
Semgrep Reviews & Product Details

Pricing

Pricing provided by Semgrep.

Semgrep Code, Supply Chain, and Secrets Detection

Starting at $40.00
1 contributor Per Month

Semgrep Integrations (8)

Verified by Semgrep

Semgrep Media

Semgrep Demo - Semgrep Supply Chain (SCA)
Semgrep Supply Chain makes it easy to find and remediate the 2% of dependency vulnerabilities that are actually reachable in your code.
Semgrep Demo - Semgrep Code (SAST)
A SAST solution where developers actually fix the majority of issues they see. Make fix rate the north star metric of your AppSec program with Semgrep Code.
Semgrep Demo - Semgrep Secrets
Go beyond regex: leverage Semantic Analysis, entropy analysis, and validation to accurately detect and fix secrets.
Semgrep Demo - Dashboard
The Semgrep dashboard provides clear, actionable insights into code security and quality, helping teams quickly identify, prioritize, and remediate issues across their projects.
Semgrep is a code security solution that enables organizations to scale their security programs quickly and easily.


Semgrep Reviews (54)


4.6
54 reviews

Shreekanth k.
SK
Cloud Application Development Engineer
Enterprise (> 1000 emp.)
"Streamlined Code Security with Semgrep"
What do you like best about Semgrep?

I appreciate using Semgrep for its robust security scanning capabilities, particularly in our code security scans for Azure Data Factory, Azure Databricks notebooks, and Python code. The setup was straightforward and integrated seamlessly into our pipeline without much hassle, demonstrating an ease of use that contrasts sharply with other tools. One of the standout features for me is the low false positive rate; it effectively identifies actual security issues without wasting time on false alerts, which makes it incredibly efficient. The built-in rules are comprehensive, covering most major languages we use and providing thorough checks for common vulnerabilities. The scan results are transparent and actionable, pinpointing the exact line in the code where issues arise and offering clear guidance on how to fix them, significantly speeding up remediation. I also find the performance to be solid, not hindering our build processes with delays. Additionally, after investing time in learning how to write custom rules tailored to our specific needs, I realized the powerful flexibility Semgrep offers. Overall, it has markedly enhanced our code review process by focusing attention on genuine issues and aiding in the early detection of security concerns. This has ultimately strengthened our development workflow and reduced the time spent on security risks. I wholeheartedly recommend Semgrep as a practical SAST tool that delivers exceptional results while being manageable to maintain. Review collected by and hosted on G2.com.

What do you dislike about Semgrep?

The custom rule syntax took some time to learn and was not intuitive initially. Additionally, sometimes Semgrep misses complex security patterns that span multiple functions or files, necessitating manual reviews for such cases. Furthermore, the rule documentation could be improved with more real-world examples. Better integration with our specific IDE and possibly some AI-assisted rule suggestions based on our code base patterns would also be beneficial.

Anupam J.
AJ
IT Consultant
Enterprise (> 1000 emp.)
"Powerful Rule Engine and Autofix, but Governance at Scale Needs Work"
What do you like best about Semgrep?

• Flexible, transparent rule engine with clear YAML syntax and data‑flow patterns, plus an extensive public registry for quick wins and customization.

• Smooth CI/CD integration and lightweight runtime, enabling frequent scans without major impact on developer velocity.

• Autofix capabilities (deterministic rule‑based and Assistant AI‑assisted) that propose or apply safe code changes, reducing mean time to remediate.

What do you dislike about Semgrep?

• Governance overhead at scale; maintaining org‑wide rule sets, exceptions, and updates across many repos becomes an operational burden without a dedicated owner.

• Autofix and AI noise filtering are helpful but still evolving; effectiveness varies by language and codebase, and some teams remain cautious about applying fixes automatically.

Deepam .
D
Security Engineer
Enterprise (> 1000 emp.)
"Semgrep Review"
What do you like best about Semgrep?

Semgrep is one of the best tools I've used for securing applications. Since it was integrated into our DevSecOps workflow, it has been able to identify a large number of issues much earlier in the development process. Semgrep scans for potentially vulnerable packages or outdated software versions within the codebase and accurately identifies the relevant CVEs. It also provides clear information about the impact and suggests the appropriate remediation steps, so developers don't need to search online for solutions.

I've found it particularly effective at detecting hardcoded secrets, even those that other tools like Trufflehog might miss. Semgrep Supply Chain also does an excellent job of pinpointing vulnerable software versions.

Overall, I consider Semgrep essential for securing CI/CD pipelines in today's environment.

What do you dislike about Semgrep?

Nothing as such. It works out very well with all functionalities.

Ivo M.
IM
Junior Information Security Analyst
Enterprise (> 1000 emp.)
"Fast, reliable, and developer-friendly static analysis tool"
What do you like best about Semgrep?

Semgrep is lightweight, very fast compared to traditional SAST tools, and integrates smoothly into CI/CD pipelines. I like that it has a strong rule ecosystem (community and Pro rules), and the ability to write custom rules makes it flexible for different coding standards and compliance needs. The dashboard provides great visibility into security findings and code quality issues, helping developers fix problems quickly without slowing them down.

What do you dislike about Semgrep?

The initial setup for more advanced use cases can be tricky, especially when fine-tuning custom rules or managing large rule sets across multiple projects. Sometimes, there are false positives that require manual triage, and the learning curve for rule writing is a bit steep for newcomers. I would also like to see deeper integrations with more enterprise security platforms out-of-the-box.

Verified User in Manufacturing
UM
Enterprise (> 1000 emp.)
"Powerful, Customizable Static Analysis with Fast Scans—Some Learning Curve and Tuning Needed"
What do you like best about Semgrep?

Semgrep is a static analysis tool that enables developers to create custom rules using an intuitive pattern-matching syntax, which closely mirrors the code being reviewed. It offers support for a variety of programming languages, including Python, JavaScript, Java, and Go, among others. With Semgrep, users can identify security vulnerabilities, address code quality concerns, and enforce coding standards effectively. Many developers value its seamless integration with CI/CD pipelines, the ability to run scans locally during development, and the flexibility to craft rules tailored to their organization's codebase. The tool is known for its rapid scanning capabilities and lower false positive rates when compared to more traditional static analysis solutions. Additionally, Semgrep is available in both open-source and commercial versions, with advanced features such as centralized rule management and options for team collaboration.

What do you dislike about Semgrep?

Static analysis tools can present certain limitations, such as generating false positives that must be manually reviewed. They may also struggle to identify complex runtime vulnerabilities or logic flaws that only become apparent during execution. Maintaining and tuning rules to keep up with evolving codebases is an ongoing requirement. Some users note that creating custom rules involves a learning curve, particularly when mastering the pattern-matching syntax. Comprehensive scans of large codebases can also affect CI/CD pipeline performance. While these tools are strong in pattern matching, they might overlook context-dependent vulnerabilities that require more advanced semantic analysis. As a result, teams often need to dedicate time to configuring rules in order to minimize noise and prioritize findings relevant to their specific technology stack.

Verified User in Manufacturing
UM
Small-Business (50 or fewer emp.)
"Fast, Accurate, and Seamless Integration with GitHub"
What do you like best about Semgrep?

The feedback is fast and actionable, which makes it easy to address issues quickly. I also appreciate the reduced number of false positives, as it saves time and effort. Integration with GitHub and Actions is seamless, making the workflow smooth. The accuracy is high, and the support for a wide range of languages is another strong point.

What do you dislike about Semgrep?

Semgrep is quite narrowly focused, concentrating primarily on security and lacking built-in scanning capabilities for other important areas such as secrets detection, infrastructure as code, or container security. There is also a learning curve to consider; crafting effective and custom rules demands a certain level of expertise, which can be particularly challenging when dealing with more complex vulnerabilities. Additionally, Semgrep on its own provides limited context, so without supplementary tools, it can be difficult to determine if a vulnerability is truly exploitable or reachable at runtime. This limitation can make it harder to properly prioritize issues.

Verified User in Information Technology and Services
UI
Enterprise (> 1000 emp.)
"Semgrep: A Powerful and Customizable SAST Solution"
What do you like best about Semgrep?

The most significant advantage of Semgrep is its highly customizable rule engine and ease of rule writing. The ability to define custom rules in YAML, tailored to specific codebases and threat models, sets it apart from many other SAST solutions. This flexibility allows for precise detection of custom vulnerabilities and adherence to specific coding standards. Its lightweight nature and rapid execution in CI/CD pipelines are also highly beneficial, enabling fast feedback loops without significantly impacting build times. Furthermore, the open-source core provides transparency and allows for community contributions and audits of the rule execution. The reachability analysis in Semgrep Supply Chain is also a standout feature, significantly reducing false positives by focusing on truly exploitable vulnerabilities within third-party components.

What do you dislike about Semgrep?

While Semgrep excels in static analysis, its narrow focus can be a limitation for organizations seeking a comprehensive application security platform. It does not natively offer integrated scanning for secrets, Infrastructure as Code (IaC), containers, or CI/CD posture, necessitating the use of additional tools for broader coverage. The initial tuning required to reduce false positives and optimize rule sets can also be an upfront investment, especially for new users or complex projects. Finally, while rule writing is a strength, the learning curve for advanced rule creation can be steep for those new to the tool or static analysis in general. The lack of robust, built-in reporting features and export options for detailed vulnerability analysis is also a notable drawback.

Nagaraju A.
NA
Delivery Manager
"Easy to Use with Great Functional Testing Capabilities"
What do you like best about Semgrep?

I appreciate how Semgrep excels in validating and QA testing capabilities, showing good efficacy in performing these tasks. The ease of use is particularly notable, requiring less scripting compared to other alternatives, and the initial setup process was straightforward and effortless. I value its functionality in conducting functional testing, which simplifies my tasks significantly. The test case design and resulting outcomes are particularly pleasing, enhancing my testing process. Whenever I encounter issues that other tools cannot resolve, Semgrep becomes an indispensable resource, allowing me to progress by utilizing its features effectively. Overall, I find Semgrep a worthy exploration for its functionality and user-friendly approach.

What do you dislike about Semgrep?

Nothing.

MA
Product Owner
Enterprise (> 1000 emp.)
"Great Experience, But UI Could Be More User-Friendly"
What do you like best about Semgrep?

Semgrep is one of the super easy and most lightweight tools for detecting security vulnerabilities in our codebase. It also enables us to scan our local repositories and can be integrated with our CI/CD pipeline to provide continuous code scanning. We prefer using it with almost all of our applications to feel more confident.

What do you dislike about Semgrep?

There isn't much to complain about, but I do think the user interface could be cleaner and more user-friendly.

AJ
Engineering manager-DevOps
Enterprise (> 1000 emp.)
"Effortless Code Scanning—Much Easier Than Our Old Tool"
What do you like best about Semgrep?

It's a very user-friendly tool for scanning code repositories, and I find it much easier to use compared to our previous Checkmarx scan.

It's quite easy to integrate with our existing code repository, and results can also be filtered based on need.

What do you dislike about Semgrep?

Since we have only recently started using this tool, there is nothing we dislike about it so far.

Semgrep Comparisons

SonarQube
Snyk
OpenText Static Application Security Testing

Semgrep Features
API / Integrations
Reporting and Analytics
Issue Tracking
Static Code Analysis
Command-Line Tools
Detection Rate
False Positives
Transparency