integrating Semgrep into your workflow and ensure that your hardware and infrastructure can handle it.

Overall, these potential downsides are relatively minor compared to the benefits that Semgrep can provide. However, it's important to consider these factors when deciding whether or not Semgrep is the right tool for your project.

**What problems is Semgrep solving and how is that benefiting you?**

The problem that Semgrep is solving is that it can be difficult for developers to manually review code for potential issues. With codebases that are constantly growing and changing, it can be easy to miss potential issues or introduce new ones. Semgrep automates this process and enables developers to quickly identify and address potential issues before they become larger problems.

  ### 31. Free and open-source static code analysis tool

**Rating:** 4.5/5.0 stars

**Reviewed by:** Dhaval D. | Small-Business (50 or fewer emp.)

**Reviewed Date:** June 27, 2023

**What do you like best about Semgrep?**

- Installation is pretty straightforward
- Supports almost all programming languages
- Scans are relatively faster than other static code analysis tools
- In certain cases, I have noticed results/findings from Semgrep were more accurate

**What do you dislike about Semgrep?**

- There were quite a few false positives as well
- Other tools such as SonarQube have more features and provide thorough reports
- Troubleshooting can be difficult

**What problems is Semgrep solving and how is that benefiting you?**

In my case, I use Semgrep to find initial bugs in my code, and it works almost perfectly in almost all cases; I pass the report on to a tester to debug more and fix the same issues.

  ### 32. Amazing quality product and affordable for SMBs with great support team and community !

**Rating:** 5.0/5.0 stars

**Reviewed by:** Stéphane S. | Small-Business (50 or fewer emp.)

**Reviewed Date:** May 29, 2023

**What do you like best about Semgrep?**

Semgrep helped us in no time narrowing down important vulnerabilities and focusing on what matters thanks to Semgrep Supply Chain.

It is the product with the best ROI I would recommend adding to your SSDLC. It is fast, extendable and customizable, with a handy CLI.

**What do you dislike about Semgrep?**

Less advanced Bitbucket / Jira integration compared to GitHub but catching up fast!

**What problems is Semgrep solving and how is that benefiting you?**

Making sure we maintain cybersecurity compliance and ensure the safety of the data we process. Semgrep Supply Chain ensures we are focusing on the most important security issues first.

  ### 33. A Highly Customizable SAST

**Rating:** 5.0/5.0 stars

**Reviewed by:** Verified User in Financial Services | Mid-Market (51-1000 emp.)

**Reviewed Date:** March 24, 2023

**What do you like best about Semgrep?**

Semgrep is an easy-to-use and highly customizable static code analysis tool. Its intuitive interface and flexible rules library make running scans on any codebase effortless, big or small. With its active community of contributors and open-source nature, Semgrep is an essential tool for developers looking to enhance code quality and security quickly and efficiently.

**What do you dislike about Semgrep?**

I have not encountered any major issues while using the product so far. During onboarding, I experienced some minor UI issues, but they did not significantly impact my overall experience.

**What problems is Semgrep solving and how is that benefiting you?**

It helps identify potential issues before they become major problems, saving time and resources in the long run. By finding and fixing issues early on in the development process, developers can improve the overall quality of the codebase and reduce the likelihood of future problems.

  ### 34. Semgrep - future of SAST

**Rating:** 5.0/5.0 stars

**Reviewed by:** Aleksandr K. | Mid-Market (51-1000 emp.)

**Reviewed Date:** February 22, 2023

**What do you like best about Semgrep?**

Context-aware scanning that allows a security engineer to see true metrics on vulnerabilities in the code. Its offering of IaC shows how context-aware it can be with its custom data flows.

**What do you dislike about Semgrep?**

It's hard to name anything in particular, but the one thing that is challenging is to get onboarded with this. There is definitely a learning curve to get started with writing your own rules.

**What problems is Semgrep solving and how is that benefiting you?**

All things related to code security: putting security guardrails for developers in pre-commit stage, ensuring no secrets are ever committed, keeping our lockfiles with libraries up to date.

  ### 35. Game-changer for application security

**Rating:** 5.0/5.0 stars

**Reviewed by:** Verified User in Information Technology and Services | Mid-Market (51-1000 emp.)

**Reviewed Date:** December 30, 2022

**What do you like best about Semgrep?**

The Semgrep supply chain is a boon for application and product security teams. Backed by the already solid Semgrep engine, it can quickly surface vulnerabilities that are *actually* vulnerabilities and materially improves our security and risk management. It feels like it gave me new superpowers. I would recommend this to any security team, along with the base product. Most importantly, the r2c engineers and support team are first-rate. They are incredibly supportive and responsive, and I felt like their most important customer every step of the way.

**What do you dislike about Semgrep?**

There are very few downsides I can think of, but one that comes to mind is the ability to extend or templatize existing rules. The base rules and rulesets are good but may produce false positives without customization. I would love the ability for Semgrep to offer a way to further customize rules and layer on specificity that increase accuracy.

**What problems is Semgrep solving and how is that benefiting you?**

Semgrep saves us innumerable hours of manual work and toil. It allows us to multiply our impact, "shift left," and free up valuable time that we can use to focus on higher-impact security efforts. I can't imagine running a security program without it.

  ### 36. Semgrep is extremely customizable, efficient, and scalable

**Rating:** 4.5/5.0 stars

**Reviewed by:** Verified User in Insurance | Mid-Market (51-1000 emp.)

**Reviewed Date:** December 16, 2022

**What do you like best about Semgrep?**

The customization helps teams shift left.  I can create my own rules to avoid false positives and decide which rules block vs. comment vs. just monitor.  This helps keep the noise down, makes it easy for software developers to fix findings immediately, and block vulnerabilities from production.

**What do you dislike about Semgrep?**

I can't run different rulesets at different times.  I'd like the ability to run a certain subset of rules in a CI/CD pipeline to block from deploying high-fidelity findings from production; while also running a larger set of best practices and lower-fidelity rules in a separate pipeline to help us with training and fixing less concerning issues that are more complex as tech debt.

**What problems is Semgrep solving and how is that benefiting you?**

Securing code through static code analysis scanning efficiently in the CI/CD pipeline.  Semgrep places the findings directly in PR comments, avoiding the need for software developers to access a different tool.  We are able to customize rules to check for things that we care about and are more unique to our code base.

  ### 37. Semgrep's custom rules are the killer SAST feature

**Rating:** 5.0/5.0 stars

**Reviewed by:** Verified User in Computer Software | Mid-Market (51-1000 emp.)

**Reviewed Date:** December 08, 2022

**What do you like best about Semgrep?**

Custom rules and being able to fork + modify the existing rules make Semgrep a lot more valuable as a SAST tool. For certain rules, a couple of additional "pattern-not"s have reduced our false-positive rate by as much as 30%. That kind of thing is easy in Semgrep and pretty much impossible with all other SAST tools I've used. Many other providers claim that you don't need that capability with their tools; because they have teams of people who already improve their false-positive rate. In reality, I've found Semgrep's approach works much better to cut down on spurious results.

**What do you dislike about Semgrep?**

Semgrep App is still noticeably immature. There are many minor bugs around the editor, creating private rules, and the rule board. I haven't found any without some sort of workaround thus far, and R2C's support team is extremely responsive. On balance, the upsides of centralizing your rule management and having a single pane of glass to view all findings are worth the sometimes buggy UI and lacking features (such as the inability to delete rules published via the CLI).

**What problems is Semgrep solving and how is that benefiting you?**

Semgrep solves static analysis for us. We're using it across all of our repositories and using custom rules to catch common mistakes our team makes. Compared to our previous SAST tool (Veracode), Semgrep scans much more quickly, and our developers love how much easier it is to triage findings.

  ### 38. Easy to extend with custom rules but bumped into lots of bugs

**Rating:** 4.0/5.0 stars

**Reviewed by:** Verified User in Financial Services | Mid-Market (51-1000 emp.)

**Reviewed Date:** December 13, 2022

**What do you like best about Semgrep?**

Easy to add custom rules (e.g. by using the online rule editor). Also, Semgrep App has some nice, convenient features (like private rule repository).

**What do you dislike about Semgrep?**

Most of the paid Semgrep features can be worked around with the open source version (e.g. using a private git repository to store private rules), so I am not 100% sure the Semgrep Team license and the whole Semgrep App are mature enough to justify the price tag.
Also, we ran into many bugs since we started to roll it out within the organization. The good news is that Semgrep Support is responsive (although with 9 hours time zone diff); the bad news is that I require their help constantly since I find 1-2 new bugs every week.

**What problems is Semgrep solving and how is that benefiting you?**

Preventing secrets and vulnerable code from being committed to git repositories by running Semgrep automatically as part of our CI/CD pipeline.

  ### 39. Semgrep works really well in Devsecops environments

**Rating:** 5.0/5.0 stars

**Reviewed by:** Jovin L. | Application Security Lead, Enterprise (> 1000 emp.)

**Reviewed Date:** December 08, 2022

**What do you like best about Semgrep?**

Semgrep is quick and allows us to write additional rules very easily. This makes it very effective, and there is support for a lot of languages. The dashboard is user friendly and it's easy to look for findings reported.

**What do you dislike about Semgrep?**

Semgrep does not show correlation across multiple files. For example, if an input is not filtered and is reflected on another page where it would get rendered, it would be difficult to identify in Semgrep. Finding a way to have correlation between multiple files would be great to have.

**What problems is Semgrep solving and how is that benefiting you?**

Semgrep allows us to run a vast number of scans across a large set of repos. That helps in a DevSecOps environment.

  ### 40. Way better than any other tool *cough* verracode *cough*

**Rating:** 4.5/5.0 stars

**Reviewed by:** Garry P. | Staff Software Engineer, Mid-Market (51-1000 emp.)

**Reviewed Date:** December 13, 2022

**What do you like best about Semgrep?**

It's super easy to use and doesn't get in the way. The ability to create custom rules and easily ignore existing rules makes this tool standout above any of the other "static analysis" tools I've used to date.

**What do you dislike about Semgrep?**

Honestly, there isn't much I dislike. Perhaps having buttons directly interact with the GitHub comments would be nice?

**What problems is Semgrep solving and how is that benefiting you?**

It's solving a range of issues:

* Security checks (e.g. no open S3 buckets)
* Code quality (e.g. don't nest for loops or conditionals)
* Infra verification via Terraform checks

  ### 41. Semgrep is a plus with continuous management & tracking of open vulnerabilities.

**Rating:** 4.5/5.0 stars

**Reviewed by:** Verified User in Financial Services | Enterprise (> 1000 emp.)

**Reviewed Date:** December 15, 2022

**What do you like best about Semgrep?**

Useful for tracking the open vulnerabilities, repository wise, until they're closed. I find the ability to create custom vulnerability config manually to be very useful, to extend the functionality beyond the vulnerabilities that could be picked up by existing available config templates.

**What do you dislike about Semgrep?**

I think the findings could be improved. There's a limit to what static analysis tools can dig out from the code, and probably it's the limitation of the technology itself, rather than Semgrep.

**What problems is Semgrep solving and how is that benefiting you?**

Picking up the bad patterns in the code very early during the development cycle. There are certain coding patterns that Semgrep picks up which could lead to deeper or critical security issues later.

  ### 42. Easy to use and powerful

**Rating:** 4.5/5.0 stars

**Reviewed by:** Verified User in Information Technology and Services | Enterprise (> 1000 emp.)

**Reviewed Date:** December 29, 2022

**What do you like best about Semgrep?**

Very easy to use, no matter which language you are using. Unlike more legacy static code analysis tools, there is no need to spend a lot of time learning rule types and syntaxes; new rules can be spun up and tested very quickly. Also, results are of high quality.

**What do you dislike about Semgrep?**

Community support is not as developed, as they are pretty new. The breadth of rules and integrations is not as extensive as some other tools. However, this is improving rapidly, and the rules that are present have far fewer false positives.

**What problems is Semgrep solving and how is that benefiting you?**

We use Semgrep as part of our static code analysis process. We use a combination of community and custom rules to suit our purposes. This helps us automate the finding of common pattern matches to look out for.

  ### 43. Semgrep helped us catch security bugs while scaling and supporting our code review processes

**Rating:** 5.0/5.0 stars

**Reviewed by:** Verified User in Computer Software | Enterprise (> 1000 emp.)

**Reviewed Date:** December 08, 2022

**What do you like best about Semgrep?**

Semgrep's powerful rule language and engine blends usability with flexibility. Developers being able to write their own rules in Semgrep without knowing exactly how Semgrep works has helped us scale our deployment.

**What do you dislike about Semgrep?**

Without fine-tuning, Semgrep (like any SAST) can be pretty noisy. I know they've been working on surfacing developer feedback to rule writers and maintainers, but I still wish there was a more scalable way to reduce noise (e.g. rule change suggestions based on where developers report false positives).

**What problems is Semgrep solving and how is that benefiting you?**

We wanted to surface information about security to developers when they needed it in code review. Semgrep is helping us do that.

  ### 44. Great community driven SAST

**Rating:** 5.0/5.0 stars

**Reviewed by:** Verified User in Financial Services | Mid-Market (51-1000 emp.)

**Reviewed Date:** December 08, 2022

**What do you like best about Semgrep?**

We were sold on the idea that Semgrep was Python based and detections were community driven, while still providing us with the ability to write custom detections.

**What do you dislike about Semgrep?**

Nothing in particular. If anything, I'd like Semgrep to add GitHub Dependabot / Snyk like features so we can manage more controls around our source code through a single vendor.  The latest Supply Chain feature is a new addition.

**What problems is Semgrep solving and how is that benefiting you?**

Our static analysis needs - especially custom controls. Previously we had developed our own SAST tool, but as the company grew, we decided to move to something commercial and more robust.

  ### 45. No place for False Positives

**Rating:** 5.0/5.0 stars

**Reviewed by:** Avinash S. | Security Lead, Mid-Market (51-1000 emp.)

**Reviewed Date:** December 08, 2022

**What do you like best about Semgrep?**

It is the most efficient and simple-to-use integration for SAST.
Free, and community-driven.
Discussions on Slack channels provide valuable help and insights.

**What do you dislike about Semgrep?**

Nothing major. It is evolving in the right direction.
But a trial version would be good.

**What problems is Semgrep solving and how is that benefiting you?**

Mostly eliminating the use of multiple SAST scanners into one.

  ### 46. Semgrep is best in class for customizability, ease of use, and support

**Rating:** 4.0/5.0 stars

**Reviewed by:** Verified User in Information Technology and Services | Enterprise (> 1000 emp.)

**Reviewed Date:** December 08, 2022

**What do you like best about Semgrep?**

Semgrep makes it really easy to write rules. It's really straightforward and the UI also allows you to easily get feedback on rules as well. The dashboard is also convenient and simple to use. The customer support is also pretty amazing, in that they will help you over a meeting with issues you may have with implementation.

**What do you dislike about Semgrep?**

The binary has been buggy in the past, and has required some debugging and patching to get working correctly. However, the Semgrep team was helpful with the entire process.

**What problems is Semgrep solving and how is that benefiting you?**

It's a fantastic way to get static code analysis implemented into your CI/CD pipeline. The integration hooks seamlessly into your GitHub environment and provides a clean interface for engineers to use.

  ### 47. Quick and effective SAST and Dependency Checking

**Rating:** 4.5/5.0 stars

**Reviewed by:** Verified User in Financial Services | Mid-Market (51-1000 emp.)

**Reviewed Date:** December 09, 2022

**What do you like best about Semgrep?**

Super easy to implement and manage. Seamless integration into our CI pipeline, and it only gets in the developers' way when it needs to. Reachability testing of dependencies is nice.

**What do you dislike about Semgrep?**

Not too much to dislike. The Supply Chain/dependency scanning is new and will need more rules for reachability, but these are gradually being built.

**What problems is Semgrep solving and how is that benefiting you?**

Semgrep acts as an effective guardrail, allowing developers to write code and be guided when potential vulnerabilities are introduced.

  ### 48. Good set of rules, but a bunch of false positives

**Rating:** 3.5/5.0 stars

**Reviewed by:** Verified User in Computer Software | Enterprise (> 1000 emp.)

**Reviewed Date:** December 09, 2022

**What do you like best about Semgrep?**

The upsides are that code scanning is very fast, and the ruleset is complete. Rule management on the rule board is also very easy. Integrations and webhooks are a plus.

**What do you dislike about Semgrep?**

The downsides are that the number of false positives for some of the rules is enormous due to the lack of taint tracking support for PHP.  Improving this ruleset, or adding taint tracking for PHP would be most helpful.

**What problems is Semgrep solving and how is that benefiting you?**

Semgrep is helping us scan our PHP code for first-party vulnerabilities. The most tangible benefit is better coding standards. Their SCA product is also very interesting.

  ### 49. Excellent tool for outlining security vulnerabilities within your application

**Rating:** 4.0/5.0 stars

**Reviewed by:** Verified User in Biotechnology | Mid-Market (51-1000 emp.)

**Reviewed Date:** December 12, 2022

**What do you like best about Semgrep?**

Great analysis of vulnerabilities with ability to review, rank and update status of each incident

**What do you dislike about Semgrep?**

It would be great if Semgrep did further static analysis to cover code smells and code coverage, in addition to security.

**What problems is Semgrep solving and how is that benefiting you?**

It provides insights into the security vulnerabilities within our application.

  ### 50. Effective, efficient and eng friendly scanner

**Rating:** 5.0/5.0 stars

**Reviewed by:** Verified User in Insurance | Mid-Market (51-1000 emp.)

**Reviewed Date:** December 14, 2022

**What do you like best about Semgrep?**

It's a super customizable, fast and effective tool to have as an inline scanner on the CI/CD pipeline.

**What do you dislike about Semgrep?**

Nothing really; support is amazing, and while they are still early in developing their product suite, they are super receptive to feedback.

**What problems is Semgrep solving and how is that benefiting you?**

Shifting security left in an engineering-friendly way.



## Semgrep Integrations
  - [Azure DevOps Labs](https://www.g2.com/products/azure-devops-labs/reviews)
  - [Azure Pipelines](https://www.g2.com/products/azure-pipelines/reviews)
  - [Bitbucket](https://www.g2.com/products/bitbucket/reviews)
  - [Cursor](https://www.g2.com/products/cursor/reviews)
  - [Git](https://www.g2.com/products/git/reviews)
  - [GitHub](https://www.g2.com/products/github/reviews)
  - [Jira](https://www.g2.com/products/jira/reviews)
  - [Slack](https://www.g2.com/products/slack/reviews)
  - [Visual Studio Code](https://www.g2.com/products/visual-studio-code/reviews)

## Semgrep Features
**Administration**
- API / Integrations
- Extensibility

**Performance**
- Issue Tracking
- Detection Rate
- False Positives
- Automated Scans

**Functionality - Software Composition Analysis**
- Language Support
- Integration
- Transparency

**Documentation**
- Feedback
- Prioritization
- Remediation Suggestions

**Agentic AI - Static Code Analysis**
- Adaptive Learning
- Natural Language Interaction
- Proactive Assistance

**Performance - AI AppSec Assistants**
- Remediation
- Real-time Vulnerability Detection
- Accuracy

**Analysis**
- Reporting and Analytics
- Issue Tracking
- Static Code Analysis
- Code Analysis

**Analysis**
- Reporting and Analytics
- Issue Tracking
- Static Code Analysis
- Vulnerability Scan
- Code Analysis

**Network**
- Compliance Testing
- Perimeter Scanning
- Configuration Monitoring

**Effectiveness - Software Composition Analysis**
- Remediation Suggestions
- Continuous Monitoring
- Thorough Detection

**Security**
- False Positives
- Custom Compliance
- Agility

**Integration - AI AppSec Assistants**
- Stack Integration
- Workflow Integration
- Codebase Contextual Awareness

**Testing**
- Command-Line Tools
- Compliance Testing
- Black-Box Scanning
- Detection Rate
- False Positives

**Testing**
- Black-Box Scanning
- Detection Rate
- False Positives

**Application**
- Static Code Analysis
- Black Box Testing

**Agentic AI - Interactive Application Security Testing (IAST)**
- Autonomous Task Execution

**Agentic AI - Vulnerability Scanner**
- Autonomous Task Execution
- Proactive Assistance

**Agentic AI - Static Application Security Testing (SAST)**
- Autonomous Task Execution

## Top Semgrep Alternatives
  - [SonarQube](https://www.g2.com/products/sonarqube/reviews) - 4.4/5.0 (139 reviews)
  - [Snyk](https://www.g2.com/products/snyk/reviews) - 4.5/5.0 (132 reviews)
  - [GitHub](https://www.g2.com/products/github/reviews) - 4.7/5.0 (2,280 reviews)

