Sold by: Semgrep, Inc.Â
Application Security Testing
Overview
Semgrep is a highly customizable application security platform built for security engineers and developers. Semgrep scans first and third-party code to find security issues unique to an organization, with an emphasis on surfacing actionable, low-noise, and developer friendly results at lightning speed.
Semgrep's focus on confidence rating and reachability means that security teams can feel comfortable engaging developers directly in their workflows (e.g surfacing findings in PR comments), and Semgrep integrates seamlessly with CI and SCM tooling to automate these policies.
With Semgrep, security teams can shift left and scale their programs with zero impact on developer velocity. With 3400+ out-of-the-box rules and the ability to easily create custom rules, Semgrep accelerates the time it takes to implement and scale a best-in-class AppSec program - all while adding value from Day 1.
Highlights
- Lightning fast code scanning that detects security vulnerabilities in 30+ languages with results prioritized for remediation
- Reachability analysis of known vulnerabilities in used 3rd party software components make results actionable for developers
- Easy-to-write custom rules to augment detection of security vulnerabilities, enforce coding standards, and improve code quality
Details
Sold by
Delivery method
Deployed on AWS
Unlock automation with AI agent solutions
Fast-track AI initiatives with agents, tools, and solutions from AWS Partners.
Features and programs
Financing for AWS Marketplace purchases
AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.
Pricing
Pricing is based on the duration and terms of your contract with the vendor, and additional usage. You pay upfront or in installments according to your contract terms with the vendor. This entitles you to a specified quantity of use for the contract duration. Usage-based pricing is in effect for overages or additional usage not covered in the contract. These charges are applied on top of the contract price. If you choose not to renew or replace your contract before the contract end date, access to your entitlements will expire.
Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.
Dimension | Description | Cost/12 months |
|---|---|---|
Code (SAST) | Pro Engine + Pro Rules + Cloud Platform | $480.00 |
Supply Chain (SCA) | Reachability + Dependency Search + License Compliance + Cloud Platform | $480.00 |
Secrets | Secrets Scanning | $720.00 |
Dimension | Cost/user/hour |
|---|---|
Additional SAST Users | $0.05 |
Additional SCA Users | $0.05 |
Additional Secrets Users | $0.08 |
Vendor refund policy
No refunds
Legal
Vendor terms and conditions
Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA)Â .
Content disclaimer
Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.
Delivery details
Software as a Service (SaaS)
SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.
Support
Vendor support
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Updated weekly
By Semgrep, Inc.
By Checkmarx
By Mend.io
Top
25
In Continuous Integration and Continuous Delivery
Top
10
In Testing
Top
25
In Generative AI
Sentiment is AI generated from actual customer reviews on AWS and G2
Functionality
Ease of use
Customer service
Cost effectiveness
Positive reviews
Mixed reviews
Negative reviews
AI generated from product descriptions
Code Analysis
"Static code scanning capability across 30+ programming languages with comprehensive vulnerability detection"
Vulnerability Detection
"Reachability analysis of known vulnerabilities in third-party software components with prioritized remediation"
Rule Customization
"Extensible rule creation mechanism for detecting security vulnerabilities and enforcing coding standards"
Security Integration
"Seamless integration with continuous integration and source code management toolchains"
Multi-Language Support
"Native scanning capabilities supporting multiple programming languages with consistent analysis approach"
Static Application Security Testing
Flexible solution capable of identifying vulnerabilities across 25+ programming languages and frameworks
Software Composition Analysis
Comprehensive scanning of open source software and third-party libraries to identify and prioritize potential vulnerabilities and license risks
Infrastructure as Code Analysis
Detection of security misconfigurations in infrastructure templates to prevent potential deployment errors and security risks
Multi-Scan Integration
Single event trigger for simultaneous scanning of source code, dependencies, and infrastructure templates with centralized result aggregation
Vulnerability Detection Mechanism
Advanced scanning of uncompiled code with targeted re-scanning of new or modified code segments for efficient threat identification
Static Code Analysis
AI-powered static code analysis with rapid scanning at code generation and deep repository-level analysis
Open Source Security
Comprehensive open source security coverage with detection, prioritization, and automated remediation capabilities
Container Security
End-to-end container security including image scanning, reachability analysis, secret detection, and Kubernetes integration
AI Component Governance
Comprehensive inventory, risk insights, policy enforcement, and threat simulation for AI components and models
Dependency Management
Automated dependency updates and vulnerability reduction across distributed development environments
Standard contract
No
No
No
Customer reviews
0 ratings
0 AWS reviews
|
32 external reviews
Star ratings include only reviews from verified AWS customers. External reviews can also include a star rating, but star ratings from external reviews are not averaged in with the AWS customer star ratings.
Computer Software
An easy to use and fun to customize SAST tool
Reviewed on Dec 04, 2024
Review provided by G2
What do you like best about the product?
That the SAST engine returns a very small number of false positives. And the rules are fun to write. I also like the reachability analysis of the supply chain tool so you don't get overwhelmed by false positives
What do you dislike about the product?
There is no export report feature. Moreover it would be useful a toggle to tell the supply chain tool to report all the vulnerable dependencies, regardless of their reachability.
What problems is the product solving and how is that benefiting you?
Helping to build secure products by writing more secure code
Computer & Network Security
Semgrep experience
Reviewed on Dec 04, 2024
Review provided by G2
What do you like best about the product?
The easy customisation, custom rule creation and fast feedback for devs
What do you dislike about the product?
More products like IaC scanning or DAST, I would love to have full capabilities to scan apps
What problems is the product solving and how is that benefiting you?
Shifting left vulnerabilities
Henry Mwawai
Automated code reviews and good scalability with custom rule adaptability
Reviewed on Sep 23, 2024
Review provided by PeerSpot
">
What is our primary use case?
We use Semgrep  to check custom user pipelines and test their claims for any vulnerabilities. We process the code by passing it through the testing process for any operability issues before sending feedback to the developers and providing the final product. This is part of the static testing analysis of code analysis.
How has it helped my organization?
Semgrep has supported our team in automating code reviews and allowed us to catch vulnerabilities before the final product stage. This has improved both our development cost and development speed.
What is most valuable?
The most valuable feature is the ability to write our custom rules. This adaptability allows us to cater specifically to our needs.
What needs improvement?
There should be more information on how to acquire the system, catering to beginners in application security, to make it more user-friendly.
For how long have I used the solution?
My experience with Semgrep is very recent since we started integrating it into our processes.
What do I think about the stability of the solution?
There haven't been any severe stability issues from my end.
What do I think about the scalability of the solution?
We have not faced any scalability issues. Since we are a team of only two users, Semgrep scales well for our current requirements.
How are customer service and support?
There was some difficulty in hearing the questions due to static noise, implying potential issues with communication or support on the call. However, rejoining the call resolved the problem.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We did not switch from another product to Semgrep.
How was the initial setup?
The initial setup was straightforward, involving connecting the digital product to Semgrep. I am mainly involved in the usage aspect, and thus, I provided information from my perspective.
What about the implementation team?
We handled the setup internally within our team, and I particularly addressed it.
What was our ROI?
Semgrep has positively impacted our ROI by improving development speed and cost efficiency.
What other advice do I have?
I'd rate the solution eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Shivam J.
Perfect code security analysis tool to check and eliminate vulnerabilities
Reviewed on Feb 20, 2024
Review provided by G2
What do you like best about the product?
The sast engine and the wholesome dashboard makes everything looks great and crisp
What do you dislike about the product?
I am not satisfied with the accuracy of the integration tools with it
What problems is the product solving and how is that benefiting you?
Making it easy to go shift left in security and in supply chain management security
Abhineet S.
Just a right way to test and catch your code vulnerability
Reviewed on Feb 20, 2024
Review provided by G2
What do you like best about the product?
I like the SAST engine, it is powerful and capable alongwith less % of false positives. Apart from it, the pro and lot other built rules make it easy to integrate with any DevSecOps process.
What do you dislike about the product?
Currently the newer offering like SEMGREP AI and secrets manager does not add up perfectly
What problems is the product solving and how is that benefiting you?
It is catching the essential, critical and tainted in nature vulnerabilities in day to day code making it is good way to follow shift left practices.