Skip to main content
    Semgrep themed logoSemgrep themed logo

    Semgrep docs

    Find bugs and reachable dependency vulnerabilities in code. Enforce your code standards on every commit.

    Scan with Semgrep AppSec Platform

    Deploy static application security testing (SAST), software composition analysis (SCA), and secrets scans from one platform.

    Image
    Get started

    Run your first Semgrep scan.

    Image
    Deploy Semgrep

    Deploy Semgrep to your organization quickly and at scale.

    Image
    Triage and remediate

    Triage and remediate findings; fine-tune guardrails for developers.

    Image
    Write rules

    Enforce your organization’s coding standards with custom rules.

    Supported languages

    ProductLanguages
    Semgrep CodeGenerally available (GA)
    C and C++ • C# • Generic • Go • Java • JavaScript • JSON • Kotlin • Python • TypeScript • Ruby • Rust • JSX • PHP • Scala • Swift • Terraform

    Beta
    APEX • Elixir

    Experimental
    Bash • Cairo • Circom • Clojure • Dart • Dockerfile • Hack • HTML • Jsonnet • Julia • Lisp • Lua • Move on Aptos • Move on Sui • OCaml• R • Scheme • Solidity • YAML • XML
    Semgrep Supply ChainGenerally available reachability
    C# • Go • Java • JavaScript and TypeScript • Kotlin • PHP • Python • Ruby • Scala • Swift

    Languages without support for reachability analysis
    Dart • Elixir • Rust
    Semgrep SecretsLanguage-agnostic; can detect 630+ types of credentials or keys.

    See the Supported languages documentation for more details.

    February 2026 release notes summary

    • MCP:
      • Hooks for both Claude Code and Cursor now pull custom rules from the Semgrep Registry.
      • Enabled DNS rebinding protection for the MCP server.
    • Improved the accuracy of taint tracking through assignments, which helps reduce the number of false positive findings.
    • Added support for case-insensitive string comparisons using lower() and upper(): 
      - metavariable-comparison:
          metavariable: $VALUE
          comparison: upper(str($VALUE)) == "SEMGREP"
    • You can now pass environmental variables to third-party package managers using SEMGREP_LOCAL_BUILD_ENV, which accepts a JSON object, as part of the dependency resolution process invoked by --allow-local-builds.
    • The feedback dialog for Assistant auto-triage now allows you to provide comments in addition to selecting whether you agree or disagree with the recommendation.
    • Documentation updates and additions:

    See the latest release notes

    Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.