Skip to main content

Supported languages

This document provides information about supported languages and language maturity definitions for the following products:

  • Semgrep Code
  • Semgrep OSS
  • Semgrep Supply Chain

Semgrep Code and OSS

Semgrep OSS is a fast, lightweight program analysis tool that can help you detect security issues in your code. It makes use of Semgrep's LGPL 2.1 open source engine.

Semgrep Code is a static application security testing (SAST) solution that makes use of proprietary Semgrep analyses, such as cross-file (interfile) and cross-function (intrafile) data flow, in addition to Semgrep OSS. This results in a higher true positive rate than Semgrep OSS.

Use either tool to scan local code or integrate it into your CI/CD pipeline to automate the continuous scanning of your repositories.

ProductAnalysis
Semgrep OSS
  • Single-function analysis
  • Single-file analysis
Semgrep Code
  • All analyses in the OSS Engine
  • Cross-file (interfile) analysis
  • Cross-function (interprocedural) analysis

Language maturity levels

Semgrep Code languages can be classified into four maturity levels:

  • Generally available (GA)
  • Beta
  • Experimental
  • Community supported*

*Community supported languages meet the parse rate and syntax requirements of Experimental languages. Users can still access community rules or write their own rules.

Their differences are outlined in the following table:

FeatureGABetaExperimentalCommunity supported
Parse Rate99%+95%+90%+
Number of rules10+5+0+. Query the Registry to see if any rules exist for your language.
Semgrep syntaxRegex, equivalence, deep expression operators, types and typing. All features supported in Beta.Complete metavariable support, metavariable equality. All features supported in Experimental.Syntax, ellipsis operator, basic metavariable functionality.
SupportHighest quality support by the Semgrep team. Reported issues are resolved promptly.Supported by the Semgrep team. Reported issues are fixed after GA languages.There are limitations to this language's functionality. Reported issues are tracked and prioritized with best effort.These languages are supported by the Semgrep community. While Semgrep may develop rules or engine updates for these languages, they are not prioritized.

Semgrep Code language support

Semgrep Code supports over 30 languages and counting! 🚀

LanguageMaturity levelCross-function analysisCross-file analysis
CGA
C++GA
C#GA
GoGA
JavaGA
JavaScriptGA
KotlinGA
PythonGA
TypeScriptGA
RubyGA--
RustGA--
JSXGA--
PHPGA--
ScalaGA--
SwiftGA--
GenericGA----
JSONGA----
TerraformGA----
ApexBeta--
ElixirBeta--

The following languages are Experimental:

  • Bash
  • Cairo
  • Clojure
  • Dart
  • Dockerfile
  • Hack
  • HTML
  • Jsonnet
  • Julia
  • Lisp
  • Lua
  • Ocaml
  • R
  • Scheme
  • Solidity
  • YAML
  • XML

If you'd like to request a language not shown here, please create an issue on the Semgrep GitHub repo.

Semgrep OSS language support

All Semgrep OSS languages are community supported. Community supported languages must meet the parse rate and syntax requirements of experimental support in Semgrep Code to be listed here. Semgrep OSS uses Semgrep's open source engine.

Community supported languages have varying levels of rule coverage - view the registry and filter out Pro rules to see the level of coverage for OSS.

Click to view Semgrep OSS languages.
  • Bash
  • C
  • C++
  • C#
  • Cairo
  • Clojure
  • Dart
  • Dockerfile
  • JavaScript
  • JSON
  • Jsonnet
  • Julia
  • Lisp
  • Lua
  • Kotlin
  • Ruby
  • Rust
  • JSX
  • OCaml
  • PHP
  • Python
  • R
  • Scala
  • Scheme
  • Solidity
  • Swift
  • TypeScript
  • YAML
  • XML

More information

Visit the cheat sheet generation script and associated semgrep-core test files to learn more about each feature:

Visit the Semgrep public language dashboard to see the parse rates for each language

Semgrep Supply Chain

Semgrep Supply Chain is a software composition analysis (SCA) tool that detects security vulnerabilities in your codebase introduced by open source dependencies. It can also:

  • Generate a software bill of materials (SBOM) that provides a complete inventory of your open source components
  • Query for information about your dependencies
  • Support the enforcement of your business' open source package licensing requirements

Semgrep Supply Chain parses lockfiles for dependencies, then scans your codebase for reachable findings based on the lockfiles. Some languages, such as Java, have several lockfiles, depending on your repository's package manager. For some languages, such as JavaScript and Python, a manifest file is also parsed to determine transitivity.

LanguageSupported package managersLockfileReachability support level‡License detection supportTime period of reachability rule coverage for CVEs/GHSAs
C#NuGetpackages.lock.jsonGASince May 2022
GoGo modules (go mod)go.modGA
JavaGradlegradle.lockfileGA
MavenMaven-generated dependency tree (See Setting up SSC scans for Apache Maven for instructions.)GA
JavaScript or TypeScriptnpm (Node.js)package-lock.jsonGA
Yarn, Yarn 2, Yarn 3yarn.lockGA--
pnpmpnpm-lock.yamlGA--
Pythonpiprequirements.txt†† (generated by pip freeze for example)GA✅ (PyPI packages only)
pip-toolsrequirements.txtGA
PipenvPipfile.lockGA
Poetrypoetry.lockGA
RubyRubyGemsGemfile.lockGA
RustCargo§cargo.lockLockfile-onlyNot applicable due to reachability support level
DartPubpubspec.lockLockfile-only--
ElixirHexmix.lockLockfile-only--
KotlinGradlegradle.lockfile§Lockfile-only--
MavenMaven-generated dependency tree (See Setting up SSC scans for Apache Maven for instructions.)Lockfile-only--
PHPComposercomposer.lockLockfile-only--
ScalaMavenMaven-generated dependency tree (See Setting up SSC scans for Apache Maven for instructions.)Lockfile-only--
SwiftSwiftPMPackage.swift file and Swift-generated Package.resolved file. (See Swift documentation for instructions.)Lockfile-only--

*Semgrep Supply Chain scans transitive dependencies for all supported languages but does not perform reachability analysis on transitive dependencies.
‡Reachability support level refers to the level of support for reachability analysis for the language. At the minimum, Semgrep Supply Chain uses lockfile-only rules, which compare a package's version against versions with known vulnerabilities.
**††**Semgrep Supply Chain supports requirements.txt when it is used as a lockfile. This means that requirements.txt must be set to exact versions (pinned dependencies) and the file must be generated automatically.
§ Supply Chain does not analyze the transitivity of packages for these language or lockfile combinations. All dependencies are listed as Unknown transitivity.

info

Semgrep ingests CVE information and security advisories from sources such as Reviewed GitHub Security Advisories to ensure effective rule coverage. Semgrep processes new information at least once per day to:

  • Generate rules for new security advisories;
  • Update rules based on changes to existing security advisories.
Transitivity support

For more information on transitivity, see Transitive dependencies and reachability analysis.

Maturity levels

Semgrep Supply Chain has two maturity levels:

  • General Availability (GA)
  • Beta

Their differences are outlined in the following table:

FeatureGABeta
Number of reachability rules10+1+
Semgrep, Inc. rule-writing supportQuickly release new rules for all critical and high vulnerabilities based on the latest security advisories.No commitment for new rules based on the latest security advisories.
Semgrep OSS Engine language supportSemgrep OSS Engine support is GA.Semgrep OSS Engine support is at least Beta.
Feature and product maturity levels
  • The detailed specifications previously provided apply only to language support. Language maturity levels differ from feature and product maturity levels.
  • Semgrep features and products documented as experimental, beta, or GA generally follow the definitions in a Software release life cycle.

Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.