Semgrep Docs

Get started

Run your first Semgrep scan.

Deploy Semgrep

Deploy Semgrep to your organization quickly and at scale.

Triage and remediate

Triage and remediate findings; fine-tune guardrails for developers.

Write rules

Enforce your organization’s coding standards with custom rules.

Supported languages

Product	Languages
Semgrep Code	Generally available (GA) C and C++ • C# • Generic • Go • Java • JavaScript • JSON • Kotlin • Python • TypeScript • Ruby • Rust • JSX • PHP • Scala • Swift • Terraform Beta APEX • Elixir Experimental Bash • Cairo • Circom • Clojure • Dart • Dockerfile • Hack • HTML • Jsonnet • Julia • Lisp • Lua • Move on Aptos • Move on Sui • OCaml • R • Scheme • Solidity • YAML • XML
Semgrep Supply Chain	Generally available reachability C# • Go • Java • JavaScript and TypeScript • Kotlin • PHP • Python • Ruby • Rust • Scala • Swift Languages without support for reachability analysis Dart • Elixir
Semgrep Secrets	Language-agnostic; can detect 630+ types of credentials or keys.

Product

Languages

Semgrep Code

Generally available (GA)
C and C++ • C# • Generic • Go • Java • JavaScript • JSON • Kotlin • Python • TypeScript • Ruby • Rust • JSX • PHP • Scala • Swift • Terraform

Beta
APEX • Elixir

Experimental
Bash • Cairo • Circom • Clojure • Dart • Dockerfile • Hack • HTML • Jsonnet • Julia • Lisp • Lua • Move on Aptos • Move on Sui • OCaml • R • Scheme • Solidity • YAML • XML

Semgrep Supply Chain

Generally available reachability
C# • Go • Java • JavaScript and TypeScript • Kotlin • PHP • Python • Ruby • Rust • Scala • Swift

Languages without support for reachability analysis
Dart • Elixir

Semgrep Secrets

Language-agnostic; can detect 630+ types of credentials or keys.

May 2026 release notes summary

Semgrep AppSec Platform’s Usage & billing page now allows you to download a report listing all contributors who have made commits in the last 90 days, as well as contributor identities, last contribution timestamp, and associated repository URL. This page also displays an alert if you exceed your contributor seat limit.

Autofix pull requests now post the email of the user who initiated the pull request.

Added indexes to file targeting to improve the performance of semgrepignore matching.

Improved support for taint tracking through nested functions.

Improved the parsing speed of JSON rules through the use of a new parser.

Dynamic Dependency Resolution is now in public beta for Java and Kotlin. With Dynamic Dependency Resolution, Supply Chain can now accurately inventory dependencies in projects without lockfiles or with incomplete lockfiles.