Application Security Platform
Semgrep, Inc.Reviews from AWS customer
0 AWS reviews
-
5 star0
-
4 star0
-
3 star0
-
2 star0
-
1 star0
External reviews
54 reviews
from
and
External reviews are not included in the AWS star rating for the product.
Powerful Rule Engine and Autofix, but Governance at Scale Needs Work
What do you like best about the product?
Flexible, transparent rule engine with clear YAML syntax and data‑flow patterns, plus an extensive public registry for quick wins and customization.
• Smooth CI/CD integration and lightweight runtime, enabling frequent scans without major impact on developer velocity.
• Autofix capabilities (deterministic rule‑based and Assistant AI‑assisted) that propose or apply safe code changes, reducing mean time to remediate
• Smooth CI/CD integration and lightweight runtime, enabling frequent scans without major impact on developer velocity.
• Autofix capabilities (deterministic rule‑based and Assistant AI‑assisted) that propose or apply safe code changes, reducing mean time to remediate
What do you dislike about the product?
Governance overhead at scale; maintaining org‑wide rule sets, exceptions, and updates across many repos becomes an operational burden without a dedicated owner.
• Autofix and AI noise filtering are helpful but still evolving; effectiveness varies by language and codebase, and some teams remain cautious about applying fixes automatically.
• Autofix and AI noise filtering are helpful but still evolving; effectiveness varies by language and codebase, and some teams remain cautious about applying fixes automatically.
What problems is the product solving and how is that benefiting you?
Semgrep is helping embed security into daily development by catching risky patterns early in pull requests and CI, which reduces rework and keeps release velocity high. Transparent, customizable rules let the team encode our own guardrails and quickly add checks for new frameworks, so coverage improves without waiting on vendor updates. AI‑assisted noise filtering and autofix guidance cut triage time and help developers resolve issues faster, which lowers MTTR and helps us meet remediation SLAs more consistently.
Operationally, fast scans and easy CI/SCM integration mean developers see actionable feedback where they work, not in a separate portal, increasing adoption and fixing rates. As a result, we’ve moved from sporadic security reviews to consistent, automated checks across services, with measurable gains in fix rate and fewer high‑risk patterns reaching production. The net benefit is stronger secure‑by‑default practices with minimal productivity tax, plus lower compliance risk thanks to policy‑as‑code rules we can audit and evolve over time.
Operationally, fast scans and easy CI/SCM integration mean developers see actionable feedback where they work, not in a separate portal, increasing adoption and fixing rates. As a result, we’ve moved from sporadic security reviews to consistent, automated checks across services, with measurable gains in fix rate and fewer high‑risk patterns reaching production. The net benefit is stronger secure‑by‑default practices with minimal productivity tax, plus lower compliance risk thanks to policy‑as‑code rules we can audit and evolve over time.
Easy to Use with Great Functional Testing Capabilities
What do you like best about the product?
I appreciate how Semgrep excels in validating and QA testing capabilities, showing good efficacy in performing these tasks. The ease of use is particularly notable, requiring less scripting compared to other alternatives, and the initial setup process was straightforward and effortless. I value its functionality in conducting functional testing, which simplifies my tasks significantly. The test case design and resulting outcomes are particularly pleasing, enhancing my testing process. Whenever I encounter issues that other tools cannot resolve, Semgrep becomes an indispensable resource, allowing me to progress by utilizing its features effectively. Overall, I find Semgrep a worthy exploration for its functionality and user-friendly approach.
What do you dislike about the product?
Nothing
What problems is the product solving and how is that benefiting you?
I find Semgrep improves my workflow for functional testing, making it easy to use and reducing scripting. It solves problems when other tools fail, helping me proceed further and block issues effectively.
Flexible Rules and GitHub Integration Shine, But Needs Better Product Segmentation
What do you like best about the product?
Semgrep offers a single platform for SAST and SCA solutions which is good, but the best part is semgrep rules they are so flexible and easy to write that you dont need to manually do filtering or removing.
The tool has another feature I personally like is github actions that will show bugs in git itself with an AI reviewed fixed version.
The tool has another feature I personally like is github actions that will show bugs in git itself with an AI reviewed fixed version.
What do you dislike about the product?
Semgrep doesnt have Product wise segmentation like for organizations with multiple products you will have only projects and have to use labels to categorise those products.
What problems is the product solving and how is that benefiting you?
It provides great SCA and SAST solutioning.
Effortless Code Scanning—Much Easier Than Our Old Tool
What do you like best about the product?
It's a very user-friendly tool for scanning code repositories, and I find it much easier to use compared to our previous Checkmarx scan.
Its quiet easy to integrate with our existing code repository and can also be filtered based on the need.
Its quiet easy to integrate with our existing code repository and can also be filtered based on the need.
What do you dislike about the product?
Since we have only recently started using this tool, there is nothing we dislike about it so far.
What problems is the product solving and how is that benefiting you?
Its helping to find out the vulnerability with open-source softwares and implemented in our pipelines for code deployment has helped us a lot to proactively finding out the vulnerability before reaching of any environment.
Excellent Tool for Code Quality and Security.
What do you like best about the product?
It is a good tool to identify the issues and security in code which can impact the quality and security.
What do you dislike about the product?
The UI is not as efficient. Also code setup creates some issues.
What problems is the product solving and how is that benefiting you?
This product is excellent when it comes to handling. I am quite satisfied with how well it manages tasks.
Powerful, Customizable Static Analysis with Fast Scans—Some Learning Curve and Tuning Needed
What do you like best about the product?
Semgrep is a static analysis tool that enables developers to create custom rules using an intuitive pattern-matching syntax, which closely mirrors the code being reviewed. It offers support for a variety of programming languages, including Python, JavaScript, Java, and Go, among others. With Semgrep, users can identify security vulnerabilities, address code quality concerns, and enforce coding standards effectively. Many developers value its seamless integration with CI/CD pipelines, the ability to run scans locally during development, and the flexibility to craft rules tailored to their organization's codebase. The tool is known for its rapid scanning capabilities and lower false positive rates when compared to more traditional static analysis solutions. Additionally, Semgrep is available in both open-source and commercial versions, with advanced features such as centralized rule management and options for team collaboration.
What do you dislike about the product?
Static analysis tools can present certain limitations, such as generating false positives that must be manually reviewed. They may also struggle to identify complex runtime vulnerabilities or logic flaws that only become apparent during execution. Maintaining and tuning rules to keep up with evolving codebases is an ongoing requirement. Some users note that creating custom rules involves a learning curve, particularly when mastering the pattern-matching syntax. Comprehensive scans of large codebases can also affect CI/CD pipeline performance. While these tools are strong in pattern matching, they might overlook context-dependent vulnerabilities that require more advanced semantic analysis. As a result, teams often need to dedicate time to configuring rules in order to minimize noise and prioritize findings relevant to their specific technology stack.
What problems is the product solving and how is that benefiting you?
It lacks the option to manually trigger a code scan, specifically for static scans.
Fast, Accurate, and Seamless Integration with GitHub
What do you like best about the product?
The feedback is fast and actionable, which makes it easy to address issues quickly. I also appreciate the reduced number of false positives, as it saves time and effort. Integration with GitHub and Actions is seamless, making the workflow smooth. The accuracy is high, and the support for a wide range of languages is another strong point.
What do you dislike about the product?
Semgrep is quite narrowly focused, concentrating primarily on security and lacking built-in scanning capabilities for other important areas such as secrets detection, infrastructure as code, or container security. There is also a learning curve to consider; crafting effective and custom rules demands a certain level of expertise, which can be particularly challenging when dealing with more complex vulnerabilities. Additionally, Semgrep on its own provides limited context, so without supplementary tools, it can be difficult to determine if a vulnerability is truly exploitable or reachable at runtime. This limitation can make it harder to properly prioritize issues.
What problems is the product solving and how is that benefiting you?
Semgrep helps assisting developers and security teams in identifying bugs, vulnerabilities, and enforcing coding standards. It analyzes source code to detect patterns that correspond to predefined rules, which makes it valuable for code reviews, security audits, and maintaining overall code quality. Semgrep will be our new default SAST tool as we begin to phase out the current tool which is outdated and cumbersome to use.
Great Experience, But UI Could Be More User-Friendly
What do you like best about the product?
Semgrep is one of the super easy and most lightweight tools for detecting security vulnerabilities in our codebase. It also enables us to scan our local repositories and can be integrated with our CI/CD pipeline to provide continuous code scanning. We prefer using it with almost all of our applications to feel more confident.
What do you dislike about the product?
There isn't much to complain about, but I do think the user interface could be cleaner and more user-friendly.
What problems is the product solving and how is that benefiting you?
The platform offers vulnerability scanning and helps keep applications free of bugs. It also provides automated code scanning through the CI/CD pipeline and supports scanning for multiple programming languages.
Insightful Vulnerability Analysis, But Needs Automatic Analysis
What do you like best about the product?
The tool provides an analysis of detected vulnerabilities in the code and also offers suggested fixes. This feature is helpful for identifying potential issues and understanding how to address them.
What do you dislike about the product?
Currently, I have to manually trigger the analysis each time a new detection occurs, but I would prefer if the analysis happened automatically as soon as something is detected.
What problems is the product solving and how is that benefiting you?
This tool has been useful in identifying security issues within my code. It helps me catch vulnerabilities that I might have otherwise missed.
Speeds Up Bug Detection, But Rule Syntax Can Be Limiting for Complex Code
What do you like best about the product?
The best thing about Semgrep is that it helps catch bugs and enforce code standards early in development, without slowing engineers down. It’s quick, understandable, and fits naturally into the developer workflow.
What do you dislike about the product?
My main dislike is that Semgrep’s rule syntax can feel restrictive when dealing with dynamic code or frameworks that rely heavily on metaprogramming. It’s great for straightforward patterns, but deeper semantic analysis sometimes needs more manual effort.
What problems is the product solving and how is that benefiting you?
Semgrep helps catch bugs and security issues early by running fast, customizable static analysis directly in the developer workflow. It helps me maintain consistent, secure code and saves time by preventing late-stage fixes.
showing 1 - 10