About

  • Free open-source static code analysis tool.

  • Rules are written in YAML and contain one or more patterns.

  • Stable support for the following languages:

    • Go

    • Java

    • JavaScript

    • JSON

    • Python

    • Ruby

    • TypeScript

    • JSX

    • TSX

  • Experimental support for the following languages:

    • OCaml

    • PHP

    • C

    • YAML

    • Generic (ERB, Jinja, etc.)

  • Compared to CodeQL, Semgrep does not require the project's codebase to be compiled into a database first. While this makes it easier to work with certain projects, such as decompiled closed-source Java projects, it is not nearly as powerful as CodeQL when it comes to data flow analysis.

  • Semgrep can be thought of as grep on steroids with a few bonus functionalities such as autofix (which can be powerful when Semgrep is run in a CI pipeline).
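As an added example (not from the original page), the rule below shows the YAML shape described above: a rule id, a metavariable (`$DATA`), an ellipsis for "any further arguments", a `pattern-not` exclusion, and a `fix` that the autofix feature applies. The rule id, message and the choice of `yaml.load` as the flagged API are my own; the rule keys themselves are standard Semgrep syntax.

```yaml
# Example rule (added here, not from the original page): flag PyYAML
# yaml.load() calls that do not use SafeLoader and offer safe_load() as the fix.
#
# Constructed sample target, as Python code in a file such as app.py:
#   cfg = yaml.load(request_body)                          # matched, fixed
#   cfg = yaml.load(request_body, Loader=yaml.Loader)      # matched, fixed
#   cfg = yaml.load(request_body, Loader=yaml.SafeLoader)  # excluded
#
# Run:      semgrep --config unsafe-yaml-load.yaml app.py
# Autofix:  semgrep --config unsafe-yaml-load.yaml --autofix app.py
rules:
  - id: example-unsafe-yaml-load
    languages: [python]
    severity: WARNING
    message: >-
      yaml.load() without SafeLoader can instantiate arbitrary Python objects
      from untrusted YAML. Use yaml.safe_load() instead.
    patterns:
      # $DATA binds the first argument; "..." matches any trailing arguments,
      # so both yaml.load(x) and yaml.load(x, Loader=yaml.Loader) match.
      - pattern: yaml.load($DATA, ...)
      # Exclude calls that already pass the safe loader explicitly.
      - pattern-not: yaml.load($DATA, Loader=yaml.SafeLoader)
      - pattern-not: yaml.load($DATA, Loader=yaml.CSafeLoader)
    # Autofix rewrites the matched call, reusing the bound metavariable.
    fix: yaml.safe_load($DATA)
    metadata:
      category: security
      cwe: "CWE-502: Deserialization of Untrusted Data"
```

Without `--autofix`, Semgrep only reports the findings and shows the proposed replacement, which is the mode to use when reviewing a rule before wiring it into CI.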
