Semgrep

A fast, open-source static analysis tool that uses lightweight pattern matching to find bugs, security vulnerabilities, and anti-patterns across 30+ programming languages.

Developer

Semgrep, Inc.


Technical Dossier

Semgrep is a static analysis engine that sits between simple regex-based linters and heavyweight commercial SAST products. Its core innovation is a pattern syntax that looks like the source code being analysed: a rule for catching Python SQL queries assembled by string formatting reads almost identically to the vulnerable call itself, so developers can author rules without being security specialists. Under the hood, the engine parses each file into a generic AST and matches patterns against it; metavariables such as $QUERY bind to sub-expressions and can be reused within a rule, and `...` stands for any run of code or arguments. On top of plain matching it performs intra-file dataflow analysis, including taint tracking and constant propagation. In the open-source engine this dataflow is intra-procedural; following values across functions and files is the job of the commercial engine.

The open-source CLI (licensed under LGPL 2.1) is built for speed. It analyses each file independently against the parsed AST, needs no build or compilation step, and can restrict a scan to the files changed since a baseline commit, which makes it practical for pre-commit hooks and CI gates on large codebases. With a modest rule set, a scan of roughly 100,000 lines typically completes in under ten seconds; run time grows with the number of rules as well as with lines of code. The community rule registry provides over 5,000 pre-built rules organised by language, framework, and vulnerability class, covering injection flaws, authentication bypasses, cryptographic misuse, insecure deserialization, and framework-specific pitfalls for Django, Flask, Spring, Express, React, and others.

Semgrep’s commercial platform (Semgrep AppSec Platform) adds cross-file and cross-function analysis, managed CI integration, a findings dashboard with triage workflows, and Semgrep Supply Chain for reachability-aware SCA that determines whether a vulnerable dependency function is actually called in your code. The combination of developer-friendly rule syntax, fast execution, and broad language coverage has driven adoption across thousands of organisations, from startups running the open-source CLI to enterprises using the full platform for their AppSec programs.

Pattern-Based Analysis

Write detection rules using code-like patterns rather than complex AST queries — if you can read the language, you can write a rule in minutes.
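The rule syntax described in the dossier and summarised above, as an added example that is not part of the original page and is not a rule from the Semgrep registry: one rules file containing a plain pattern rule (metavariables, `...`, `pattern-either`) and a taint-mode rule (sources, a sanitizer and a sink) for the same bug class. The rule ids, message text and the Flask/DB-API target code quoted in the comments are assumptions made for illustration.

```yaml
rules:
  # --- Rule 1: plain pattern matching ------------------------------------
  # The pattern is written as the Python it should flag. $CURSOR and $ARGS are
  # metavariables that bind to whatever sits in that position; "..." matches
  # any string literal and the trailing ", ..." matches any further arguments.
  - id: example-sql-query-built-by-string-formatting   # hypothetical id
    languages: [python]
    severity: ERROR
    message: >-
      SQL query built with string formatting. Pass values as query parameters
      instead: $CURSOR.execute("... WHERE id = %s", (user_id,))
    metadata:
      cwe: "CWE-89"
    pattern-either:
      - pattern: $CURSOR.execute("..." % $ARGS, ...)
      - pattern: $CURSOR.execute("...".format(...), ...)
      - pattern: $CURSOR.execute(f"...", ...)
    # Flagged:     cursor.execute("SELECT * FROM users WHERE id = %s" % uid)
    # Not flagged: cursor.execute("SELECT * FROM users WHERE id = %s", (uid,))

  # --- Rule 2: intra-file taint tracking ---------------------------------
  # Sources are untrusted request data, the sink is the query argument of
  # execute(), and int() is treated as a sanitizer because its result cannot
  # carry SQL. Semgrep follows the value through intermediate variables inside
  # the function, so this also catches a query assembled over several
  # statements, which the syntactic Rule 1 cannot see.
  - id: example-flask-request-to-sql-sink   # hypothetical id
    languages: [python]
    severity: ERROR
    mode: taint
    message: >-
      Untrusted request data reaches a SQL query. Use query parameters so the
      database driver handles escaping.
    metadata:
      cwe: "CWE-89"
    pattern-sources:
      - pattern: flask.request.args.get(...)
      - pattern: flask.request.form.get(...)
      - pattern: flask.request.get_json(...)
    pattern-sanitizers:
      - pattern: int(...)
    pattern-sinks:
      - patterns:
          - pattern: $CURSOR.execute($QUERY, ...)
          - focus-metavariable: $QUERY
    # Flagged:
    #   uid = request.args.get("id")
    #   q = "SELECT * FROM users WHERE id = " + uid
    #   cursor.execute(q)
    # Not flagged (sanitized): uid = int(request.args.get("id"))
```

Save the file as `rules.yml` and run `semgrep scan --config rules.yml path/to/code` to apply both rules. To regression-test a rule, put the target snippets from the comments into a sibling `rules.py`, mark each expected finding with a `# ruleid: <id>` comment on the line above it and each intentional non-match with `# ok: <id>`, and run `semgrep --test` in that directory; it reports any rule whose findings disagree with the annotations. Note that only Rule 2 survives a refactor that moves the query string into a variable, which is the practical difference between matching syntax and tracking dataflow.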

Fast Feedback

Per-file, intra-file analysis with no build step returns results in seconds even on large monorepos, which suits tight CI feedback loops and IDE integration.

Broad Language Support

Supports 30+ languages including Java, Python, JavaScript, TypeScript, Go, Ruby, C, C++, Kotlin, Swift, Rust, and Terraform HCL.

Community Rule Registry

5,000+ community-contributed rules covering OWASP Top 10, CWE patterns, framework-specific anti-patterns, and security best practices.

Distribution Model

Open Source

Free community edition available.
Enterprise support on request.

Popularity

82 / 100

Deployment Complexity

10 / 100

Technical Difficulty

30 / 100

Languages

30+

Community Rules

5,000+

Scan Speed

~10 s for 100K LOC

License

LGPL 2.1 / commercial