No more typing reviews! Try our Samantha, our new voice AI agent.

HCL AppScan vs Semgrep comparison

 

Comparison Buyer's Guide

Executive Summary

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

ROI

Sentiment score
1.7
HCL AppScan enhances architecture with fewer errors and improved security, achieving 50% return and 20% cost savings.
Sentiment score
6.3
Semgrep improves ROI by accelerating development, reducing manual labor, and addressing vulnerabilities early, enhancing efficiency and profitability.
This can be translated to being able to do the same amount of work with less technicians.
SecOps Engineer at IriusRisk
Tasks that previously took days are completed in significantly less time.
DevOps Engineer at Exponential Craft
I can say it saves us time related to coding and also saves money, making it a very reliable tool for our organization with great features.
Angular Developer at Flourish Software
 

Customer Service

Sentiment score
5.6
HCL AppScan's support is responsive with mixed reviews, facing regional challenges and lagging behind competitors like Veracode.
Sentiment score
6.1
Semgrep's customer service is efficient, with comprehensive documentation and community support reducing the need for direct assistance.
Veracode provides excellent assistance and regularly scheduled calls to address customer concerns and updates.
Associate Principal, Software Engineering at LTI - Larsen & Toubro Infotech
There is still room for improvement when it comes to the speed of response.
Founder Director at Techsa Services
Their documentation and community are very active, so most of the time when problems occur, I get a solution.
Sr. Project Analyst [Cybersecurity] at a consultancy with 10,001+ employees
Customer support and services for Semgrep are very reliable and good.
Angular Developer at Flourish Software
Customer support is really good and there is also strong community support.
SecOps Engineer at IriusRisk
 

Scalability Issues

Sentiment score
3.9
HCL AppScan is scalable yet varies by license, integration issues, infrastructure compatibility, and CI/CD pipeline design effectiveness.
Sentiment score
8.1
Semgrep scales efficiently for both small and large teams, adapting well to diverse environments with cloud-native features.
I was able to control it from 10 repositories or 10 services to thousands of repositories in a couple of minutes very simply.
Cloud & Application Security at Sixt SE
This is an open-source tool, so it absolutely does the job, but if you were to implement a tool such as this in an enterprise, this would probably not be scalable.
DevSecOps Security Engineer at a manufacturing company with 10,001+ employees
Semgrep makes it easy to integrate and grow within any environment without concern for crashes.
DevOps Engineer at Exponential Craft
 

Stability Issues

Sentiment score
7.2
HCL AppScan is stable and reliable, with minor hardware issues, improved by recent upgrades enhancing performance and stability.
Sentiment score
7.8
Semgrep generally operates stably, though AI scanning limitations and integration improvements are needed for large repositories.
Since we've been using HCL AppScan for about three months, we really have not encountered a false positive.
Founder Director at Techsa Services
If there is no master branch or default branch, the tool fails to identify it and will never scan it unless manually somebody looks into it and fixes the issue.
Cloud & Application Security at Sixt SE
Since I have been using it, I have not experienced any downtime.
Angular Developer at Flourish Software
 

Room For Improvement

HCL AppScan requires improvements in vulnerability detection, usability, integration, performance, support, pricing, and language/codebase compatibility to stay competitive.
Semgrep needs user-friendly enhancements, better documentation, efficient scanning, integration flexibility, AI advancements, and improved notifications and databases.
If I'm scanning a web application, it shows me the various components being used. It tells me whether I have Java libraries, .NET frameworks, or other log management libraries such as Log4j, and what versions of those specific components are present.
Founder Director at Techsa Services
The UI and additional dashboarding and other details would definitely make the tool more user-friendly and more of a candidate to be implemented in an enterprise.
DevSecOps Security Engineer at a manufacturing company with 10,001+ employees
Currently, they are working on identifying business logic vulnerabilities or privilege escalation vulnerabilities by looking at the code, and they should continue to focus on and improve this effort.
Cloud & Application Security at Sixt SE
More advanced dependency analysis features in the SCA part and deeper vulnerability databases would be beneficial.
SecOps Engineer at IriusRisk
 

Setup Cost

HCL AppScan is considered expensive but cost-effective, with varied pricing opinions influenced by its premium features and discounts.
Companies often choose based on budget constraints, with Veracode being on the higher end cost-wise.
Associate Principal, Software Engineering at LTI - Larsen & Toubro Infotech
It is basically open-source, so the cost to set up is no cost.
Sr. Project Analyst [Cybersecurity] at a consultancy with 10,001+ employees
It offers very reasonable pricing and costs.
Angular Developer at Flourish Software
 

Valuable Features

HCL AppScan detects vulnerabilities, integrates with agile processes, offers scalability, user-friendly features, and AI-enhanced rapid scanning for security.
Semgrep enhances security and efficiency with customizable rules, seamless integration, and user-friendly interfaces for rapid issue detection.
AppScan's most valuable features include its ability to identify vulnerabilities accurately, provide detailed remediation steps, and the newly introduced AI-powered features that enhance its functionality further.
Associate Principal, Software Engineering at LTI - Larsen & Toubro Infotech
I have utilized its interactive application security testing, as well as both static application security testing, dynamic application security testing, and IAST.
Founder Director at Techsa Services
When you triage with AI, it gathers context around the finding and reduces the noise about 80 to 90 percent of the time, asking you to focus only on findings that really matter.
Cloud & Application Security at Sixt SE
The Software Composition Analysis is the most valuable feature in Semgrep.
DevSecOps Security Engineer at a manufacturing company with 10,001+ employees
The best feature of Semgrep is its ability to highlight high priority issues during scanning, making it critical for developers to address these vulnerabilities promptly.
DevOps Engineer at Exponential Craft
 

Categories and Ranking

HCL AppScan
Ranking in Static Application Security Testing (SAST)
17th
Average Rating
7.6
Reviews Sentiment
5.9
Number of Reviews
44
Ranking in other categories
Application Security Tools (21st), Dynamic Application Security Testing (DAST) (6th)
Semgrep
Ranking in Static Application Security Testing (SAST)
13th
Average Rating
7.6
Reviews Sentiment
7.2
Number of Reviews
7
Ranking in other categories
Supply Chain Management Software (4th), Software Composition Analysis (SCA) (8th), Static Code Analysis (5th)
 

Mindshare comparison

As of July 2026, in the Static Application Security Testing (SAST) category, the mindshare of HCL AppScan is 2.7%, down from 2.8% compared to the previous year. The mindshare of Semgrep is 2.3%, down from 2.7% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Static Application Security Testing (SAST) Mindshare Distribution
ProductMindshare (%)
Semgrep2.3%
HCL AppScan2.7%
Other95.0%
Static Application Security Testing (SAST)
 

Featured Reviews

Ravi Khanchandani - PeerSpot reviewer
Founder Director at Techsa Services
Has improved identification of encryption and authentication issues across cloud and on-prem applications
During the learning curve of onboarding HCL AppScan, we learned that HCL has altered the portfolio and now offers HCL AppScan 360, which has a much better look and feel with an improved user interface. However, there is one feature called SCA, which stands for Software Composition Analysis, that could be improved. When I'm doing an application scan, HCL AppScan has the ability to generate information about what components are in use. For example, if I'm scanning a web application, it shows me the various components being used. It tells me whether I have Java libraries, .NET frameworks, or other log management libraries such as Log4j, and what versions of those specific components are present. I would like to see more detailed reports from the tool. Currently, you can find out the components belonging to a specific software, but if detailed reporting became available, you would be in a better position to identify vulnerabilities. For instance, I could identify that I had the Log4j vulnerability and know that I need to fix my application accordingly. If they add the features I'm describing, I would consider giving them a higher rating. However, I've only been experienced with the product for three months.
Manjunath Maneppagol - PeerSpot reviewer
Cloud & Application Security at Sixt SE
Context-aware code analysis has reduced noise and now improves developer experience with actionable security findings
I have consistently observed that their scan time is an issue for mono repos. Sometimes with their AI-based scanning, when you triage that scan, the scan never completes or finishes(, which makes it difficult. Another consistent issue is that whenever you have a new repo to onboard to the platform, the tool ideally should detect the master branch by default. However, sometimes the tool fails to identify it and will never scan it unless manually somebody looks into it and fixes the issue. Although their support team is really good, this issue was present six or eight months ago during the POC and is still present now. If it is affecting multiple customers, it should be prioritized and fixed. I would say that their integration aspects could have been improved. I see a lot of different security solutions that provide flexibility to the security teams based on Jira project, team divisions, Slack, and all those can be very much easily customized. Semgrep needs to work on the enhancement of their notification capabilities. Currently, they are working on identifying business logic vulnerabilities or privilege escalation vulnerabilities by looking at the code, and they should continue to focus on and improve this effort. Regarding stability, whenever you have a mono-repo which is a very large repository, the scan never finishes or the scan never kicks in. At that time, you have to reach out to the support team and ask them to expand the resources in the back end to fix it. This is an issue I keep seeing often on that platform.
report
Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.
902,894 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
11%
Manufacturing Company
9%
Government
9%
Computer Software Company
8%
Financial Services Firm
16%
Manufacturing Company
11%
Computer Software Company
8%
Comms Service Provider
7%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
By reviewers
Company SizeCount
Small Business14
Midsize Enterprise6
Large Enterprise31
By reviewers
Company SizeCount
Small Business4
Large Enterprise3
 

Questions from the Community

What needs improvement with HCL AppScan?
During the learning curve of onboarding HCL AppScan, we learned that HCL has altered the portfolio and now offers HCL AppScan 360, which has a much better look and feel with an improved user interf...
What is your primary use case for HCL AppScan?
I'm currently working with BigFix and HCL AppScan. At least three people in my company are using HCL AppScan. Since we are a reseller, we run it in both lab environments and live production applica...
What is your experience regarding pricing and costs for HCL AppScan?
AppScan is considered more cost-effective than Veracode, although I have not updated the exact pricing details. Companies often choose based on budget constraints, with Veracode being on the higher...
What needs improvement with Semgrep?
As we use Semgrep for secret scanning, I know it is an open-source tool. Oftentimes, that leads to the refinement of the engine, but oftentimes Semgrep ends up flagging a lot of false positive valu...
What is your primary use case for Semgrep?
I have used Semgrep more as a testing and a POC tool. So, there is no consistent usage of Semgrep, but I have used the tool multiple times for POC purposes. As a DevSecOps Security Engineer, my mai...
What advice do you have for others considering Semgrep?
My advice to others looking into using Semgrep is to keep in mind that this is an open-source tool. I gave Semgrep an overall rating of 6.5 out of 10.
 

Comparisons

 

Also Known As

IBM Security AppScan, Rational AppScan, AppScan
Semgrep Code, Semgrep Supply Chain, Semgrep AppSec Platform
 

Overview

 

Sample Customers

Essex Technology Group Inc., Cisco, West Virginia University, APIS IT
Policygenius, Tide, Lyft, Thinkific, FloQast, Vanta, and Fareportal
Find out what your peers are saying about HCL AppScan vs. Semgrep and other solutions. Updated: June 2026.
902,894 professionals have used our research since 2012.