Semgrep is a fast, open-source, static analysis engine for finding bugs, detecting dependency vulnerabilities, and enforcing code standards. With 2,000+ built-in rules and easy-to-create custom ones, it finds the bugs that matter.

• Open source engine, works on 25+ languages
• Scan with 2,000+ community rules
• Write rules that look like your code
• Quickly get results in the terminal, editor, or CI/CD
• Flag issues and get results in pull requests, Slack, + more

This GitHub App allows you to get Semgrep results as PR comments, add Semgrep to your projects with one-click, and manage rules and results across multiple projects from one centralized place. Learn more at semgrep.dev.

Semgrep is supported by Semgrep, Inc. It is an evolution of pfff, which began at Facebook in 2009, which itself was an evolution of the Linux refactoring tool Coccinelle.