

Find out in this report how the two Static Application Security Testing (SAST) solutions compare in terms of features, pricing, service and support, ease of deployment, and ROI.
This can be translated to being able to do the same amount of work with fewer technicians.
Tasks that previously took days are completed in significantly less time.
I can say it saves us time related to coding and also saves money, making it a very reliable tool for our organization with great features.
Veracode provides excellent assistance and regularly scheduled calls to address customer concerns and updates.
There is still room for improvement when it comes to the speed of response.
Their documentation and community are very active, so most of the time when problems occur, I get a solution.
Customer support and services for Semgrep are very reliable and good.
Customer support is really good and there is also strong community support.
I was able to control it from 10 repositories or 10 services to thousands of repositories in a couple of minutes very simply.
This is an open-source tool, so it absolutely does the job, but if you were to implement a tool such as this in an enterprise, this would probably not be scalable.
Semgrep makes it easy to integrate and grow within any environment without concern for crashes.
Since we've been using HCL AppScan for about three months, we really have not encountered a false positive.
If there is no master branch or default branch, the tool fails to identify it and will never scan it unless manually somebody looks into it and fixes the issue.
Since I have been using it, I have not experienced any downtime.
If I'm scanning a web application, it shows me the various components being used. It tells me whether I have Java libraries, .NET frameworks, or other log management libraries such as Log4j, and what versions of those specific components are present.
The UI and additional dashboarding and other details would definitely make the tool more user-friendly and more of a candidate to be implemented in an enterprise.
Currently, they are working on identifying business logic vulnerabilities or privilege escalation vulnerabilities by looking at the code, and they should continue to focus on and improve this effort.
More advanced dependency analysis features in the SCA part and deeper vulnerability databases would be beneficial.
Companies often choose based on budget constraints, with Veracode being on the higher end cost-wise.
It is basically open-source, so the cost to set up is no cost.
It offers very reasonable pricing and costs.
AppScan's most valuable features include its ability to identify vulnerabilities accurately, provide detailed remediation steps, and the newly introduced AI-powered features that enhance its functionality further.
I have utilized its interactive application security testing (IAST), as well as both static application security testing and dynamic application security testing.
When you triage with AI, it gathers context around the finding and reduces the noise about 80 to 90 percent of the time, asking you to focus only on findings that really matter.
The Software Composition Analysis is the most valuable feature in Semgrep.
The best feature of Semgrep is its ability to highlight high priority issues during scanning, making it critical for developers to address these vulnerabilities promptly.
| Product | Mindshare (%) |
|---|---|
| Semgrep | 2.3% |
| HCL AppScan | 2.7% |
| Other | 95.0% |


| Company Size | Count |
|---|---|
| Small Business | 14 |
| Midsize Enterprise | 6 |
| Large Enterprise | 31 |
| Company Size | Count |
|---|---|
| Small Business | 4 |
| Large Enterprise | 3 |
HCL AppScan offers quick vulnerability detection with effective SDLC integration and is known for its user-friendly interface and seamless security integration.
HCL AppScan provides static and dynamic scanning to identify vulnerabilities such as XSS and SQL injection. It integrates into CI/CD pipelines, supports multiple languages, and covers web applications and APIs, helping businesses maintain security across the development lifecycle. Users benefit from API coverage, Postman integration, and its ability to run in both cloud and on-premise environments, facilitating a shift from DevOps to DevSecOps practices.
What features define HCL AppScan?

HCL AppScan is leveraged in sectors requiring rigorous security checks, such as finance and healthcare, where it conducts comprehensive scans and offers insights into potential vulnerabilities. Its robust scanning capabilities aid companies in maintaining compliance and security standards.
Semgrep is an advanced static analysis tool designed to identify vulnerabilities and enforce coding standards, catering primarily to professionals with a focus on enhancing code security and quality.
Engineered for software development environments, Semgrep delivers efficient security feedback with minimal setup. By offering a rich collection of rule sets, it allows customization and integration into CI/CD pipelines, supporting continuous code examination. Semgrep not only uncovers hidden flaws but also enforces best practices, making it a valuable asset for development teams seeking to build secure and reliable software.
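The "rich collection of rule sets" and "customization" above refer to Semgrep's YAML rule format. The rule file below is an added example written for this page, not a rule shipped by Semgrep or quoted from the original reviews; the rule IDs, messages and the Flask/subprocess targets are assumptions chosen for illustration. The first rule is a plain pattern rule that flags `subprocess` calls using `shell=True` with a non-literal command; the second uses Semgrep's taint mode to report only when a Flask query parameter actually reaches a `subprocess` call.

```yaml
# Added example rule file (assumed name: command-injection.yml), not part of the
# page or of Semgrep's registry. Run it against a source tree with:
#   semgrep --config command-injection.yml path/to/project
rules:
  # Rule 1: pattern rule. Matches any subprocess.<func>(..., shell=True, ...)
  # unless the command is a string literal. "$FUNC" is a metavariable that
  # binds run/call/Popen/etc.; "..." matches any other arguments.
  - id: subprocess-shell-true-non-literal
    languages: [python]
    severity: WARNING
    message: >
      subprocess call with shell=True and a non-literal command string.
      Pass a list of arguments without shell=True, or validate the input.
    patterns:
      - pattern: subprocess.$FUNC(..., shell=True, ...)
      - pattern-not: subprocess.$FUNC("...", shell=True, ...)

  # Rule 2: taint rule. Reports only when data read from a Flask request
  # (source) flows into a subprocess call (sink). Wrapping the value in
  # shlex.quote() is treated as a sanitizer and suppresses the finding.
  - id: flask-request-to-subprocess
    mode: taint
    languages: [python]
    severity: ERROR
    message: >
      Untrusted request data reaches a subprocess call (possible command
      injection). Avoid the shell entirely or sanitize with shlex.quote().
    pattern-sources:
      - pattern: flask.request.args.get(...)
      - pattern: flask.request.form.get(...)
    pattern-sanitizers:
      - pattern: shlex.quote(...)
    pattern-sinks:
      - pattern: subprocess.$FUNC(...)
```

With these rules, `subprocess.run(cmd, shell=True)` is reported by the first rule while `subprocess.run("ls -l", shell=True)` is not, and a handler that does `subprocess.run(["ping", flask.request.args.get("host")])` is reported by the second rule even though it never sets `shell=True`, because the taint rule tracks the data flow rather than a syntactic shape. This is the kind of custom, CI-friendly check the paragraph above describes: adding `--error` to the `semgrep` invocation makes the CLI exit non-zero on findings so a pipeline step fails.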
What are the most important features of Semgrep?

In industry applications, Semgrep is a popular choice for sectors such as finance and healthcare, where code integrity and security are paramount. Its integration capabilities allow for effective oversight of compliance and secure coding standards without disrupting existing workflows. This adaptability ensures it meets sector-specific requirements, making it a trusted tool in fields where data privacy and protection are critical.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.