Semgrep Reviews

I have been working with Semgrep for almost a year, approximately six to eight months on and off. In my current organization, I have a strong experience for SAST solution POCs, and I have conducted POCs for Semgrep, Checkmarx, Snyk, and SonarQube to evaluate SAST capabilities.

Our primary use case for Semgrep is to identify static code vulnerabilities and SAST vulnerabilities. Every other organization or vendor claims to offer this capability, but Semgrep is built differently compared to all these traditional tools. I have almost a decade of experience using various SAST tools, and Semgrep not only looks at particular code but understands the entire code to get context around whether an issue is real or not through context analysis.

One of the primary use case for us is also the shift-left approach, which means improving our developer experience. Our developers do not want to wait until they commit changes to GitHub or build it. They want synchronous feedback directly within their IDE. Semgrep provides an IDE integration and also supports MCP gateway. Additionally, secrets scanning is another important use case for us.

The seamless integration of Semgrep into our existing platform is what I really appreciate. It is very easy, I was able to integrate and onboard it in just 10 to 15 minutes. This is in stark contrast to dealing with different SAST tools about integration across thousands of repos.

Another great feature is that Semgrep greatly reduces the noise compared to other SAST tools. After scanning through the codebase and understanding it, Semgrep has a capability called AI analysis or AI triage. When you triage with AI, it gathers context around the finding and reduces the noise about 80 to 90 percent of the time, asking you to focus only on findings that really matter.

Another excellent experience I had with Semgrep is when there was a finding that AI was not able to correctly diagnose or identify whether it was an actual finding or not. It reported it as a vulnerability, but when I verified it as a security engineer, I determined it was not a vulnerability in our case because we have compensatory controls in place. When I indicate this, Semgrep asks if it can apply the same logic to other similar findings. With a single click, it reduces a lot of noise for me, saving a huge amount of my time and effort.

The results are also impressive. Most solutions identify a static query like raw SQL and simply say there is a SQL injection that is critical. Semgrep, however, looks into the query file and understands the context. It recognizes that this is a SQL query without any user input or database migration script, and it assigns appropriate risk. This intelligent capability of Semgrep is what impressed me.

Semgrep will easily fit into the ecosystem you are building or the ecosystem you are working with. It is going to increase the developer experience in terms of how easily developers are able to understand the findings. It will also increase the security posture because developers are easily able to understand and fix those findings. Overall, the application security posture and the relationship between the development community and the security engineering will improve because Semgrep integrates so seamlessly and functions very smoothly.

I have consistently observed that their scan time is an issue for mono repos. Sometimes with their AI-based scanning, when you triage that scan, the scan never completes or finishes(, which makes it difficult. Another consistent issue is that whenever you have a new repo to onboard to the platform, the tool ideally should detect the master branch by default. However, sometimes the tool fails to identify it and will never scan it unless manually somebody looks into it and fixes the issue. Although their support team is really good, this issue was present six or eight months ago during the POC and is still present now. If it is affecting multiple customers, it should be prioritized and fixed.

I would say that their integration aspects could have been improved. I see a lot of different security solutions that provide flexibility to the security teams based on Jira project, team divisions, Slack, and all those can be very much easily customized. Semgrep needs to work on the enhancement of their notification capabilities. Currently, they are working on identifying business logic vulnerabilities or privilege escalation vulnerabilities by looking at the code, and they should continue to focus on and improve this effort.

Regarding stability, whenever you have a mono-repo which is a very large repository, the scan never finishes or the scan never kicks in. At that time, you have to reach out to the support team and ask them to expand the resources in the back end to fix it. This is an issue I keep seeing often on that platform.

I have been working with Semgrep on and off for almost a year, approximately six to eight months.

I have consistently observed that their scan time is an issue. Sometimes with their AI-based scanning, when you triage that scan, the scan never completes or finishes, which makes it difficult. Another consistent issue is that whenever you have a new repo to onboard to the platform, the tool ideally should detect the master branch by default. However, if there is no master branch or default branch, the tool fails to identify it and will never scan it unless manually somebody looks into it and fixes the issue. Although their support team is really good, this issue was present six or eight months ago during the POC and is still present now. If it is affecting multiple customers, it should be prioritized and fixed.

I would say that their integration aspects could have been improved. I see a lot of different security solutions that provide flexibility to the security teams based on Jira project, team divisions, Slack, and all those can be very much easily customized. Semgrep needs to work on the enhancement of their notification capabilities. Currently, they are working on identifying business logic vulnerabilities or privilege escalation vulnerabilities by looking at the code, and they should continue to focus on and improve this effort.

Regarding stability, whenever you have a mono-repo which is a very large repository, the scan never finishes or the scan never kicks in. At that time, you have to reach out to the support team and ask them to expand the resources in the back end to fix it. This is an issue I keep seeing often on that platform.

It is very easy to scale. When you say scaling, that means the number of users or organizations you need to onboard. I was able to control it from 10 repositories or 10 services to thousands of repositories in a couple of minutes very simply. They could potentially add some enhancements, but the platform is very much easily scalable.

You should primarily focus on what your use case is and why you are moving out. If you are moving out just from the perspective of cost, I do not think Semgrep is the best solution for you. However, if you are looking for value for investment and want to have the complete visibility into your code with less noise, if you are not just looking for a SAST but are really looking for actionable results and want to improve your developer experience and feedback, then you should go for Semgrep. In my organization, it is not only me who selects the solution; I bring in developers from junior and senior levels of all experience and ask them to take a hands-on experience and give me feedback. If you want to improve the developer experience, then go for Semgrep.

Compared to other competitors in the market, the AI-backed capability is the biggest strength of Semgrep. The seamless integration is another major advantage because I have done it for a few other solutions, some of which are extremely difficult and some are okay, but the Semgrep integration with the code repository was the smoothest. The quality of results and reduction in noise are also strengths compared to other competitors. Semgrep also has a great strength in the number of rule sets they have compared to all other vendors. While all other vendors have very limited numbers even though they claim to be enterprise, their community edition itself has close to 4,000 rules and the enterprise edition has around 20,000 rules. That is a really strong advantage.

As for limitations, I would say that Semgrep currently just supports Jira and Slack for integrations. They should expand to different integrations like ServiceNow and other CNAP and CSPM solutions where all results can be brought into one place.

I would rate this review an 8 out of 10.

My main use case is to perform SAST, static application security testing. I have been using it for the last 10 months. Initially, I was planning to use it just for the code review part so that developers can get secure code. However, it can also be integrated in CI/CD pipelines and other tools, which makes it robust.

I deployed Semgrep with my development team in their IDEs, such as VS Code and other notebook tools that my developers use. Semgrep helps to identify code-level issues, such as the possibility of SQL injection, XSS, or hard-coded values. It initially triggers alerts and shows which aspects are not correct and need correction.

First, it is very easy to use. It has customization features that allow me to customize it to find particular types of vulnerabilities that I am looking for. There is scanning efficiency which allows for rapid issue detection early in the development process. The customizable rule engine is the best thing because I can customize it according to my needs.

I can customize my rules according to my needs. The YAML file is easy to write. A person with good basic knowledge of coding can generate custom rules particular to the type of vulnerability they are targeting. Therefore, it is customizable.

The feature is easy to use, saves a lot of time, and is streamlined in nature. That is the best aspect.

It has helped my code review part significantly. It saves around two to three hours per day of going through each line of code to find mistakes and identify issues that are present at the code level. Code review is a tedious task for any security engineer or developer to do, so it helps tremendously while reviewing code.

By avoiding these tedious tasks, my team gets to focus on other important tasks that are required. Sometimes there are urgent tasks that need to be done before code reviews can be completed. The time I save is utilized elsewhere, which effectively benefits my team.

Semgrep can be improved by making it more user-friendly. There are tools in the market, such as Aqua Security, that have features worth utilizing. However, there are some comprehensive scanning capabilities which I feel Semgrep lacks. For code-level review, it is very good.

I have been using Semgrep for around nine to 10 months for detection of security flaws in the code.

It is stable in nature.

It is also good. I can scale it for small to large-scale teams. I can use it with a small number of people or a large-sized team.

Customer support is good because I have not needed much customer support until now, which is very good. I think that is a good part. Their documentation and community are very active, so most of the time when problems occur, I get a solution.

I have used SonarQube. However, the results of Semgrep are much better. I compared them both, so I switched to Semgrep only, and it works very well. I do not have to pay any licensing fee or anything like that. It has been good to work with Semgrep.

I evaluated a tool such as SonarQube, which is in the market and is also open-source. However, the results provided by Semgrep are much more effective and efficient with fewer false positives. The number of true positives is higher, which effectively saves time from checking whether false positives are right or wrong.

The accuracy I would rate at 85 to 90%. Sometimes it gives false positives, but compared to its peers, it is better.

At a team level, I can say that per day I save around two hours, which can result in eight hours a week. Monthly, I save around 30 to 35 hours because of this.

The best case is that it solves a lot of things, and for the vulnerabilities that will arise in the future, I solve them at the initial stage.

It is basically open-source, so the cost to set up is no cost.

If you are looking for an open-source tool that can perform SAST in your environment and you are a technical person with a team that can grasp new technologies in a short period of time, then you can use Semgrep directly to perform SAST and code reviews at the development level. Early detection of security issues and bugs can be fixed.

It streamlines with the governance and compliance of the country where the company operates. It follows GDPR guidelines and EU guidelines. In India, I follow certain guidelines, so it also passes that criteria to go through those guidelines and follow the restrictions and suggestions provided at a national level. I would rate this review an 8 out of 10.

My main use case for Semgrep is as a SAST tool. Since I work with code directly, I use it to scan the code for vulnerabilities and relay information to developers so they can address any issues. This approach ensures I maintain a security focus as a DevOps person, which is crucial.

Semgrep fits into my workflow by allowing me to scan code and ensure there are no breaches before running it in containers.

The best feature of Semgrep is its ability to highlight high priority issues during scanning, making it critical for developers to address these vulnerabilities promptly. This seamless process enhances efficiency and expedites issue resolution within our systems.

I find Semgrep's user-friendliness valuable, allowing me to run scans easily with simple commands, which clearly indicate vulnerabilities and their priority levels, effectively meeting my needs.

When receiving high-priority findings, I act as a DevOps person who incorporates security into my culture by notifying developers about issues I find and urging them to check the code. I advocate that all developers have Semgrep installed on their laptops, ensuring they avoid pushing vulnerable code.

The impact of Semgrep on my organization includes the recommendation I made as an external consultant to incorporate it into projects. It is easy for developers to use and helps monitor our security posture by scanning code before production pushes.

Since implementing Semgrep, I have noticed significant outcomes. For example, I can resolve vulnerabilities that previously took four days in under a day, saving both time and money, thus enhancing our return on investment.

Semgrep needs ongoing improvements, and gathering user feedback will help enhance its effectiveness and provide better solutions globally.

I suggest improving documentation and integrating agentic AI to help users get quicker answers to security problems when scanning.

That first use was in 2022, so that is about four years now, and I continue to use Semgrep on my MacBook, finding it very useful, and I still recommend it to developers.

Semgrep is absolutely stable.

Semgrep's scalability is impressive, being designed as cloud-native and cloud-agnostic, making it easy to integrate and grow within any environment without concern for crashes.

I have not contacted Semgrep's customer service because their documentation usually provides solutions for my inquiries.

I have not used any solution prior to Semgrep.

I find Semgrep's pricing and setup reasonable and recommended its installation for developers to facilitate code scanning and avoid vulnerabilities.

The return on investment from using Semgrep is evident as I save time and money. For example, tasks that previously took days are completed in significantly less time, enabling faster business responses and improved profit margins.

I did not evaluate other options before choosing Semgrep. I found it through an online review and decided to try it based on that.

My advice for others considering Semgrep is to adopt it, as it stands out in the open-source market and shows solid growth. You can trust it based on its innovative developments.

I believe Semgrep will scale effectively with the rise of agentic AI and security needs, leading to broader adoption among companies. Sharing wins at open-source conferences will help demonstrate its potential impact.

I rate this review an 8.

I have used Semgrep more as a testing and a POC tool. So, there is no consistent usage of Semgrep, but I have used the tool multiple times for POC purposes.

As a DevSecOps Security Engineer, my main use case for Semgrep when I do use it for POCs or testing is to deal with SAST, secret scanning, and types of testing, white-box testing, AppSec, and those types of activities. Semgrep is a tool for that. Hence, when we perform POCs and try to understand what it is providing for such different types of scanning, Semgrep turns out to be useful in setting benchmarks.

Even if we mainly use Semgrep for POCs, it has positively impacted our organization. So when we are in the process of identifying new tools or trying to understand how to improve our existing tools, that is where Semgrep comes in handy.

As a result of using Semgrep, it helped us compare tools more effectively. It helped us understand what are the expected must-haves of a tool in this domain. That way, other tools that were not even offering these were easily left out because Semgrep is an open-source tool, and when we are trying to acquire paid tools, it is almost definite they should be offering capabilities at least that an open-source tool is offering.

Semgrep flourishes with the SAST, secret scanning, and Software Composition Analysis types of scanning. That is where Semgrep shines. With SCA, it helps find vulnerabilities, SAST weaknesses, and secrets. These are three existing services that are there in my enterprise, and we have other tools that perform the same. Semgrep, as I said, helps us benchmark that while running POCs.

The Software Composition Analysis is the most valuable feature in Semgrep.

As we use Semgrep for secret scanning, I know it is an open-source tool. Oftentimes, that leads to the refinement of the engine, but oftentimes Semgrep ends up flagging a lot of false positive values. If the name of a variable or any text in the code has the word secret in it, then it flags it as a secret violation or as a secret finding, which may not be the case. It might just be a false positive. It might just be a variable called secret but may not contain a value that is actually secret information.

Of course, there are a bunch of additions and improvements that can be done on Semgrep, but it is an open-source tool. I have at least used the open-source version of it. Of course, that comes only with the CLI. The UI and additional dashboarding and other details would definitely make the tool more user-friendly and more of a candidate to be implemented in an enterprise such as the one that I work for. I have not seen any other areas where Semgrep could be improved, aside from the false positives and dashboarding mentioned earlier.

I give Semgrep a six out of 10 simply because there are other tools that are better than this out there. This is an open-source tool, so it absolutely does the job, but if you were to implement a tool such as this in an enterprise, this would probably not be scalable.

My advice to others looking into using Semgrep is to keep in mind that this is an open-source tool. I gave Semgrep an overall rating of 6.5 out of 10.

I use Semgrep mainly for its software composition analysis capabilities to identify vulnerabilities in dependencies used in our applications. Every time a new feature is developed or a new version of an application is released, it is run against Semgrep using our CI/CD pipelines to identify any new vulnerabilities.

The best part of Semgrep is its ease of integration with CI/CD pipelines and how it is a developer-friendly tool. The interface is really focused on presenting developers what needs to be done, what vulnerabilities have been found, and what packages are affected. Whenever a developer enters the application, they do not need much context because it is really clear what needs to be done based on what the application shows.

Semgrep removes a lot of stress from the product security team since there is now an automated way of checking for vulnerabilities in our software. It has reduced manual work and saved a lot of time since containers no longer need to be manually checked with Semgrep, and we do not even need to check whenever there is a new version. In our automated pipelines, every time there is a new version, the containers get scanned and if something critical or high is detected, we are automatically notified.

Semgrep is scalable and works well across multiple repositories and projects, especially when integrated with CI/CD pipelines as is our case.

The coverage of Semgrep could be a bit better, as there are other tools that are more specialized in other areas of security. Semgrep as an SCA tool is adequate, but if you want to use some other parts of it, you get a high price tag. More advanced dependency analysis features in the SCA part and deeper vulnerability databases would be beneficial.

Semgrep is mostly used because it is considered an industry standard, and many of our customers use Semgrep, so they expect us to use it as well. However, as a tool it is really complex to maintain and to use, and it has a huge price tag.

I have used Semgrep for one year.

There have been no stability issues.

There have been no scalability issues.

Customer support is really good and there is also strong community support.

Trivy was previously used, and the switch to Semgrep was made basically because it is the tool that our customers expect us to use.

The setup was quite straightforward and the pricing model is quite flexible. The setup at the beginning was quick, and our pipelines were managed to be running easy enough and fast enough.

Although there are no metrics available, an improvement in efficiency has been seen since manual labor is not required as much as before. This can be translated to being able to do the same amount of work with less technicians.

Semgrep is considered an alternate solution to other tools.

The first thing you need to do is to integrate Semgrep with your CI/CD pipelines and once they are running, invest time in reading documentation and getting yourself familiar with all of the products offered and all of the capabilities available. Semgrep was found through the peer link navigator that was provided via a LinkedIn message. The overall review rating for this product is 6 out of 10.

We use Semgrep to check custom user pipelines and test their claims for any vulnerabilities. We process the code by passing it through the testing process for any operability issues before sending feedback to the developers and providing the final product. This is part of the static testing analysis of code analysis.

Semgrep has supported our team in automating code reviews and allowed us to catch vulnerabilities before the final product stage. This has improved both our development cost and development speed.

The most valuable feature is the ability to write our custom rules. This adaptability allows us to cater specifically to our needs.

There should be more information on how to acquire the system, catering to beginners in application security, to make it more user-friendly.

My experience with Semgrep is very recent since we started integrating it into our processes.

There haven't been any severe stability issues from my end.

We have not faced any scalability issues. Since we are a team of only two users, Semgrep scales well for our current requirements.

There was some difficulty in hearing the questions due to static noise, implying potential issues with communication or support on the call. However, rejoining the call resolved the problem.

Positive

We did not switch from another product to Semgrep.

The initial setup was straightforward, involving connecting the digital product to Semgrep. I am mainly involved in the usage aspect, and thus, I provided information from my perspective.

We handled the setup internally within our team, and I particularly addressed it.

Semgrep has positively impacted our ROI by improving development speed and cost efficiency.

I'd rate the solution eight out of ten.