FOSSA vs Semgrep comparison

FOSSA and Semgrep are both solutions in the Software Composition Analysis (SCA) category. FOSSA is ranked #9 with an average rating of 8.0, while Semgrep is ranked #11 with an average rating of 8.0. FOSSA holds a 3.1% mindshare in SCA, compared to Semgrep’s 3.4% mindshare. Additionally, 92% of FOSSA users are willing to recommend the solution, compared to 100% of Semgrep users who would recommend it.

FOSSA

Read 15 FOSSA reviews

1,643 Views
1,577 Comparison Views

92% willing to recommend

Semgrep

Read 2 Semgrep reviews

2,842 Views
938 Comparison Views

100% willing to recommend

FOSSA

Semgrep

Comparison Buyer's Guide

Download the report

Executive Summary

We performed a comparison between FOSSA and Semgrep based on real PeerSpot user reviews.

Find out in this report how the two Software Composition Analysis (SCA) solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI.

To learn more, read our detailed FOSSA vs. Semgrep Report (Updated: December 2025).

Buyer's Guide

FOSSA vs. Semgrep

December 2025

Download the complete report

Helped 881,082 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Categories and Ranking

FOSSA

Ranking in Software Composition Analysis (SCA)

9th

Average Rating

8.6

Reviews Sentiment

7.9

Number of Reviews

Ranking in other categories

No ranking in other categories

Semgrep

Ranking in Software Composition Analysis (SCA)

11th

Average Rating

8.0

Reviews Sentiment

6.5

Number of Reviews

Ranking in other categories

Static Application Security Testing (SAST) (18th), Supply Chain Management Software (3rd), Static Code Analysis (7th)

Mindshare comparison

As of January 2026, in the Software Composition Analysis (SCA) category, the mindshare of FOSSA is 3.1%, down from 3.5% compared to the previous year. The mindshare of Semgrep is 3.4%, up from 2.0% compared to the previous year. It is calculated based on PeerSpot user engagement data.

Software Composition Analysis (SCA) Market Share Distribution
Product	Market Share (%)
FOSSA	3.1%
Semgrep	3.4%
Other	93.5%

Software Composition Analysis (SCA)

Featured Reviews

reviewer2588340

Senior Software Engineer at a manufacturing company with 10,001+ employees

Dependency management enhanced with update suggestions but lacks precise vulnerability tracking

FOSSA does not show the exact line of code with vulnerabilities, which adds time to the process as we have to locate these manually. Some other tools like Check Point or SonarQube provide exact line numbers for bugs. Also, the process in FOSSA can be quite contradicting and not very straightforward for new users.

Read full review

Manjunath Maneppagol

Cloud & Application Security at Sixt SE

Context-aware code analysis has reduced noise and now improves developer experience with actionable security findings

I have consistently observed that their scan time is an issue for mono repos. Sometimes with their AI-based scanning, when you triage that scan, the scan never completes or finishes(, which makes it difficult. Another consistent issue is that whenever you have a new repo to onboard to the platform, the tool ideally should detect the master branch by default. However, sometimes the tool fails to identify it and will never scan it unless manually somebody looks into it and fixes the issue. Although their support team is really good, this issue was present six or eight months ago during the POC and is still present now. If it is affecting multiple customers, it should be prioritized and fixed. I would say that their integration aspects could have been improved. I see a lot of different security solutions that provide flexibility to the security teams based on Jira project, team divisions, Slack, and all those can be very much easily customized. Semgrep needs to work on the enhancement of their notification capabilities. Currently, they are working on identifying business logic vulnerabilities or privilege escalation vulnerabilities by looking at the code, and they should continue to focus on and improve this effort. Regarding stability, whenever you have a mono-repo which is a very large repository, the scan never finishes or the scan never kicks in. At that time, you have to reach out to the support team and ask them to expand the resources in the back end to fix it. This is an issue I keep seeing often on that platform.

Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros

"I am impressed with the tool’s seamless integration and quick results."

"Their CLI tool is very efficient. It does not send your source code over to their servers. It just does fingerprinting. It is also very easy to integrate into software development practices."

"FOSSA suggests solutions for dependency mismatches."

"FOSSA is easy to use and set up, provides relatively accurate results, and doesn't require armies of people to get value from its use."

"The most valuable feature is definitely the ease and speed of integrating into build pipelines, like a Jenkins pipeline or something along those lines. The ease of a new development team coming on board and integrating FOSSA with a new project, or even an existing project, can be done so quickly that it's invaluable and it's easy to ask the developers to use a tool like this. Those developers greatly value the very quick feedback they get on any licensing or security vulnerability issues."

"Policies and identification of open-source licensing issues are the most valuable features. It reduces the time needed to identify open-source software licensing issues."

"What I really need from FOSSA, and it does a really good job of this, is to flag me when there are particular open source licenses that cause me or our legal department concern. It points out where a particular issue is, where it comes from, and the chain that brought it in, which is the most important part to me."

"The scalability is excellent."

More FOSSA pros

"The most valuable feature is the ability to write our custom rules."

"Compared to other competitors in the market, the AI-backed capability is the biggest strength of Semgrep."

Cons

"I would like more customized categories because our company is so big. This is doable for them. They are still in the stages of trying to figure this out since we are one of their biggest companies that they support."

"The solution provides contextualized, actionable, intelligence that alerts us to compliance issues, but there is still a little bit of work to be done on it. One of the issues that I have raised with FOSSA is that when it identifies an issue that is an error, why is it in error? What detail can they give to me? They've improved, but that still needs some work. They could provide more information that helps me to identify the dependencies and then figure out where they originated from."

"One thing that can sometimes be difficult with FOSSA is understanding all that it can do. One of the ways that I've been able to unlock some of those more advanced features is through conversations with the absolutely awesome customer success team at FOSSA, but it has been a little bit difficult to find some of that information separately on my own through FAQs and other information channels that FOSSA has. The improvement is less about the product itself and more about empowering FOSSA customers to know and understand how to unlock its full potential."

"FOSSA does not show the exact line of code with vulnerabilities, which adds time to the process as we have to locate these manually."

"For open-source management, FOSSA's out-of-the-box policy engine is easy to use, but the list of licenses is not as complete as we would like it to be. They should add more open-source licenses to the selection."

"If you have thousands of applications, organizing them all into teams or tags is challenging."

"The technical support has room for improvement."

"Security scanning is an area for improvement. At this point, our experience is that we're only scanning for license information in components, and we're not scanning for security vulnerability information. We don't have access to that data. We use other tools for that. It would be an improvement for us to use one tool instead of two, so that we just have to go through one process instead of two."

More FOSSA cons

"There should be more information on how to acquire the system, catering to beginners in application security, to make it more user-friendly."

"I have consistently observed that their scan time is an issue; sometimes with their AI-based scanning, when you triage that scan, the scan never completes or finishes, which makes it difficult."

Pricing and Cost Advice

"The solution's cost is a five out of ten."

"FOSSA is a fairly priced product. It is not either cheaper or expensive. The pricing lies somewhere in the middle. The solution is worth the money that we are spending to use it."

"Its price is reasonable as compared to the market. It is competitively priced in comparison to other similar solutions on the market. It is also quite affordable in terms of the value that it delivers as compared to its alternative of hiring a team."

"The solution's pricing is good and reasonable because you can literally use a lot of it for free."

"FOSSA is not cheap, but their offering is top-notch. It is very much a "you get what you pay for" scenario. Regardless of the price, I highly recommend FOSSA."

Information not available

See which vendors are best for you

Use our free recommendation engine to learn which Software Composition Analysis (SCA) solutions are best for your needs.

See recommendations

881,082 professionals have used our research since 2012.

Top Industries

By visitors reading reviews

Manufacturing Company

21%

Financial Services Firm

11%

Computer Software Company

Comms Service Provider

Financial Services Firm

17%

Manufacturing Company

12%

Computer Software Company

10%

Comms Service Provider

Company Size

By reviewers

Large Enterprise

Midsize Enterprise

Small Business

By reviewers
Company Size	Count
Small Business	5
Midsize Enterprise	1
Large Enterprise	8

No data available

Questions from the Community

What is your experience regarding pricing and costs for FOSSA?

The solution's pricing is good and reasonable because you can literally use a lot of it for free. You have to pay for the features you need, which I think is fair. If you want to get value for free...

See all answers

What needs improvement with FOSSA?

See all answers

What is your primary use case for FOSSA?

I have worked with FOSSA primarily to manage the dependencies in our projects. For example, if I take a Spring Boot application, FOSSA helps in identifying mismatches or unsupported dependencies th...

See all answers

What needs improvement with Semgrep?

See all answers

What is your primary use case for Semgrep?

I have been working with Semgrep for almost a year, approximately six to eight months on and off. In my current organization, I have a strong experience for SAST solution POCs, and I have conducted...

See all answers

What advice do you have for others considering Semgrep?

You should primarily focus on what your use case is and why you are moving out. If you are moving out just from the perspective of cost, I do not think Semgrep is the best solution for you. However...

See all answers

Comparisons

Black Duck SCA vs FOSSA

Compared 24% of the time

Snyk vs FOSSA

Compared 22% of the time

JFrog Xray vs FOSSA

Compared 10% of the time

Mend.io vs FOSSA

Compared 9% of the time

Sonatype Lifecycle vs FOSSA

Compared 6% of the time

More FOSSA Competitors

SonarQube vs Semgrep

Compared 38% of the time

Veracode vs Semgrep

Compared 5% of the time

Snyk vs Semgrep

Compared 5% of the time

Aikido Security vs Semgrep

Compared 5% of the time

Coverity Static vs Semgrep

Compared 5% of the time

More Semgrep Competitors

Product Reports

Buyer's Guide

FOSSA

January 2026

Download FOSSA product report

Buyer's Guide

Static Application Security Testing (SAST)

January 2026

Download Semgrep product report

Also Known As

No data available

Semgrep Code, Semgrep Supply Chain, Semgrep AppSec Platform

Overview

Up to 90% of any piece of software is from open source, creating countless dependencies and areas of risk to manage. FOSSA is the most reliable automated policy engine for legal teams to maintain license compliance, security to fix vulnerabilities, and engineering to improve code quality across the entire software supply chain. As the only developer-native open source management platform, FOSSA fully integrates with your existing CI/CD pipeline to provide complete visibility and context earlier in the software development lifecycle. For the first time, teams can collaboratively shift left and audit, analyze, control, and remediate license issues and vulnerabilities right in their existing workflows.

FOSSA

Semgrep is an advanced static analysis tool designed to identify vulnerabilities and enforce coding standards, catering primarily to professionals with a focus on enhancing code security and quality.

Engineered for software development environments, Semgrep delivers efficient security feedback with minimal setup. By offering a rich collection of rule sets, it allows customization and integration into CI/CD pipelines, supporting continuous code examination. Semgrep not only uncovers hidden flaws but also enforces best practices, making it a valuable asset for development teams seeking to build secure and reliable software.

What are the most important features of Semgrep?

Customizable Rules: Allows users to define specific rules to match unique coding requirements.
Open Rule Repository: Provides access to a vast array of pre-defined rules covering common security issues.
CI/CD Integration: Seamlessly integrates into development workflows, providing immediate feedback.
Multi-language Support: Detects issues across different programming languages, enhancing its usability.

What benefits or ROI should users consider?

Enhanced Security Posture: Elevates the security standards of codebases.
Time Efficiency: Reduces time spent on manual code reviews.
Adaptability: Easily adapts to evolving coding standards and practices.
Cost-effectiveness: Minimizes the need for external security audits.

In industry applications, Semgrep is a popular choice for sectors such as finance and healthcare, where code integrity and security are paramount. Its integration capabilities allow for effective oversight of compliance and secure coding standards without disrupting existing workflows. This adaptability ensures it meets sector-specific requirements, making it a trusted tool in fields where data privacy and protection are critical.

Semgrep

Sample Customers

AppDyanmic, Uber, Twitter, Zendesk, Confluent

Policygenius, Tide, Lyft, Thinkific, FloQast, Vanta, and Fareportal

Buyer's Guide

FOSSA vs. Semgrep

December 2025

Free Report: FOSSA vs. Semgrep

Find out what your peers are saying about FOSSA vs. Semgrep and other solutions. Updated: December 2025.

DOWNLOAD NOW

881,082 professionals have used our research since 2012.

See our FOSSA vs. Semgrep report.

See our list of best Software Composition Analysis (SCA) vendors.

We monitor all Software Composition Analysis (SCA) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.