Semgrep, Inc. (formerly r2c[3]) is a cybersecurity company based in San Francisco. The company develops the Semgrep AppSec Platform (a commercial offering for SAST, SCA, and secrets scanning) and actively maintains the open-sourcestatic code analysis tool semgrep OSS.
Semgrep has stable support for over 30 languages including C#, C, C++, Go, Java, JavaScript, JSON, Python, PHP, Ruby, and Scala. Language support on semgrep OSS is community driven and does not support interprocedural or interfile analysis.[4]
The name is a combination of semantic and grep, referring to semgrep being a text search command-line utility that is aware of source code semantics.[5]
Services
Semgrep, Inc. provides a continuous integration service (called Semgrep CI), rule-writing tools (called the Semgrep Playground and editor), and a rule library (called Semgrep Registry) free of charge for both commercial and open source users.[6]
Semgrep rules are similar to source code and do not require knowledge of a domain specific language to write. Both open source and commercial rules can be forked and customized to a user's codebase, however only commercial users are able to customize commercial rules. All users are free to fork and modify open source (community) rules.[7]
History
Semgrep was based on sgrep, an open source part of pfff, a program analysis library developed at Facebook in 2009. Pfff was inspired by Coccinelle, an open-source utility for programs written in C. Yoann Padioleau, the original author of sgrep and a contributor to Coccinelle, joined r2c in 2019.[8][9][10]sgrep was forked from pfff by r2c, and in 2020 the sgrep fork was renamed semgrep to avoid name collisions with existing projects.[11][12][13]
Redpoint Ventures and Sequoia Capital backed r2c in an unannounced seed round and later funded a $13 million Series A round in 2020. The company's product portfolio consisted only of Semgrep OSS and its ecosystem at the time.[14][15]
Semgrep, Inc. announced in 2023 that it had raised a $53 million Series C funding round with Lightspeed Venture Partners leading the investment and participation from previous investors Felicis Ventures, Redpoint Ventures, and Sequoia Capital. The company has raised a total of $93 million, including their Series C financing.[3]
The Open Web Application Security Project (OWASP) listed Semgrep in its source code analysis tools list.[16] As of 2023 April, Semgrep has 132 contributors and over 9000 stars on GitHub.[17] From Docker Hub the Docker image has been pulled more than 60 million times.[18]
Usage
Semgrep can be installed with Homebrew[19] or pip.[20] Additionally it can run without installation on Docker. Analysis can be done without the need of custom configuration, and by utilizing rulesets created by Semgrep Inc. and open source contributors. The tool also allows users to write their own patterns and rules through the CLI using a pattern language unique to semgrep. A free online rule editor and a tutorial are also available.[21][22]