Semgrep Reviews

Name: Semgrep
Brand: Semgrep
Rating: 3.5 (4 reviews)

Vendor: Semgrep

3.5 out of 5

4 reviews
100% willing to recommend

Leave a review

What is Semgrep?

Semgrep is an advanced static analysis tool designed to identify vulnerabilities and enforce coding standards, catering primarily to professionals with a focus on enhancing code security and quality.

Get the Static Application Security Testing (SAST) Buyer's Guide and find out what your peers are saying about Semgrep, SonarQube, Snyk and more!

Semgrep is the #6 ranked solution in top Supply Chain Management Software, #7 ranked solution in top Static Code Analysis solutions, #11 ranked solution in top Software Composition Analysis (SCA) solutions, and #18 ranked solution in AST tools. PeerSpot users give Semgrep an average rating of 7.0 out of 10. Semgrep is most commonly compared to SonarQube: Semgrep vs SonarQube. Semgrep is popular among the large enterprise segment, accounting for 59% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a financial services firm, accounting for 16% of all views.

Buyer's Guide

Static Application Security Testing (SAST)

May 2026

Get the category report

Helped 900,051 peers since 2012

Featured Semgrep reviews

Manjunath Maneppagol

Cloud & Application Security at Sixt SE

I have consistently observed that their scan time is an issue for mono repos. Sometimes with their AI-based scanning, when you triage that scan, the scan never completes or finishes(, which makes it difficult. Another consistent issue is that whenever you have a new repo to onboard to the platform, the tool ideally should detect the master branch by default. However, sometimes the tool fails to identify it and will never scan it unless manually somebody looks into it and fixes the issue. Although their support team is really good, this issue was present six or eight months ago during the POC and is still present now. If it is affecting multiple customers, it should be prioritized and fixed. I would say that their integration aspects could have been improved. I see a lot of different security solutions that provide flexibility to the security teams based on Jira project, team divisions, Slack, and all those can be very much easily customized. Semgrep needs to work on the enhancement of their notification capabilities. Currently, they are working on identifying business logic vulnerabilities or privilege escalation vulnerabilities by looking at the code, and they should continue to focus on and improve this effort. Regarding stability, whenever you have a mono-repo which is a very large repository, the scan never finishes or the scan never kicks in. At that time, you have to reach out to the support team and ask them to expand the resources in the back end to fix it. This is an issue I keep seeing often on that platform.

Read full review

reviewer2014131

DevSecOps Security Engineer at a manufacturing company with 10,001+ employees

As we use Semgrep for secret scanning, I know it is an open-source tool. Oftentimes, that leads to the refinement of the engine, but oftentimes Semgrep ends up flagging a lot of false positive values. If the name of a variable or any text in the code has the word secret in it, then it flags it as a secret violation or as a secret finding, which may not be the case. It might just be a false positive. It might just be a variable called secret but may not contain a value that is actually secret information. Of course, there are a bunch of additions and improvements that can be done on Semgrep, but it is an open-source tool. I have at least used the open-source version of it. Of course, that comes only with the CLI. The UI and additional dashboarding and other details would definitely make the tool more user-friendly and more of a candidate to be implemented in an enterprise such as the one that I work for. I have not seen any other areas where Semgrep could be improved, aside from the false positives and dashboarding mentioned earlier.

Read full review

Francisco Javier Vergara

SecOps Engineer at IriusRisk

The coverage of Semgrep could be a bit better, as there are other tools that are more specialized in other areas of security. Semgrep as an SCA tool is adequate, but if you want to use some other parts of it, you get a high price tag. More advanced dependency analysis features in the SCA part and deeper vulnerability databases would be beneficial. Semgrep is mostly used because it is considered an industry standard, and many of our customers use Semgrep, so they expect us to use it as well. However, as a tool it is really complex to maintain and to use, and it has a huge price tag.

Read full review

Semgrep mindshare

Product category:

As of June 2026, the mindshare of Semgrep in the Static Application Security Testing (SAST) category stands at 2.4%, down from 2.5% compared to the previous year, according to calculations based on PeerSpot user engagement data.

Static Application Security Testing (SAST) Mindshare Distribution
Product	Mindshare (%)
Semgrep	2.4%
SonarQube	14.5%
Checkmarx One	9.2%
Other	73.9%

Static Application Security Testing (SAST)

Key learnings from peers

Last updated Jun 7, 2026

Valuable Features

Semgrep allows users to write custom rules, easily integrates with CI/CD pipelines, and enhances developer experience with a clear interface. It automates vulnerability checks, supports various scanning types, reduces manual work, and intelligently analyzes findings, reducing noise by up to 90%. Its adaptability across repositories and standout features like SAST, secret scanning, and Software Composition Analysis make it valuable. Semgrep quickly fits into existing platforms and improves both security posture and developer-security relations.

"Semgrep flourishes with the SAST, secret scanning, and Software Composition Analysis types of scanning."
"The best part of Semgrep is its ease of integration with CI/CD pipelines and how it is a developer-friendly tool."
"Compared to other competitors in the market, the AI-backed capability is the biggest strength of Semgrep."

Room for Improvement

Semgrep needs more guidance for beginners in application security. Users suggest better documentation for setup and a more user-friendly UI. Enhanced integration and advanced dependency analysis features are expected. The tool flags many false positives, especially for variables named "secret." Scan times are long for large repositories, and issues with detecting the master branch exist. Improvements in vulnerability databases and notification capabilities are required for better functionality and user experience.

"I give Semgrep a six out of 10 simply because there are other tools that are better than this out there."
"However, as a tool it is really complex to maintain and to use, and it has a huge price tag."
"I have consistently observed that their scan time is an issue; sometimes with their AI-based scanning, when you triage that scan, the scan never completes or finishes, which makes it difficult."

Popular Use Cases

Organizations use Semgrep primarily for identifying vulnerabilities in code through static analysis, software composition analysis, and secret scanning. It aids in testing, SAST, and AppSec activities. With integration into CI/CD pipelines and IDEs, developers receive immediate feedback, enhancing the development process. Semgrep facilitates vulnerability detection in dependencies and supports shift-left strategies by allowing developers to address issues early, improving operational efficiency and ensuring thorough code analysis.

Scalability

Some users find Semgrep easily scalable, able to handle thousands of repositories swiftly without issues. They report no significant challenges when used for small teams. However, others feel it lacks scalability in larger enterprises compared to other options. It performs well for their requirements but adding enhancements could improve its scalability. Although open-source, it effectively fulfills its role within certain limits, while some consider its scalability as limited when compared to other solutions.

These insights are based on the in-depth reviews provided by peers to help you make a better buying decision.

Download our Static Application Security Testing (SAST) Buyer's Guide for additional reliable information.

Top industries

By visitors reading reviews

Financial Services Firm

16%

Manufacturing Company

11%

Computer Software Company

Comms Service Provider

Outsourcing Company

University

Retailer

Government

Construction Company

Educational Organization

Healthcare Company

Media Company

Insurance Company

Legal Firm

Transportation Company

Wholesaler/Distributor

Leisure / Travel Company

Hospitality Company

Real Estate/Law Firm

Pharma/Biotech Company

Performing Arts

Recreational Facilities/Services Company

Energy/Utilities Company

Non Profit

Marketing Services Firm

Agriculture

Consumer Goods Company

Aerospace/Defense Firm

Religious Institution

Compare Semgrep with alternative products

Learn more about Semgrep

Engineered for software development environments, Semgrep delivers efficient security feedback with minimal setup. By offering a rich collection of rule sets, it allows customization and integration into CI/CD pipelines, supporting continuous code examination. Semgrep not only uncovers hidden flaws but also enforces best practices, making it a valuable asset for development teams seeking to build secure and reliable software.

What are the most important features of Semgrep?

Customizable Rules: Allows users to define specific rules to match unique coding requirements.
Open Rule Repository: Provides access to a vast array of pre-defined rules covering common security issues.
CI/CD Integration: Seamlessly integrates into development workflows, providing immediate feedback.
Multi-language Support: Detects issues across different programming languages, enhancing its usability.

What benefits or ROI should users consider?

Enhanced Security Posture: Elevates the security standards of codebases.
Time Efficiency: Reduces time spent on manual code reviews.
Adaptability: Easily adapts to evolving coding standards and practices.
Cost-effectiveness: Minimizes the need for external security audits.

In industry applications, Semgrep is a popular choice for sectors such as finance and healthcare, where code integrity and security are paramount. Its integration capabilities allow for effective oversight of compliance and secure coding standards without disrupting existing workflows. This adaptability ensures it meets sector-specific requirements, making it a trusted tool in fields where data privacy and protection are critical.

Semgrep was previously known as Semgrep Code, Semgrep Supply Chain, Semgrep AppSec Platform.

Semgrep customers

Policygenius, Tide, Lyft, Thinkific, FloQast, Vanta, and Fareportal

Author info	Rating	Review Summary
Cloud & Application Security at Sixt SE	4.0	I've used Semgrep for several months and value its contextual analysis, seamless IDE integration, and minimal noise, though scan time and integration limitations persist; overall, it’s a strong, scalable tool improving developer experience and application security.
DevSecOps Security Engineer at a manufacturing company with 10,001+ employees	3.0	I use Semgrep for POCs in SAST, secret scanning, and SCA, valuable for benchmarking. It excels in SCA, but its open-source version has false positives and lacks enterprise UI/scalability. I rated it 6.5/10.
SecOps Engineer at IriusRisk	3.0	I primarily use Semgrep for SCA in CI/CD, finding its easy integration and automated checks reduce manual effort. However, its coverage, advanced features, and high price are areas for improvement, and it's complex to maintain.
Security Consultant \| Application Security at Jowatechs	4.0	We use Semgrep to check custom user pipelines for vulnerabilities, benefiting from its ability to write custom rules. It improves our development speed and cost efficiency, although more beginner-friendly information is needed. We didn't switch from another product.

Semgrep Reviews

What is Semgrep?

Featured Semgrep reviews

Semgrep mindshare

Valuable Features

Room for Improvement

Popular Use Cases

Scalability

Top industries

Compare Semgrep with alternative products

Learn more about Semgrep

Semgrep customers

Related questions

Product Categories

Popular Comparisons