Sold by: Semgrep, Inc.Â
Overview
Semgrep is a highly customizable application security platform built for security engineers and developers. Semgrep scans first and third-party code to find security issues unique to an organization, with an emphasis on surfacing actionable, low-noise, and developer friendly results at lightning speed.
Semgrep's focus on confidence rating and reachability means that security teams can feel comfortable engaging developers directly in their workflows (e.g surfacing findings in PR comments), and Semgrep integrates seamlessly with CI and SCM tooling to automate these policies.
With Semgrep, security teams can shift left and scale their programs with zero impact on developer velocity. With 3400+ out-of-the-box rules and the ability to easily create custom rules, Semgrep accelerates the time it takes to implement and scale a best-in-class AppSec program - all while adding value from Day 1.
Highlights
- Lightning fast code scanning that detects security vulnerabilities in 30+ languages with results prioritized for remediation
- Reachability analysis of known vulnerabilities in used 3rd party software components make results actionable for developers
- Easy-to-write custom rules to augment detection of security vulnerabilities, enforce coding standards, and improve code quality
Details
Sold by
Delivery method
Deployed on AWS
Unlock automation with AI agent solutions
Fast-track AI initiatives with agents, tools, and solutions from AWS Partners.
Features and programs
Financing for AWS Marketplace purchases
AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.
Pricing
Pricing is based on the duration and terms of your contract with the vendor, and additional usage. You pay upfront or in installments according to your contract terms with the vendor. This entitles you to a specified quantity of use for the contract duration. Usage-based pricing is in effect for overages or additional usage not covered in the contract. These charges are applied on top of the contract price. If you choose not to renew or replace your contract before the contract end date, access to your entitlements will expire.
Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.
Dimension | Description | Cost/12 months |
|---|---|---|
Code (SAST) | Pro Engine + Pro Rules + Cloud Platform | $480.00 |
Supply Chain (SCA) | Reachability + Dependency Search + License Compliance + Cloud Platform | $480.00 |
Secrets | Secrets Scanning | $720.00 |
Dimension | Cost/user/hour |
|---|---|
Additional SAST Users | $0.05 |
Additional SCA Users | $0.05 |
Additional Secrets Users | $0.08 |
Vendor refund policy
No refunds
Legal
Vendor terms and conditions
Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA)Â .
Content disclaimer
Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.
Delivery details
Software as a Service (SaaS)
SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.
Support
Vendor support
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Updated weekly
By Semgrep, Inc.
By Checkmarx
By Mend.io
Top
25
In Continuous Integration and Continuous Delivery
Top
10
In Testing
Top
25
In Generative AI
Sentiment is AI generated from actual customer reviews on AWS and G2
Functionality
Ease of use
Customer service
Cost effectiveness
Positive reviews
Mixed reviews
Negative reviews
AI generated from product descriptions
Code Analysis
"Static code scanning capability across 30+ programming languages with comprehensive vulnerability detection"
Vulnerability Detection
"Reachability analysis of known vulnerabilities in third-party software components with prioritized remediation"
Rule Customization
"Extensible rule creation mechanism for detecting security vulnerabilities and enforcing coding standards"
Security Integration
"Seamless integration with continuous integration and source code management toolchains"
Multi-Language Support
"Native scanning capabilities supporting multiple programming languages with consistent analysis approach"
Static Application Security Testing
Comprehensive vulnerability scanning for custom code across 25+ programming languages and frameworks
Software Composition Analysis
Automated identification and prioritization of vulnerabilities in open source software and third-party library dependencies
Infrastructure as Code Analysis
Detection of security misconfigurations in infrastructure template deployments to prevent potential security risks
Real-time IDE Security Scanning
Background vulnerability scanning during code development with immediate identification of risks in human and AI-generated code
AI-Powered Remediation
Context-aware AI agent that generates code remediation suggestions using proprietary databases and customized AI models
Static Application Security Testing
AI-tuned scanning at code generation with deep static analysis, identifying vulnerabilities across AI-generated and human-written code
Open Source Security Management
Comprehensive detection, prioritization, and automated remediation of open source component vulnerabilities
Container Security
End-to-end container security with image scanning, reachability analysis, secret detection, infrastructure-as-code scanning, and native Kubernetes integration
AI Component Governance
Inventory and risk assessment of AI components including models, agents, RAGs, with policy enforcement and Shadow AI detection
Threat Simulation
Proactive AI Red Teaming for simulating and identifying potential security risks in AI-powered applications
Standard contract
No
No
No
Customer reviews
0 ratings
0 AWS reviews
|
55 external reviews
Star ratings include only reviews from verified AWS customers. External reviews can also include a star rating, but star ratings from external reviews are not averaged in with the AWS customer star ratings.
Ayushi J.
Flexible, Fast, and Powerful Static Analysis for Secure Code
Reviewed on Nov 18, 2025
Review provided by G2
What do you like best about the product?
The best thing about Semgrep is its flexibility and speed as a static analysis tool. It allows me to define custom rules with clear, human-readable YAML syntax, making vulnerability detection and code standard enforcement highly adaptable to specific project needs. It integrates smoothly into CI/CD pipelines, providing fast feedback without slowing down development. I also appreciate the extensive public rule registry and AI-assisted features like noise filtering and autofix suggestions, which help improve fix rates and reduce remediation time, making it easier to maintain secure, high-quality code continuously
What do you dislike about the product?
I dislike about Semgrep is that it can produce noisy results with a lot of false positives out-of-the-box, requiring upfront tuning and rule customization to reduce irrelevant findings. This tuning process demands ongoing effort and security expertise, which can create operational overhead, especially at larger scales.
What problems is the product solving and how is that benefiting you?
Semgrep solves the problem of identifying security vulnerabilities and enforcing code standards early in the development cycle through a lightweight, semantic static code analysis tool.
It benefits me by enabling fast, contextual scans directly in CI pipelines without slowing down development. With easy-to-write custom rules and a large public registry, Semgrep helps catch bugs, insecure coding patterns, and deprecated APIs before they make it to production. This proactive detection and remediation improve code quality, reduce security risks, and streamline developer workflows by providing actionable feedback where it’s most needed.
It benefits me by enabling fast, contextual scans directly in CI pipelines without slowing down development. With easy-to-write custom rules and a large public registry, Semgrep helps catch bugs, insecure coding patterns, and deprecated APIs before they make it to production. This proactive detection and remediation improve code quality, reduce security risks, and streamline developer workflows by providing actionable feedback where it’s most needed.
Anupam J.
Powerful Rule Engine and Autofix, but Governance at Scale Needs Work
Reviewed on Nov 01, 2025
Review provided by G2
What do you like best about the product?
Flexible, transparent rule engine with clear YAML syntax and data‑flow patterns, plus an extensive public registry for quick wins and customization.
• Smooth CI/CD integration and lightweight runtime, enabling frequent scans without major impact on developer velocity.
• Autofix capabilities (deterministic rule‑based and Assistant AI‑assisted) that propose or apply safe code changes, reducing mean time to remediate
• Smooth CI/CD integration and lightweight runtime, enabling frequent scans without major impact on developer velocity.
• Autofix capabilities (deterministic rule‑based and Assistant AI‑assisted) that propose or apply safe code changes, reducing mean time to remediate
What do you dislike about the product?
Governance overhead at scale; maintaining org‑wide rule sets, exceptions, and updates across many repos becomes an operational burden without a dedicated owner.
• Autofix and AI noise filtering are helpful but still evolving; effectiveness varies by language and codebase, and some teams remain cautious about applying fixes automatically.
• Autofix and AI noise filtering are helpful but still evolving; effectiveness varies by language and codebase, and some teams remain cautious about applying fixes automatically.
What problems is the product solving and how is that benefiting you?
Semgrep is helping embed security into daily development by catching risky patterns early in pull requests and CI, which reduces rework and keeps release velocity high. Transparent, customizable rules let the team encode our own guardrails and quickly add checks for new frameworks, so coverage improves without waiting on vendor updates. AI‑assisted noise filtering and autofix guidance cut triage time and help developers resolve issues faster, which lowers MTTR and helps us meet remediation SLAs more consistently.
Operationally, fast scans and easy CI/SCM integration mean developers see actionable feedback where they work, not in a separate portal, increasing adoption and fixing rates. As a result, we’ve moved from sporadic security reviews to consistent, automated checks across services, with measurable gains in fix rate and fewer high‑risk patterns reaching production. The net benefit is stronger secure‑by‑default practices with minimal productivity tax, plus lower compliance risk thanks to policy‑as‑code rules we can audit and evolve over time.
Operationally, fast scans and easy CI/SCM integration mean developers see actionable feedback where they work, not in a separate portal, increasing adoption and fixing rates. As a result, we’ve moved from sporadic security reviews to consistent, automated checks across services, with measurable gains in fix rate and fewer high‑risk patterns reaching production. The net benefit is stronger secure‑by‑default practices with minimal productivity tax, plus lower compliance risk thanks to policy‑as‑code rules we can audit and evolve over time.
Nagaraju A.
Easy to Use with Great Functional Testing Capabilities
Reviewed on Oct 31, 2025
Review provided by G2
What do you like best about the product?
I appreciate how Semgrep excels in validating and QA testing capabilities, showing good efficacy in performing these tasks. The ease of use is particularly notable, requiring less scripting compared to other alternatives, and the initial setup process was straightforward and effortless. I value its functionality in conducting functional testing, which simplifies my tasks significantly. The test case design and resulting outcomes are particularly pleasing, enhancing my testing process. Whenever I encounter issues that other tools cannot resolve, Semgrep becomes an indispensable resource, allowing me to progress by utilizing its features effectively. Overall, I find Semgrep a worthy exploration for its functionality and user-friendly approach.
What do you dislike about the product?
Nothing
What problems is the product solving and how is that benefiting you?
I find Semgrep improves my workflow for functional testing, making it easy to use and reducing scripting. It solves problems when other tools fail, helping me proceed further and block issues effectively.
Hospital & Health Care
Flexible Rules and GitHub Integration Shine, But Needs Better Product Segmentation
Reviewed on Oct 31, 2025
Review provided by G2
What do you like best about the product?
Semgrep offers a single platform for SAST and SCA solutions which is good, but the best part is semgrep rules they are so flexible and easy to write that you dont need to manually do filtering or removing.
The tool has another feature I personally like is github actions that will show bugs in git itself with an AI reviewed fixed version.
The tool has another feature I personally like is github actions that will show bugs in git itself with an AI reviewed fixed version.
What do you dislike about the product?
Semgrep doesnt have Product wise segmentation like for organizations with multiple products you will have only projects and have to use labels to categorise those products.
What problems is the product solving and how is that benefiting you?
It provides great SCA and SAST solutioning.
Avneesh J.
Effortless Code Scanning—Much Easier Than Our Old Tool
Reviewed on Oct 28, 2025
Review provided by G2
What do you like best about the product?
It's a very user-friendly tool for scanning code repositories, and I find it much easier to use compared to our previous Checkmarx scan.
Its quiet easy to integrate with our existing code repository and can also be filtered based on the need.
Its quiet easy to integrate with our existing code repository and can also be filtered based on the need.
What do you dislike about the product?
Since we have only recently started using this tool, there is nothing we dislike about it so far.
What problems is the product solving and how is that benefiting you?
Its helping to find out the vulnerability with open-source softwares and implemented in our pipelines for code deployment has helped us a lot to proactively finding out the vulnerability before reaching of any environment.