Semgrep Static Analysis
github.com
Semgrep is a fast, open-source static analysis tool for finding bugs, detecting vulnerabilities, and enforcing code standards across many programming languages. It was developed by r2c (now Semgrep Inc.) and created by Yoann Padioleau and Brendon Go in 2019, and has over 11,000 GitHub stars as of 2026.

Key features:

Multi-language support: analyzes Python, JavaScript, TypeScript, Go, Java, Ruby, C, C++, PHP, Swift, Kotlin, Scala, Rust, OCaml, Lua, YAML, JSON, and Dockerfiles.

Pattern-based matching: rules are written in a pattern language that looks like the target language itself (a rule for Python is essentially Python with metavariables such as $X and the ... ellipsis), so developers can write custom rules without learning a separate query language.

Low-false-positive design: by default Semgrep matches syntactic patterns rather than running whole-program dataflow analysis, which generally yields fewer false positives than traditional SAST tools; taint-tracking (dataflow) rules are available when a finding should depend on where data comes from and where it goes. A syntactic match cannot prove a finding reachable, so how broadly a rule is written still decides its precision and recall.

Rule ecosystem: over 3,000 community-maintained rules in the Semgrep Registry covering security (including the OWASP Top 10), code quality, and best practices.

Custom rules: written in YAML, combining metavariables, pattern-either, pattern-inside, pattern-not, and metavariable-pattern into compound matching logic.

CI/CD integration: GitHub Actions, GitLab CI, Bitbucket Pipelines, Jenkins, CircleCI, and pre-commit hooks, so findings surface before code is merged (shift-left).

Semgrep CI: managed scanning (`semgrep ci` reporting to a hosted findings dashboard) with pull request comments and suppression tracking for monitoring security posture across repositories.

Autofix: a rule can carry a fix that Semgrep applies with --autofix or offers as a one-click remediation suggestion in pull requests.

Supply chain security: Semgrep Supply Chain detects vulnerable dependencies and uses reachability analysis (does the code actually call the vulnerable function?) to prioritize the vulnerabilities that are actually exploitable.

Secrets detection: Semgrep Secrets finds hardcoded credentials, API keys, and tokens using pattern matching and entropy analysis.
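As an added example of the custom-rule constructs listed above (this rule file is written for this page and is not part of Semgrep or its registry; the rule ids, the message text and the exact set of matched formatting constructs are my choices), the following two rules show pattern-inside, pattern-either, nested patterns, metavariable-regex, metavariable-pattern, pattern-not, and an autofix. The first rule flags a shell command that is assembled by string formatting inside a Flask view function and handed to subprocess with shell=True or to os.system; the second flags yaml.load() without a SafeLoader and rewrites it to yaml.safe_load().

```yaml
rules:
  - id: flask-shell-command-built-from-string   # hypothetical rule id
    languages: [python]
    severity: ERROR
    metadata:
      category: security
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"
    message: >-
      A shell command in the Flask view `$HANDLER` is built by string
      formatting and then executed through a shell. Any value interpolated
      into it, including request data, is interpreted by the shell as
      metacharacters. Pass an argument list without shell=True, or validate
      the interpolated value against an allow-list.
    patterns:
      # Only report code that sits inside a Flask route handler.
      - pattern-inside: |
          @$APP.route(...)
          def $HANDLER(...):
            ...
      # Either a subprocess entry point with shell=True, or os.system.
      - pattern-either:
          - patterns:
              - pattern: subprocess.$FUNC($CMD, ..., shell=True, ...)
              # Restrict $FUNC to the entry points that take a command string.
              - metavariable-regex:
                  metavariable: $FUNC
                  regex: '^(run|call|check_call|check_output|Popen)$'
          - pattern: os.system($CMD)
      # Require that the command itself is assembled at runtime; a plain
      # string literal such as os.system("ls") does not match.
      - metavariable-pattern:
          metavariable: $CMD
          pattern-either:
            - pattern: 'f"..."'
            - pattern: '"..." % $ARGS'
            - pattern: '"...".format(...)'
            - pattern: '"...".join(...)'
            - pattern: '$LEFT + $RIGHT'

  - id: python-yaml-unsafe-load   # hypothetical rule id
    languages: [python]
    severity: WARNING
    metadata:
      category: security
      cwe: "CWE-502: Deserialization of Untrusted Data"
    message: >-
      yaml.load() without a SafeLoader can instantiate arbitrary Python
      objects from the document. Use yaml.safe_load() instead.
    patterns:
      - pattern: yaml.load($DATA, ...)
      # Exclude the safe loaders; everything else (no Loader, yaml.Loader,
      # yaml.FullLoader, yaml.UnsafeLoader, ...) is reported.
      - pattern-not: yaml.load($DATA, yaml.SafeLoader)
      - pattern-not: yaml.load($DATA, Loader=yaml.SafeLoader)
      - pattern-not: yaml.load($DATA, yaml.CSafeLoader)
      - pattern-not: yaml.load($DATA, Loader=yaml.CSafeLoader)
    # Autofix: the whole matched call is replaced, reusing the bound $DATA.
    fix: yaml.safe_load($DATA)
```

Run it with `semgrep --config rules.yml target.py` (add `--autofix` to apply the second rule's fix in place). With a Flask view that calls `subprocess.run(f"ping -c 1 {host}", shell=True)` the first rule fires; the same view calling `subprocess.run(["ping", "-c", "1", host])` is not matched at all, because shell=True is absent, and `os.system("ls")` is rejected by the metavariable-pattern because its command is a literal. Keeping the metavariable-regex inside the subprocess branch matters: in the os.system branch $FUNC is never bound, so a top-level regex filter on it would have nothing to check. To keep rules honest as they evolve, put positive and negative cases in a sibling test file annotated with `# ruleid:` and `# ok:` comments and run `semgrep --test`.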
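For the CI/CD integration described above, here is an added GitHub Actions workflow (written for this page, not taken from Semgrep's own documentation) that runs Semgrep on every pull request and on pushes to main, fails the job on findings, and uploads a SARIF report so findings also appear in the repository's code-scanning view. It assumes the repository keeps its own rules in a `.semgrep/` directory; that path and the workflow name are my choices.

```yaml
name: semgrep

on:
  pull_request: {}
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write   # needed by the SARIF upload step

jobs:
  semgrep:
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep   # official image; the CLI is preinstalled
    steps:
      - uses: actions/checkout@v4

      # p/default is a Semgrep Registry ruleset; .semgrep/ holds the repo's
      # own rules (assumed path). --error makes the step fail when there are
      # blocking findings, so the PR check turns red.
      - name: Scan
        run: >-
          semgrep scan
          --config p/default
          --config .semgrep/
          --sarif --output semgrep.sarif
          --error

      # if: always() so the report is uploaded even when the scan failed
      # the job because it found something.
      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: semgrep.sarif
```

To use the managed Semgrep CI offering instead (findings dashboard, PR comments, suppression tracking), replace the scan step with `run: semgrep ci` and supply a `SEMGREP_APP_TOKEN` secret through the step's `env:`; the rule configuration is then managed centrally rather than passed on the command line. For the pre-commit hook variant, the same `semgrep scan --config ...` invocation can run on staged files before each commit.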