Semgrep docs

Deploy static application security testing (SAST), software composition analysis (SCA), and secrets scans from one platform.

Run your first Semgrep scan.

Deploy Semgrep to your organization quickly and at scale.

Triage and remediate findings; fine-tune guardrails for developers.

Enforce your organization’s coding standards with custom rules.

Product	Languages
Semgrep Code	Generally available (GA) C and C++ • C# • Generic • Go • Java • JavaScript • JSON • Kotlin • Python • TypeScript • Ruby • Rust • JSX • PHP • Scala • Swift • Terraform Beta APEX • Elixir Experimental Bash • Cairo • Circom • Clojure • Dart • Dockerfile • Hack • HTML • Jsonnet • Julia • Lisp • Lua • Move on Aptos • Move on Sui • OCaml• R • Scheme • Solidity • YAML • XML
Semgrep Supply Chain	Generally available reachability C# • Go • Java • JavaScript and TypeScript • Kotlin • PHP • Python • Ruby • Scala • Swift Languages without support for reachability analysis Dart • Elixir • Rust
Semgrep Secrets	Language-agnostic; can detect 630+ types of credentials or keys.

See the Supported languages documentation for more details.

The Semgrep Jira integration now automatically creates Jira tickets for Semgrep Code and Semgrep Secrets findings with a critical severity level.
Added the semgrep mcp subcommand to the Semgrep CLI tool, which runs the Semgrep MCP server.
Improved pre-filtering for taint rules, primarily when taint labels are used.
Supply Chain's reachability analysis now covers all high severity CVEs from supported sources starting from 2017 for JavaScript packages.
Slack notifications for Semgrep Secrets is now generally available.

Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.