Semgrep scans code for security vulnerabilities, bugs, and policy violations using pattern-matching rules. The rules themselves are YAML, but the patterns inside them are written to look like the source code they match (a snippet in the target language with metavariables such as `$X` and `...` ellipses), so a rule reads like the code it is meant to find. Its 3,000+ open-source rules cover OWASP Top 10 and supply chain risks across 30+ languages.
Semgrep is recognized as a capable security scanning tool but criticized for generating excessive noise and false positives that bury the findings worth acting on. Users appreciate its capabilities but struggle with alert fatigue and with integrating it alongside several other scanners in the same pipeline.
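The following is an added example, not a rule from the Semgrep registry or from the page, showing both points above in one place: how a Semgrep rule is written as a code-like pattern, and how refining that pattern is the usual way to cut the noise users complain about. The rule ids, messages and the target snippets mentioned here are hypothetical. Run against a Python file containing `subprocess.run("ls -la", shell=True)` and `subprocess.run("ls " + user_dir, shell=True)`, the first rule reports both calls, while the second reports only the one whose command is built from non-literal data.

```yaml
# Two versions of one Semgrep rule, side by side, to show how pattern
# refinement reduces false positives. Added example; the rule ids, messages
# and referenced target snippets are hypothetical, not from the Semgrep registry.
rules:
  # Version 1: noisy. Reports every subprocess call with shell=True,
  # including hard-coded commands that carry no injection risk.
  - id: noisy-subprocess-shell-true
    languages: [python]
    severity: WARNING
    message: subprocess.$FUNC is called with shell=True
    # $FUNC is a metavariable (matches run, call, Popen, ...); each "..." stands
    # for any other arguments before or after the one we care about.
    pattern: subprocess.$FUNC(..., shell=True, ...)

  # Version 2: tightened. Same base pattern, but pattern-not removes matches
  # whose command argument is a plain string literal ("..." as a pattern
  # matches any string literal), so only commands assembled from other data
  # are reported. The remaining findings are the ones worth a human's time.
  - id: subprocess-shell-true-nonliteral-command
    languages: [python]
    severity: WARNING
    message: >-
      subprocess.$FUNC is invoked with shell=True and a command that is not a
      string literal; if any part of it comes from user input this is OS
      command injection. Pass an argument list with shell=False instead.
    metadata:
      category: security
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"
      confidence: MEDIUM
    patterns:
      - pattern: subprocess.$FUNC(..., shell=True, ...)
      - pattern-not: subprocess.$FUNC("...", shell=True, ...)
```

The second rule still misses cases a taint-mode rule would catch (for example a literal that is later concatenated with input in a separate statement), so tightening a pattern trades a little recall for a large drop in noise; which side of that trade is right depends on how the findings are triaged.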
“Semgrep for security, Dependabot for deps, Snyk for vulnerabilities... we're running 7 and I'm losing it”
Reddit · Analyzed from community discussions on reddit.com · May 2026