    Application Security Platform

    Deployed on AWS
    Application Security Testing
    Rating: 4.5

    Overview

    Semgrep is a highly customizable application security platform built for security engineers and developers. Semgrep scans first- and third-party code to find security issues specific to an organization, with an emphasis on surfacing actionable, low-noise, developer-friendly results at lightning speed.

    Semgrep's focus on confidence ratings and reachability means that security teams can feel comfortable engaging developers directly in their workflows (e.g. surfacing findings in PR comments), and Semgrep integrates seamlessly with CI and SCM tooling to automate these policies.

    With Semgrep, security teams can shift left and scale their programs with zero impact on developer velocity. With 3400+ out-of-the-box rules and the ability to easily create custom rules, Semgrep shortens the time it takes to implement and scale a best-in-class AppSec program - all while adding value from Day 1.

    Highlights

    • Lightning-fast code scanning that detects security vulnerabilities in 30+ languages, with results prioritized for remediation
    • Reachability analysis of known vulnerabilities in the third-party software components actually used, which makes results actionable for developers
    • Easy-to-write custom rules to augment detection of security vulnerabilities, enforce coding standards, and improve code quality

    Details

    Delivery method: Deployed on AWS

    Features and programs

    Trust Center
    Access real-time vendor security and compliance information through their Trust Center, powered by Drata or Vanta. Review certifications and security standards before purchase.

    Buyer guide
    Gain valuable insights from real users who purchased this product, powered by PeerSpot.

    Financing for AWS Marketplace purchases
    AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, and VT.

    Pricing

    Application Security Platform

    Pricing is based on the duration and terms of your contract with the vendor, and additional usage. You pay upfront or in installments according to your contract terms with the vendor. This entitles you to a specified quantity of use for the contract duration. Usage-based pricing is in effect for overages or additional usage not covered in the contract. These charges are applied on top of the contract price. If you choose not to renew or replace your contract before the contract end date, access to your entitlements will expire.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.

    12-month contract (3 dimensions)

    Dimension            Description                                                              Cost/12 months
    Code (SAST)          Pro Engine + Pro Rules + Cloud Platform                                  $480.00
    Supply Chain (SCA)   Reachability + Dependency Search + License Compliance + Cloud Platform   $480.00
    Secrets              Secrets Scanning                                                         $720.00

    Additional usage costs (3 dimensions)

    The following dimensions are not included in the contract terms and are charged based on your usage.

    Dimension                  Cost/user/hour
    Additional SAST Users      $0.05
    Additional SCA Users       $0.05
    Additional Secrets Users   $0.08

    Vendor refund policy

    No refunds


    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA).

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information

    Delivery details

    Software as a Service (SaaS)

    SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.

    Support

    Vendor support

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.


    Accolades

    Top 25 in Continuous Integration and Continuous Delivery
    Top 10 in Testing
    Top 25 in Generative AI


    Overview

    AI generated from product descriptions

    Multi-Language Code Scanning: Detects security vulnerabilities across 30+ programming languages with prioritized results for remediation.
    Reachability Analysis: Analyzes reachability of known vulnerabilities in third-party software components to determine actionable findings.
    Custom Rule Creation: Supports easy-to-write custom rules for detecting security vulnerabilities, enforcing coding standards, and improving code quality.
    Pre-built Security Rules: Includes 3400+ out-of-the-box rules for security vulnerability detection.
    CI/SCM Integration: Integrates with continuous integration and source control management tooling to automate security policies and embed findings in pull request workflows.
    Static Application Security Testing: Identifies vulnerabilities and weaknesses in custom code with support for 25+ languages and frameworks, scanning uncompiled code and re-scanning only new or modified code.
    Software Composition Analysis: Identifies and prioritizes open source vulnerabilities, takes inventory of open source components and dependencies, and evaluates risks of open source licenses.
    Infrastructure as Code Analysis: Detects security misconfigurations in IaC templates using KICS to prevent errors such as open storage buckets, insecure databases, and excessive privileges.
    Real-time IDE Security Scanning: Provides real-time vulnerability detection during IDE development for both human-generated and AI-generated code, identifying vulnerabilities, unmasked secrets, vulnerable container images, and malicious open source packages.
    Agentic-AI Remediation: Generates remediation suggestions using AI agents that access proprietary databases and customized AI models to provide context-aware code fixes with interactive refinement capabilities.
    AI-Generated Code Security: Rapid AI-tuned scanning at the moment of code generation, paired with deep static analysis to identify flaws across both AI-generated and human-written code.
    Open Source Vulnerability Management: Detection, prioritization, and automated remediation of open source vulnerabilities with CVE reachability analysis and Exploitation Maturity scoring (EPSS).
    AI Component Governance: Full visibility and governance over AI components including models, agents, RAGs, and MCPs, with inventory generation, policy enforcement, and Shadow AI detection.
    Container and Supply Chain Security: Container vulnerability scanning with full SBOM integration, malicious package protection, and automated dependency updates using trusted open source upgrade mechanisms.
    Unified Multi-Product Platform: Single web UI managing SCA, SAST, Container, and AI security products with full SCM integrations including Azure DevOps, Bitbucket, GitHub, and GitLab, plus native IDE access.

    Contract

    Standard contract: No

    Customer reviews

    Ratings and reviews

    4.5 (62 ratings)
    5 star: 73%
    4 star: 21%
    3 star: 6%
    2 star: 0%
    1 star: 0%
    2 AWS reviews | 60 external reviews
    External reviews are from G2 and PeerSpot.
    Hiten Nandasana

    Early detection has transformed our code reviews and makes our development process faster

    Reviewed on Jun 27, 2026
    Review from a verified AWS customer

    What is our primary use case?

    My primary use case for Semgrep is for day-to-day code scanning and code reviewing during development, focusing on vulnerability detection. I am also migrating this tool into our CI/CD pipeline.

    The primary objective is to scan code, detect vulnerabilities, and integrate into CI/CD pipelines during the coding phase before deployment to production so we can identify all issues in the development phase.

    I currently use Semgrep for our development process, CI/CD pipeline, and vulnerability detection, and it is a very good product.

    What is most valuable?

    In my current situation, when I work on any features or products, I find issues during my development phase while writing code. I can detect issues in a very early phase, which allows us to prevent forwarding them to production.

    This is very helpful for our development phase and it is very fast for our development process. I can save more time for developing and reviewing code, which makes it very helpful for our organization.

    Regarding Semgrep, I find it to be very user-friendly, easy to understand, and easy to integrate with any working tool. We use VS Code, and it integrates seamlessly with it. Additionally, I set up the CI/CD pipeline for the development phase, and it works well for all our needs.

    In my opinion, the best features Semgrep offers are for security vulnerability detection. I can find any vulnerabilities during my development phase, which helps my work and has many time-saving features.

    Whenever I use Semgrep, I have integrated it seamlessly into my experience. It integrates when I work with the development phase and the deployment model, allowing me to detect any security issues. I can detect these issues early and fix them as soon as possible, eliminating the need for manual line-by-line code checks. It quickly scans all the code and detects issues, saving me significant time.

    It can help my team very quickly, especially with large-scale projects. In my team, we use Semgrep, which is more efficient for coding purposes, time-saving, and quickly detects issues. I can say that weekly I save about six to seven hours because of this, making it very time-saving and fostering faster development for my team's products and environment.

    What needs improvement?

    I wish there were a bit more improvement in AI features, such as integrating some AI capabilities, so it can be more convenient and useful for users.

    For how long have I used the solution?

    I have been using Semgrep since last year.

    What do I think about the stability of the solution?

    Semgrep is very stable; since I have been using it, I have not experienced any downtime.

    What do I think about the scalability of the solution?

    Semgrep is highly scalable. It handles small projects well, and it is very useful for any large-scale project as well. It can be used by any organization for any project.

    How are customer service and support?

    Customer support and services for Semgrep are very reliable and good. Many times when I have had troubleshooting needs, I find most solutions in the documentation, so the support and customer service team is excellent.

    Which solution did I use previously and why did I switch?

    Previously, I used the SonarQube solution but switched to Semgrep because Semgrep works faster and the code scannability is very good compared to SonarQube.

    What was our ROI?

    The return on investment is very evident. I can say it saves us time related to coding and also saves money, making it a very reliable tool for our organization with great features.

    What's my experience with pricing, setup cost, and licensing?

    For pricing and setup cost, Semgrep is very reliable for any type of organization, whether small or large. It offers very reasonable pricing and costs.

    Which other solutions did I evaluate?

    I did not evaluate other options before choosing Semgrep.

    What other advice do I have?

    I would not want to see anything changed.

    My advice for others considering Semgrep is that it is a very good product and a great tool to use. It has a very user-friendly environment and it is very time-saving, as I mentioned earlier. I do not have any additional thoughts about Semgrep. My overall review rating for Semgrep is nine out of ten.

    Which deployment model are you using for this solution?

    Public Cloud

    Aman Raj Pandey

    Automated security checks have transformed code reviews and save hours every development week

    Reviewed on Jun 21, 2026
    Review provided by PeerSpot

    What is our primary use case?

    My main use case is to perform SAST, static application security testing. I have been using it for the last 10 months. Initially, I was planning to use it just for the code review part so that developers can get secure code. However, it can also be integrated in CI/CD pipelines and other tools, which makes it robust.

    I deployed Semgrep with my development team in their IDEs, such as VS Code and other notebook tools that my developers use. Semgrep helps to identify code-level issues, such as the possibility of SQL injection, XSS, or hard-coded values. It initially triggers alerts and shows which aspects are not correct and need correction.

    What is most valuable?

    First, it is very easy to use. It has customization features that allow me to customize it to find particular types of vulnerabilities that I am looking for. There is scanning efficiency which allows for rapid issue detection early in the development process. The customizable rule engine is the best thing because I can customize it according to my needs.

    I can customize my rules according to my needs. The YAML file is easy to write. A person with good basic knowledge of coding can generate custom rules particular to the type of vulnerability they are targeting. Therefore, it is customizable.

    The feature is easy to use, saves a lot of time, and is streamlined in nature. That is the best aspect.

    It has helped my code review part significantly. It saves around two to three hours per day of going through each line of code to find mistakes and identify issues that are present at the code level. Code review is a tedious task for any security engineer or developer to do, so it helps tremendously while reviewing code.

    By avoiding these tedious tasks, my team gets to focus on other important tasks that are required. Sometimes there are urgent tasks that need to be done before code reviews can be completed. The time I save is utilized elsewhere, which effectively benefits my team.

    What needs improvement?

    Semgrep can be improved by making it more user-friendly. There are tools in the market, such as Aqua Security, that have features worth utilizing. However, there are some comprehensive scanning capabilities which I feel Semgrep lacks. For code-level review, it is very good.

    For how long have I used the solution?

    I have been using Semgrep for around nine to 10 months for detection of security flaws in the code.

    What do I think about the stability of the solution?

    It is stable in nature.

    What do I think about the scalability of the solution?

    It is also good. I can scale it for small to large-scale teams. I can use it with a small number of people or a large-sized team.

    How are customer service and support?

    Customer support is good because I have not needed much customer support until now, which is very good. I think that is a good part. Their documentation and community are very active, so most of the time when problems occur, I get a solution.

    Which solution did I use previously and why did I switch?

    I have used SonarQube. However, the results of Semgrep are much better. I compared them both, so I switched to Semgrep only, and it works very well. I do not have to pay any licensing fee or anything like that. It has been good to work with Semgrep.

    I evaluated a tool such as SonarQube, which is in the market and is also open-source. However, the results provided by Semgrep are much more effective and efficient with fewer false positives. The number of true positives is higher, which effectively saves time from checking whether false positives are right or wrong.

    How was the initial setup?

    The accuracy I would rate at 85 to 90%. Sometimes it gives false positives, but compared to its peers, it is better.

    What about the implementation team?

    At a team level, I can say that per day I save around two hours, which can result in eight hours a week. Monthly, I save around 30 to 35 hours because of this.

    What was our ROI?

    The best case is that it solves a lot of things, and for the vulnerabilities that will arise in the future, I solve them at the initial stage.

    What's my experience with pricing, setup cost, and licensing?

    It is basically open-source, so the cost to set up is no cost.

    Which other solutions did I evaluate?

    If you are looking for an open-source tool that can perform SAST in your environment and you are a technical person with a team that can grasp new technologies in a short period of time, then you can use Semgrep directly to perform SAST and code reviews at the development level. Early detection of security issues and bugs can be fixed.

    What other advice do I have?

    It streamlines with the governance and compliance of the country where the company operates. It follows GDPR guidelines and EU guidelines. In India, I follow certain guidelines, so it also passes that criteria to go through those guidelines and follow the restrictions and suggestions provided at a national level.

    Olakunle Obasoro

    Code scans have accelerated remediation and keep development focused on security

    Reviewed on Jun 18, 2026
    Review provided by PeerSpot

    What is our primary use case?

    My main use case for Semgrep is as a SAST tool. Since I work with code directly, I use it to scan the code for vulnerabilities and relay information to developers so they can address any issues. This approach ensures I maintain a security focus as a DevOps person, which is crucial.

    Semgrep fits into my workflow by allowing me to scan code and ensure there are no breaches before running it in containers.

    What is most valuable?

    The best feature of Semgrep is its ability to highlight high priority issues during scanning, making it critical for developers to address these vulnerabilities promptly. This seamless process enhances efficiency and expedites issue resolution within our systems.

    I find Semgrep's user-friendliness valuable, allowing me to run scans easily with simple commands, which clearly indicate vulnerabilities and their priority levels, effectively meeting my needs.

    When receiving high-priority findings, I act as a DevOps person who incorporates security into my culture by notifying developers about issues I find and urging them to check the code. I advocate that all developers have Semgrep installed on their laptops, ensuring they avoid pushing vulnerable code.

    The impact of Semgrep on my organization includes the recommendation I made as an external consultant to incorporate it into projects. It is easy for developers to use and helps monitor our security posture by scanning code before production pushes.

    Since implementing Semgrep, I have noticed significant outcomes. For example, I can resolve vulnerabilities that previously took four days in under a day, saving both time and money, thus enhancing our return on investment.

    What needs improvement?

    Semgrep needs ongoing improvements, and gathering user feedback will help enhance its effectiveness and provide better solutions globally.

    I suggest improving documentation and integrating agentic AI to help users get quicker answers to security problems when scanning.

    For how long have I used the solution?

    That first use was in 2022, so that is about four years now, and I continue to use Semgrep on my MacBook, finding it very useful, and I still recommend it to developers.

    What do I think about the stability of the solution?

    Semgrep is absolutely stable.

    What do I think about the scalability of the solution?

    Semgrep's scalability is impressive, being designed as cloud-native and cloud-agnostic, making it easy to integrate and grow within any environment without concern for crashes.

    How are customer service and support?

    I have not contacted Semgrep's customer service because their documentation usually provides solutions for my inquiries.

    Which solution did I use previously and why did I switch?

    I have not used any solution prior to Semgrep.

    How was the initial setup?

    I find Semgrep's pricing and setup reasonable and recommended its installation for developers to facilitate code scanning and avoid vulnerabilities.

    What was our ROI?

    The return on investment from using Semgrep is evident as I save time and money. For example, tasks that previously took days are completed in significantly less time, enabling faster business responses and improved profit margins.

    Which other solutions did I evaluate?

    I did not evaluate other options before choosing Semgrep. I found it through an online review and decided to try it based on that.

    What other advice do I have?

    My advice for others considering Semgrep is to adopt it, as it stands out in the open-source market and shows solid growth. You can trust it based on its innovative developments.

    I believe Semgrep will scale effectively with the rise of agentic AI and security needs, leading to broader adoption among companies. Sharing wins at open-source conferences will help demonstrate its potential impact.

    I rate this review an 8.

    reviewer2014131

    Benchmarking security testing has shaped our tool evaluations but still needs fewer false positives

    Reviewed on May 31, 2026
    Review provided by PeerSpot

    What is our primary use case?

    I have used Semgrep more as a testing and a POC tool. So, there is no consistent usage of Semgrep, but I have used the tool multiple times for POC purposes.

    As a DevSecOps Security Engineer, my main use case for Semgrep when I do use it for POCs or testing is to deal with SAST, secret scanning, and types of testing, white-box testing, AppSec, and those types of activities. Semgrep is a tool for that. Hence, when we perform POCs and try to understand what it is providing for such different types of scanning, Semgrep turns out to be useful in setting benchmarks.

    How has it helped my organization?

    Even if we mainly use Semgrep for POCs, it has positively impacted our organization. So when we are in the process of identifying new tools or trying to understand how to improve our existing tools, that is where Semgrep comes in handy.

    As a result of using Semgrep, it helped us compare tools more effectively. It helped us understand what the expected must-haves of a tool in this domain are. That way, other tools that were not even offering these were easily left out, because Semgrep is an open-source tool, and when we are trying to acquire paid tools, it is almost definite they should be offering capabilities at least that an open-source tool is offering.

    What is most valuable?

    Semgrep flourishes with the SAST, secret scanning, and Software Composition Analysis types of scanning. That is where Semgrep shines. With SCA, it helps find vulnerabilities, SAST weaknesses, and secrets. These are three existing services that are there in my enterprise, and we have other tools that perform the same. Semgrep, as I said, helps us benchmark that while running POCs.

    The Software Composition Analysis is the most valuable feature in Semgrep.

    What needs improvement?

    As we use Semgrep for secret scanning, I know it is an open-source tool. Oftentimes, that leads to the refinement of the engine, but oftentimes Semgrep ends up flagging a lot of false positive values. If the name of a variable or any text in the code has the word secret in it, then it flags it as a secret violation or as a secret finding, which may not be the case. It might just be a false positive. It might just be a variable called secret but may not contain a value that is actually secret information.

    Of course, there are a bunch of additions and improvements that can be done on Semgrep, but it is an open-source tool. I have at least used the open-source version of it. Of course, that comes only with the CLI. The UI and additional dashboarding and other details would definitely make the tool more user-friendly and more of a candidate to be implemented in an enterprise such as the one that I work for. I have not seen any other areas where Semgrep could be improved, aside from the false positives and dashboarding mentioned earlier.

    What do I think about the scalability of the solution?

    I give Semgrep a six out of 10 simply because there are other tools that are better than this out there. This is an open-source tool, so it absolutely does the job, but if you were to implement a tool such as this in an enterprise, this would probably not be scalable.

    What other advice do I have?

    My advice to others looking into using Semgrep is to keep in mind that this is an open-source tool. I gave Semgrep an overall rating of 6.5 out of 10.

    Nitish U.

    Accurate Results and a Polished UI from Semgrep

    Reviewed on Apr 13, 2026
    Review provided by G2

    What do you like best about the product?

    Accuracy, UI. Semgrep AI assistant. Semgrep SCA reachability matrix.

    What do you dislike about the product?

    Bugs, crashes. Frequent issues in PR scans.

    What problems is the product solving and how is that benefiting you?

    SAST, code review, supply chain issues.