Pricing type: Free
Static analysis at ludicrous speed.


Semgrep is a highly configurable SAST tool that matches rules against the program's abstract syntax tree rather than its raw text, so a rule written in the target language's own syntax (with metavariables such as $X and the ... ellipsis for anything in between) matches a construct regardless of whitespace, comments, or local variable names. It runs locally (installed via pip or Homebrew, or from the official Docker image) or inside a CI/CD pipeline such as GitHub Actions. Output is plain text by default; the --json flag (optionally with --output to write to a file) emits results as JSON that can be piped into other tools such as jq for filtering and triage, and --sarif produces SARIF for upload to code-scanning dashboards.

Related tools (Security Testing)

Static code analyzer for Infrastructure as Code

Scan git repos (or files) for secrets using regex and entropy 🔑

Identify vulnerabilities in running containers, images, hosts and repositories

A collection of awesome penetration testing and offensive cybersecurity resources.