As we use Semgrep for secret scanning, I know it is an open-source tool. Oftentimes, that leads to the refinement of the engine, but oftentimes Semgrep ends up flagging a lot of false positive values. If the name of a variable or any text in the code has the word secret in it, then it flags it as a secret violation or as a secret finding, which may not be the case. It might just be a false positive. It might just be a variable called secret but may not contain a value that is actually secret information. Of course, there are a bunch of additions and improvements that can be done on Semgrep, but it is an open-source tool. I have at least used the open-source version of it. Of course, that comes only with the CLI. The UI and additional dashboarding and other details would definitely make the tool more user-friendly and more of a candidate to be implemented in an enterprise such as the one that I work for. I have not seen any other areas where Semgrep could be improved, aside from the false positives and dashboarding mentioned earlier.
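The false-positive pattern described in the review above (a variable merely named `secret` is flagged regardless of what it holds) can be reduced by pairing the name-based trigger with a check on the assigned value. The following Python script is an added illustration of that idea and is not code from the reviewer, from Semgrep, or from the Semgrep rule registry; the sample lines, the name regex, the placeholder list, and the entropy and length thresholds are all constructed assumptions for the demonstration.

```python
import math
import re
from collections import Counter

# Constructed sample source lines (not taken from any real code base).
SAMPLE_LINES = [
    'secret_name = "database-secret"',                    # secret-ish name, value is just a label
    'client_secret = os.environ["CLIENT_SECRET"]',        # secret-ish name, no literal assigned
    'api_secret = "sk_live_9aK3pQ7xZ2mN8vB4cD6eF1gH"',   # secret-ish name, value looks like key material
    'SECRET_KEY = "changeme"',                            # secret-ish name, well-known placeholder
    'timeout_seconds = "30"',                             # unrelated assignment
]

# Hypothetical name-based trigger, similar in spirit to the matching the review describes.
NAME_RE = re.compile(r"(secret|passw(or)?d|token|api_?key)", re.IGNORECASE)
# identifier = "literal"  or  identifier = 'literal'
ASSIGN_RE = re.compile(r"""^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(["'])(.*?)\2\s*$""")
LHS_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=")
# Assumed list of values that are never real secrets.
PLACEHOLDERS = {"", "changeme", "password", "secret", "xxx", "todo",
                "example", "dummy", "placeholder", "redacted"}
MIN_LEN = 16        # assumption: real key material is rarely shorter
MIN_ENTROPY = 3.5   # assumption: bits per character; tune per code base


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def classify(line):
    """Return a dict with the identifier and a decision for one source line.

    Decisions: skip (no secret-ish identifier), no-literal (secret-ish name but the
    value is not a string literal), placeholder, low-entropy, finding.
    """
    m = ASSIGN_RE.match(line)
    if not m:
        lhs = LHS_RE.match(line)
        if not lhs or not NAME_RE.search(lhs.group(1)):
            return {"line": line, "name": None, "decision": "skip"}
        return {"line": line, "name": lhs.group(1), "decision": "no-literal"}
    name, value = m.group(1), m.group(3)
    if not NAME_RE.search(name):
        return {"line": line, "name": name, "decision": "skip"}
    if value.strip().lower() in PLACEHOLDERS:
        return {"line": line, "name": name, "decision": "placeholder"}
    if len(value) < MIN_LEN or shannon_entropy(value) < MIN_ENTROPY:
        return {"line": line, "name": name, "decision": "low-entropy"}
    return {"line": line, "name": name, "decision": "finding"}


def scan(lines):
    """Classify every line; useful for reviewing what was suppressed and why."""
    return [classify(line) for line in lines]


def findings(lines):
    """Only the lines that survive the value checks, i.e. what a triager should see."""
    return [r for r in scan(lines) if r["decision"] == "finding"]


if __name__ == "__main__":
    for r in scan(SAMPLE_LINES):
        print(f"{r['decision']:<12} {r['line']}")
```

Running the script shows only `api_secret` surviving as a finding; the label, the environment lookup, and the placeholder are kept in the output with the reason they were suppressed, so a triager can audit the filter rather than trust it blindly. Semgrep rules can express a comparable value constraint on the matched metavariable with `metavariable-regex` (and, in newer versions, `metavariable-analysis` with the `entropy` analyzer) instead of matching on the identifier alone.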
The coverage of Semgrep could be a bit better, as there are other tools that are more specialized in other areas of security. Semgrep as an SCA tool is adequate, but if you want to use some other parts of it, you get a high price tag. More advanced dependency analysis features in the SCA part and deeper vulnerability databases would be beneficial. Semgrep is mostly used because it is considered an industry standard, and many of our customers use Semgrep, so they expect us to use it as well. However, as a tool it is really complex to maintain and to use, and it has a huge price tag.
I have consistently observed that their scan time is an issue for mono repos. Sometimes with their AI-based scanning, when you triage that scan, the scan never completes or finishes, which makes it difficult. Another consistent issue is that whenever you have a new repo to onboard to the platform, the tool ideally should detect the master branch by default. However, sometimes the tool fails to identify it and will never scan it unless somebody manually looks into it and fixes the issue. Although their support team is really good, this issue was present six or eight months ago during the POC and is still present now. If it is affecting multiple customers, it should be prioritized and fixed. I would say that their integration aspects could have been improved. I see a lot of different security solutions that provide flexibility to the security teams based on Jira project, team divisions, Slack, and all those can be very much easily customized. Semgrep needs to work on the enhancement of their notification capabilities. Currently, they are working on identifying business logic vulnerabilities or privilege escalation vulnerabilities by looking at the code, and they should continue to focus on and improve this effort. Regarding stability, whenever you have a mono-repo which is a very large repository, the scan never finishes or the scan never kicks in. At that time, you have to reach out to the support team and ask them to expand the resources in the back end to fix it. This is an issue I keep seeing often on that platform.
Find out what your peers are saying about Semgrep, SonarSource Sàrl, Snyk and others in Static Application Security Testing (SAST). Updated: May 2026.
Static Application Security Testing provides tools to identify vulnerabilities in code early in the development cycle, improving security and minimizing risk exposure. SAST focuses on analyzing source code, binaries, or bytecode to detect issues like SQL injection, buffer overflows, and cross-site scripting. This proactive approach enables developers to remediate potential security flaws before applications are deployed. The solution integrates seamlessly with existing CI/CD pipelines,...
There should be more information on how to acquire the system, catering to beginners in application security, to make it more user-friendly.