Semgrep

Semgrep, Inc. (formerly r2c^[3] ) is a cybersecurity company based in San Francisco. The company develops the Semgrep AppSec Platform (a commercial offering for SAST, SCA, and secrets scanning) and actively maintains the open-source static code analysis tool semgrep OSS.

Semgrep has stable support for over 30 languages including C#, C, C++, Go, Java, JavaScript, JSON, Python, PHP, Ruby, and Scala. Language support on semgrep OSS is community driven and does not support interprocedural or interfile analysis.^[4]

The name is a combination of semantic and grep , referring to semgrep being a text search command-line utility that is aware of source code semantics.^[5]

Semgrep, Inc. provides a continuous integration service (called Semgrep CI), rule-writing tools (called the Semgrep Playground and editor), and a rule library (called Semgrep Registry) free of charge for both commercial and open source users.^[6]

Semgrep rules are similar to source code and do not require knowledge of a domain specific language to write. Both open source and commercial rules can be forked and customized to a user's codebase, however only commercial users are able to customize commercial rules. All users are free to fork and modify open source (community) rules.^[7]

Semgrep was based on sgrep, an open source part of pfff, a program analysis library developed at Facebook in 2009. Pfff was inspired by Coccinelle, an open-source utility for programs written in C. Yoann Padioleau, the original author of sgrep and a contributor to Coccinelle, joined r2c in 2019.^{[8] [9] [10]} sgrep was forked from pfff by r2c, and in 2020 the sgrep fork was renamed semgrep to avoid name collisions with existing projects.^{[11] [12] [13]}

Redpoint Ventures and Sequoia Capital backed r2c in an unannounced seed round and later funded a 13ドル million Series A round in 2020. The company's product portfolio consisted only of Semgrep OSS and its ecosystem at the time.^{[14] [15]}

Semgrep, Inc. announced in 2023 that it had raised a 53ドル million Series C funding round with Lightspeed Venture Partners leading the investment and participation from previous investors Felicis Ventures, Redpoint Ventures, and Sequoia Capital. The company has raised a total of 93ドル million, including their Series C financing.^[3]

The Open Web Application Security Project (OWASP) listed Semgrep in its source code analysis tools list.^[16] As of 2023 April, Semgrep has 132 contributors and over 9000 stars on GitHub.^[17] From Docker Hub the Docker image has been pulled more than 60 million times.^[18]

Semgrep can be installed with Homebrew ^[19] or pip.^[20] Additionally it can run without installation on Docker. Analysis can be done without the need of custom configuration, and by utilizing rulesets created by Semgrep Inc. and open source contributors. The tool also allows users to write their own patterns and rules through the CLI using a pattern language unique to semgrep. A free online rule editor and a tutorial are also available.^{[21] [22]}

• List of tools for static code analysis

• Official website , Semgrep, Inc.
• Semgrep on GitHub
• Pfff on GitHub
• Medium post on Semgrep by Isaac Evans, CEO of r2c

• Static program analysis tools
• Software review
• Free software testing tools
• OCaml software

• Articles with short description
• Short description matches Wikidata
• Official website different in Wikidata and Wikipedia