Find bugs and reachable dependency vulnerabilities in code. Enforce your code standards on every commit.
Scan with Semgrep AppSec Platform
Deploy static application security testing (SAST), software composition analysis (SCA), and secrets scans from one platform.
Get started
Run your first Semgrep scan.
Deploy Semgrep
Deploy Semgrep to your organization quickly and at scale.
Triage and remediate
Triage and remediate findings; fine-tune guardrails for developers.
Write rules
Create custom rules to enforce your organization's coding standards.
Supported languages
Product | Languages |
---|---|
Semgrep Code | Generally available (GA): C and C++ • C# • Generic • Go • Java • JavaScript • JSON • Kotlin • Python • TypeScript • Ruby • Rust • JSX • PHP • Scala • Swift • Terraform. Beta: APEX • Elixir. Experimental: Bash • Cairo • Circom • Clojure • Dart • Dockerfile • Hack • HTML • Jsonnet • Julia • Lisp • Lua • Move on Aptos • Move on Sui • OCaml • R • Scheme • Solidity • YAML • XML |
Semgrep Supply Chain | Generally available reachability: C# • Go • Java • JavaScript and TypeScript • Kotlin • PHP • Python • Ruby • Scala • Swift. Languages without support for reachability analysis: Dart • Elixir • Rust |
Semgrep Secrets | Language-agnostic; can detect 630+ types of credentials or keys. |
See the Supported languages documentation for more details.
July 2025 release notes summary
- Support for running Semgrep natively on Windows is now in public beta. This applies to running Semgrep through the CLI and an IDE such as Cursor, VS Code, and IntelliJ.
- Supply Chain support for PHP reachability analysis is now generally available (GA).
- Beginning with Semgrep v1.127.0, uv is a supported package manager for Dependency Paths. This means that uv is a supported package manager across all Supply Chain features.
- You can now see which memories were used by Semgrep Assistant when it generated remediation guidance for a specific finding. Semgrep displays this information on the finding details page.
- Semgrep Secrets now makes up to three attempts when validating Amazon Web Services (AWS) credentials that failed due to possibly transient reasons.