Docs home | Semgrep
Find bugs and reachable dependency vulnerabilities in code. Enforce your code standards on every commit.
Scan with Semgrep AppSec Platform
Deploy static application security testing (SAST), software composition analysis (SCA), and secrets scans from one platform.
Supported languages
| Product | Languages |
|---|---|
| Semgrep Code | Generally available (GA) C and C++ • C# • Generic • Go • Java • JavaScript • JSON • Kotlin • Python • TypeScript • Ruby • Rust • JSX • PHP • Scala • Swift • Terraform Beta Experimental |
| Semgrep Supply Chain | Generally available reachability C# • Go • Java • JavaScript and TypeScript • Kotlin • PHP • Python • Ruby • Scala • Swift Languages without support for reachability analysis |
| Semgrep Secrets | Language-agnostic; can detect 630+ types of credentials or keys. |
See the Supported languages documentation for more details.
February 2026 release notes summary
- MCP:
  - Hooks for both Claude Code and Cursor now pull custom rules from the Semgrep Registry.
  - Enabled DNS rebinding protection for the MCP server.
- Improved the accuracy of taint tracking through assignments, which helps reduce the number of false positive findings.
- Added support for case-insensitive string comparisons using `lower()` and `upper()`:

  ```yaml
  - metavariable-comparison:
      metavariable: $VALUE
      comparison: upper(str($VALUE)) == "SEMGREP"
  ```
- You can now pass environment variables to third-party package managers using `SEMGREP_LOCAL_BUILD_ENV`, which accepts a JSON object, as part of the dependency resolution process invoked by `--allow-local-builds`.
- The feedback dialog for Assistant auto-triage now allows you to provide comments in addition to selecting whether you agree or disagree with the recommendation.
- Documentation updates and additions: