Semgrep docs

Deploy static application security testing (SAST), software composition analysis (SCA), and secrets scans from one platform.

Run your first Semgrep scan.

Deploy Semgrep to your organization quickly and at scale.

Triage and remediate findings; fine-tune guardrails for developers.

Enforce your organization’s coding standards with custom rules.

Product	Languages
Semgrep Code	Generally available (GA) C and C++ • C# • Generic • Go • Java • JavaScript • JSON • Kotlin • Python • TypeScript • Ruby • Rust • JSX • PHP • Scala • Swift • Terraform Beta APEX • Elixir Experimental Bash • Cairo • Circom • Clojure • Dart • Dockerfile • Hack • HTML • Jsonnet • Julia • Lisp • Lua • Move on Aptos • Move on Sui • OCaml• R • Scheme • Solidity • YAML • XML
Semgrep Supply Chain	Generally available reachability C# • Go • Java • JavaScript and TypeScript • Kotlin • PHP • Python • Ruby • Scala • Swift Languages without support for reachability analysis Dart • Elixir • Rust
Semgrep Secrets	Language-agnostic; can detect 630+ types of credentials or keys.

See the Supported languages documentation for more details.

Semgrep's AI-powered detection is now available in beta. With AI-powered detection, you can automatically identify complex business logic flaws, such as insecure direct object references (IDORs) and broken authorization.
Click to Fix is renamed Autofix (beta) with AI-generated PRs for Code and Supply Chain.
Semgrep Workflows (beta) is a new framework to automate code security pipelines across Code, Supply Chain, Secrets, and Multimodal. See Workflows.
Semgrep Assistant is renamed Semgrep Multimodal to better reflect all its AI-powered capabilities.
Semgrep is available as a Cursor and Claude Code plugin for scanning as files change.

Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.