Application Security Platform
Semgrep, Inc.
Reviews from AWS customers
0 AWS reviews
External reviews
54 reviews
External reviews are not included in the AWS star rating for the product.
A Highly Customizable SAST
What do you like best about the product?
Semgrep is an easy-to-use and highly customizable static code analysis tool. Its intuitive interface and flexible rules library make running scans on any codebase effortless, big or small. With its active community of contributors and open-source nature, Semgrep is an essential tool for developers looking to enhance code quality and security quickly and efficiently.
What do you dislike about the product?
I have not encountered any major issues while using the product so far. During onboarding, I experienced some minor UI issues, but they did not significantly impact my overall experience.
What problems is the product solving and how is that benefiting you?
It helps identify potential issues before they become major problems, saving time and resources in the long run. By finding and fixing issues early on in the development process, developers can improve the overall quality of the codebase and reduce the likelihood of future problems.
A Seamless Static Analysis Tool
What do you like best about the product?
One of the things that I love most about Semgrep is how easy it is to use. As a static analysis tool, it has a reputation for being intimidating or difficult to integrate into existing workflows. But with Semgrep, developers don't have to worry about that at all. It seamlessly integrates with many popular code editors, version control systems, and continuous integration tools. This means that it's a breeze to set up and start using to detect potential security vulnerabilities, performance issues, and other code quality problems.
But what's really cool about Semgrep is how it feels like a tool that's designed with developers in mind. The pre-built rules are incredibly comprehensive and cover a wide range of potential issues. But if you need to customize them for your project, it's easy to do so. And if you ever get stuck, the community is always there to help you out.
All in all, Semgrep is a powerful tool that can help developers improve the quality of their code. But more importantly, it feels like a tool that was designed to make our lives easier. And who doesn't love that?
What do you dislike about the product?
As with any tool, Semgrep has some potential downsides to consider. Here are a few:
Learning curve: While Semgrep is generally considered to be user-friendly and easy to use, there is still a learning curve to using any new tool. Some developers may need to spend some time getting familiar with Semgrep's syntax and how to write and modify rules.
False positives/negatives: Like any static analysis tool, Semgrep can generate false positives (i.e., flagging code as problematic when it's not) or false negatives (i.e., failing to flag problematic code). This can be frustrating and may require some additional time and effort to sort out.
Resource-intensive: Depending on the size of your codebase, running Semgrep can be resource-intensive and may slow down your development process. It's important to consider this when integrating Semgrep into your workflow and ensure that your hardware and infrastructure can handle it.
Overall, these potential downsides are relatively minor compared to the benefits that Semgrep can provide. However, it's important to consider these factors when deciding whether or not Semgrep is the right tool for your project.
What problems is the product solving and how is that benefiting you?
The problem that Semgrep is solving is that it can be difficult for developers to manually review code for potential issues. With codebases that are constantly growing and changing, it can be easy to miss potential issues or introduce new ones. Semgrep automates this process and enables developers to quickly identify and address potential issues before they become larger problems.
Semgrep - future of SAST
What do you like best about the product?
Context-aware scanning that allows a security engineer to see true metrics on vulnerabilities in the code. Its IaC offering shows how context-aware it can be with its custom data flows.
What do you dislike about the product?
It's hard to name anything in particular, but the one thing that is challenging is to get onboarded with this. There is definitely a learning curve to get started with writing your own rules.
What problems is the product solving and how is that benefiting you?
All things related to code security: putting security guardrails for developers in pre-commit stage, ensuring no secrets are ever committed, keeping our lockfiles with libraries up to date.
Game-changer for application security
What do you like best about the product?
The Semgrep supply chain is a boon for application and product security teams. Backed by the already solid Semgrep engine, it can quickly surface vulnerabilities that are *actually* vulnerabilities and materially improves our security and risk management. It feels like it gave me new superpowers. I would recommend this to any security team, along with the base product. Most importantly, the r2c engineers and support team are first-rate. They are incredibly supportive and responsive, and I felt like their most important customer every step of the way.
What do you dislike about the product?
There are very few downsides I can think of, but one that comes to mind is the ability to extend or templatize existing rules. The base rules and rulesets are good but may produce false positives without customization. I would love the ability for Semgrep to offer a way to further customize rules and layer on specificity that increases accuracy.
What problems is the product solving and how is that benefiting you?
Semgrep saves us innumerable hours of manual work and toil. It allows us to multiply our impact, "shift left," and free up valuable time that we can use to focus on higher-impact security efforts. I can't imagine running a security program without it.
Easy to use and powerful
What do you like best about the product?
Very easy to use, no matter which language you are using. Unlike more legacy static code analysis tools, there is no need to spend a lot of time learning rule types and syntaxes; new rules can be spun up and tested very quickly. Also, results are of high quality.
What do you dislike about the product?
Community support is not as developed, as they are pretty new. The breadth of rules and integrations is not as extensive as some other tools. However, this is improving rapidly, and the rules that are present have far fewer false positives.
What problems is the product solving and how is that benefiting you?
We use Semgrep as part of our static code analysis process. We use a combination of community and custom rules to suit our purposes. This helps us automate finding the common patterns we need to look out for.
Semgrep is extremely customizable, efficient, and scalable
What do you like best about the product?
The customization helps teams shift left. I can create my own rules to avoid false positives and decide which rules block vs. comment vs. just monitor. This helps keep the noise down, makes it easy for software developers to fix findings immediately, and block vulnerabilities from production.
What do you dislike about the product?
I can't run different rulesets at different times. I'd like the ability to run a certain subset of rules in a CI/CD pipeline to block from deploying high-fidelity findings from production; while also running a larger set of best practices and lower-fidelity rules in a separate pipeline to help us with training and fixing less concerning issues that are more complex as tech debt.
What problems is the product solving and how is that benefiting you?
Securing code through static code analysis scanning efficiently in the CI/CD pipeline. Semgrep places the findings directly in PR comments, avoiding the need for software developers to access a different tool. We are able to customize rules to check for things that we care about and are more unique to our code base.
Semgrep is a plus with continuous management & tracking of open vulnerabilities.
What do you like best about the product?
Useful for tracking the open vulnerabilities, repository-wise, until they're closed. I find the ability to create custom vulnerability config manually to be very useful, to extend the functionality beyond the vulnerabilities that could be picked up by the existing available config templates.
What do you dislike about the product?
I think the findings could be improved. There's a limit to what static analysis tools can dig out from the code, and probably it's a limitation of the technology itself, rather than of Semgrep.
What problems is the product solving and how is that benefiting you?
Picking up the bad patterns in the code very early during the development cycle. There are certain coding patterns that semgrep picks up, which could be leading to deeper or critical security issues later.
Effective, efficient and eng friendly scanner
What do you like best about the product?
It's a super customizable, fast and effective tool to have as an inline scanner on the CI/CD pipeline.
What do you dislike about the product?
Nothing really. Support is amazing, and while they are still early in developing their product suite, they are super receptive to feedback.
What problems is the product solving and how is that benefiting you?
Shifting security left in an Eng friendly way
I had a really great experience using Semgrep to fix most vulnerabilities I had in my repo.
What do you like best about the product?
1 - Security enforcement.
2 - Finding common bugs in code.
What do you dislike about the product?
It was hard for me to set it up with my GitHub repo, so things here can be improved in the future.
What problems is the product solving and how is that benefiting you?
- As mentioned above, the ability to scan for bugs and vulnerabilities in my public repo is one of the benefits.
- CI/CD life improvement.
- Improving code security.
Way better than any other tool *cough* verracode *cough*
What do you like best about the product?
It's super easy to use and doesn't get in the way. The ability to create custom rules and easily ignore existing rules makes this tool stand out above any of the other "static analysis" tools I've used to date.
What do you dislike about the product?
Honestly, there isn't much I dislike. Perhaps having buttons directly interact with the GitHub comments would be nice?
What problems is the product solving and how is that benefiting you?
It's solving a range of issues:
* Security checks (e.g. no open S3 buckets)
* Code quality (e.g. don't nest for loops or conditionals)
* Infra verification via Terraform checks