
Reviews from AWS customers

0 AWS reviews
  • 5 star
    0
  • 4 star
    0
  • 3 star
    0
  • 2 star
    0
  • 1 star
    0

External reviews

32 reviews

External reviews are not included in the AWS star rating for the product.


    Computer Software

Good set of rules, but a bunch of false positives

  • December 09, 2022
  • Review provided by G2

What do you like best about the product?
The upsides are that code scanning is very fast, and the ruleset is complete. Rule management on the rule board is also very easy. Integrations and webhooks are a plus.
What do you dislike about the product?
The downsides are that the number of false positives for some of the rules is enormous due to the lack of taint tracking support for PHP. Improving this ruleset, or adding taint tracking for PHP would be most helpful.
What problems is the product solving and how is that benefiting you?
Semgrep is helping us scan our PHP code for first-party vulnerabilities. The most tangible benefit is better coding standards. Their SCA product is also very interesting.


    Financial Services

Quick and effective SAST and Dependency Checking

  • December 09, 2022
  • Review provided by G2

What do you like best about the product?
Super easy to implement and manage. Seamless integration into our CI pipeline, and only gets in the developers' way when it needs to. Reachability testing of dependencies is nice.
What do you dislike about the product?
Not too much to dislike. The Supply Chain/dependency scanning is new and will need more rules for reachability, but these are gradually being built.
What problems is the product solving and how is that benefiting you?
Semgrep acts as an effective guardrail, allowing developers to write code and be guided when potential vulnerabilities are introduced.


    Financial Services

Semgrep suited us very well

  • December 09, 2022
  • Review provided by G2

What do you like best about the product?
Easy integration and custom rules. The CLI makes it very easy to run tests locally.
What do you dislike about the product?
The new UI is a little confusing and the filter addition is a little slow.
What problems is the product solving and how is that benefiting you?
Helped with our SAST program


    Financial Services

Great community driven SAST

  • December 09, 2022
  • Review provided by G2

What do you like best about the product?
We were sold on the idea that Semgrep was Python based and detections were community driven, while still providing us with the ability to write custom detections.
What do you dislike about the product?
Nothing in particular. If anything, I'd like Semgrep to add GitHub Dependabot / Snyk like features so we can manage more controls around our source code through a single vendor. The latest Supply Chain feature is a new addition.
What problems is the product solving and how is that benefiting you?
Our static analysis needs - especially custom controls. Previously we had developed our own SAST tool, but as the company grew, we decided to move to something commercial and more robust.


    Jovin L.

Semgrep works really well in Devsecops environments

  • December 09, 2022
  • Review provided by G2

What do you like best about the product?
Semgrep is quick and allows us to write additional rules very easily.
This makes it very effective, and there is support for a lot of languages. The dashboard is user friendly and it's easy to look for findings reported.
What do you dislike about the product?
Semgrep does not show correlation across multiple files. For example, if an input is not filtered and is reflected on another page where it would get rendered, it would be difficult to identify in Semgrep.
Finding a way to have correlation between multiple files would be great to have.
What problems is the product solving and how is that benefiting you?
Semgrep allows us to run a vast number of scans across a large set of repos. That helps in a devsecops environment.


    Avinash S.

No place for False Positives

  • December 09, 2022
  • Review provided by G2

What do you like best about the product?
It is the most efficient and simple to use integration for SAST.
Free, and community-driven
Discussions on Slack channels provide valuable help and insights.
What do you dislike about the product?
Nothing major. It is evolving in the right direction.
But a trial version would be good.
What problems is the product solving and how is that benefiting you?
Mostly eliminating the use of multiple SAST scanners into one.


    Computer Software

Semgrep helped us catch security bugs while scaling and supporting our code review processes

  • December 09, 2022
  • Review provided by G2

What do you like best about the product?
Semgrep's powerful rule language and engine blends usability with flexibility. Developers being able to write their own rules in Semgrep without knowing exactly how Semgrep works has helped us scale our deployment.
What do you dislike about the product?
Without fine-tuning, Semgrep (like any SAST) can be pretty noisy. I know they've been working on surfacing developer feedback to rule writers and maintainers, but I still wish there was a more scalable way to reduce noise (e.g. rule change suggestions based on where developers report false positives).
What problems is the product solving and how is that benefiting you?
We wanted to surface information about security to developers when they needed it in code review. Semgrep is helping us do that.


    Computer Software

Semgrep's custom rules are the killer SAST feature

  • December 09, 2022
  • Review provided by G2

What do you like best about the product?
Custom rules and being able to fork + modify the existing rules make Semgrep a lot more valuable as a SAST tool. For certain rules, a couple of additional "pattern-not"s have reduced our false-positive rate by as much as 30%. That kind of thing is easy in Semgrep and pretty much impossible with all other SAST tools I've used. Many other providers claim that you don't need that capability with their tools, because they have teams of people who already improve their false-positive rate. In reality, I've found Semgrep's approach works much better to cut down on spurious results.
What do you dislike about the product?
Semgrep App is still noticeably immature. There are many minor bugs around the editor, creating private rules, and the rule board. I haven't found any without some sort of workaround thus far, and R2C's support team is extremely responsive. On balance, the upsides of centralizing your rule management and having a single pane of glass to view all findings are worth the sometimes buggy UI and lacking features (such as the inability to delete rules published via the CLI).
What problems is the product solving and how is that benefiting you?
Semgrep solves static analysis for us. We're using it across all of our repositories and using custom rules to catch common mistakes our team makes. Compared to our previous SAST tool (Veracode), Semgrep scans much more quickly, and our developers love how much easier it is to triage findings.


    Computer Software

Extremely easy to set up and use, resulting in immediate value.

  • December 08, 2022
  • Review provided by G2

What do you like best about the product?
Very easy to set up and the time to value is very short.
What do you dislike about the product?
I wish the rules had more information on remediation.
What problems is the product solving and how is that benefiting you?
Providing static application security analysis with high quality scanning


    Information Technology and Services

Semgrep is best in class for customizability, ease of use, and support

  • December 08, 2022
  • Review provided by G2

What do you like best about the product?
Semgrep makes it really easy to write rules. It's really straightforward and the UI also allows you to easily get feedback on rules as well. The dashboard is also convenient and simple to use. The customer support is also pretty amazing, in that they will help you over a meeting with issues you may have with implementation.
What do you dislike about the product?
The binary has been buggy in the past, and has required some debugging and patching to get working correctly. However, the Semgrep team was helpful with the entire process.
What problems is the product solving and how is that benefiting you?
It's a fantastic way to get static code analysis implemented into your CI/CD pipeline. The integration hooks seamlessly into your GitHub environment and provides a clean interface for engineers to use.