
Reviews from AWS customer

1 AWS review
  • 5 star: 0
  • 4 star: 1
  • 3 star: 0
  • 2 star: 0
  • 1 star: 0

External reviews

55 reviews

External reviews are not included in the AWS star rating for the product.


4-star reviews

    Manjunath Maneppagol

Context-aware code analysis has reduced noise and now improves developer experience with actionable security findings

  • November 28, 2025
  • Review from a verified AWS customer

What is our primary use case?

I have been working with Semgrep for almost a year, approximately six to eight months on and off. In my current organization, I have strong experience with SAST solution POCs, and I have conducted POCs for Semgrep, Checkmarx, Snyk, and SonarQube to evaluate SAST capabilities.

Our primary use case for Semgrep is to identify static code vulnerabilities and SAST vulnerabilities. Every other organization or vendor claims to offer this capability, but Semgrep is built differently compared to all these traditional tools. I have almost a decade of experience using various SAST tools, and Semgrep not only looks at particular code but understands the entire code to get context around whether an issue is real or not through context analysis.

One of the primary use cases for us is also the shift-left approach, which means improving our developer experience. Our developers do not want to wait until they commit changes to GitHub or build it. They want synchronous feedback directly within their IDE. Semgrep provides an IDE integration and also supports an MCP gateway. Additionally, secrets scanning is another important use case for us.

What is most valuable?

The seamless integration of Semgrep into our existing platform is what I really appreciate. It is very easy; I was able to integrate and onboard it in just 10 to 15 minutes. This is in stark contrast to dealing with different SAST tools when integrating across thousands of repos.

Another great feature is that Semgrep greatly reduces the noise compared to other SAST tools. After scanning through the codebase and understanding it, Semgrep has a capability called AI analysis or AI triage. When you triage with AI, it gathers context around the finding and reduces the noise about 80 to 90 percent of the time, asking you to focus only on findings that really matter.

Another excellent experience I had with Semgrep is when there was a finding that AI was not able to correctly diagnose or identify whether it was an actual finding or not. It reported it as a vulnerability, but when I verified it as a security engineer, I determined it was not a vulnerability in our case because we have compensatory controls in place. When I indicate this, Semgrep asks if it can apply the same logic to other similar findings. With a single click, it reduces a lot of noise for me, saving a huge amount of my time and effort.

The results are also impressive. Most solutions identify a static query like raw SQL and simply say there is a SQL injection that is critical. Semgrep, however, looks into the query file and understands the context. It recognizes that this is a SQL query without any user input or database migration script, and it assigns appropriate risk. This intelligent capability of Semgrep is what impressed me.

Semgrep will easily fit into the ecosystem you are building or the ecosystem you are working with. It is going to increase the developer experience in terms of how easily developers are able to understand the findings. It will also increase the security posture because developers are easily able to understand and fix those findings. Overall, the application security posture and the relationship between the development community and the security engineering will improve because Semgrep integrates so seamlessly and functions very smoothly.

What needs improvement?

I have consistently observed that their scan time is an issue for mono repos. Sometimes with their AI-based scanning, when you triage that scan, the scan never completes or finishes, which makes it difficult. Another consistent issue is that whenever you have a new repo to onboard to the platform, the tool ideally should detect the master branch by default. However, if there is no master branch or default branch, the tool fails to identify it and will never scan it unless somebody manually looks into it and fixes the issue. Although their support team is really good, this issue was present six or eight months ago during the POC and is still present now. If it is affecting multiple customers, it should be prioritized and fixed.

I would say that their integration aspects could have been improved. I see a lot of different security solutions that provide flexibility to the security teams based on Jira project, team divisions, Slack, and all those can be very much easily customized. Semgrep needs to work on the enhancement of their notification capabilities. Currently, they are working on identifying business logic vulnerabilities or privilege escalation vulnerabilities by looking at the code, and they should continue to focus on and improve this effort.


For how long have I used the solution?

I have been working with Semgrep on and off for almost a year, approximately six to eight months.

What do I think about the stability of the solution?


Regarding stability, whenever you have a mono-repo which is a very large repository, the scan never finishes or the scan never kicks in. At that time, you have to reach out to the support team and ask them to expand the resources in the back end to fix it. This is an issue I keep seeing often on that platform.

What do I think about the scalability of the solution?

It is very easy to scale. When you say scaling, that means the number of users or organizations you need to onboard. I was able to control it from 10 repositories or 10 services to thousands of repositories in a couple of minutes very simply. They could potentially add some enhancements, but the platform is very much easily scalable.

What other advice do I have?

You should primarily focus on what your use case is and why you are moving out. If you are moving out just from the perspective of cost, I do not think Semgrep is the best solution for you. However, if you are looking for value for investment and want to have the complete visibility into your code with less noise, if you are not just looking for a SAST but are really looking for actionable results and want to improve your developer experience and feedback, then you should go for Semgrep. In my organization, it is not only me who selects the solution; I bring in developers from junior and senior levels of all experience and ask them to take a hands-on experience and give me feedback. If you want to improve the developer experience, then go for Semgrep.

Compared to other competitors in the market, the AI-backed capability is the biggest strength of Semgrep. The seamless integration is another major advantage because I have done it for a few other solutions, some of which are extremely difficult and some are okay, but the Semgrep integration with the code repository was the smoothest. The quality of results and reduction in noise are also strengths compared to other competitors. Semgrep also has a great strength in the number of rule sets they have compared to all other vendors. While all other vendors have very limited numbers even though they claim to be enterprise, their community edition itself has close to 4,000 rules and the enterprise edition has around 20,000 rules. That is a really strong advantage.

As for limitations, I would say that Semgrep currently just supports Jira and Slack for integrations. They should expand to different integrations like ServiceNow and other CNAPP and CSPM solutions where all results can be brought into one place.

I would rate this solution an 8 out of 10.


    Anupam J.

Powerful Rule Engine and Autofix, but Governance at Scale Needs Work

  • November 01, 2025
  • Review provided by G2

What do you like best about the product?
• Flexible, transparent rule engine with clear YAML syntax and data-flow patterns, plus an extensive public registry for quick wins and customization.
• Smooth CI/CD integration and lightweight runtime, enabling frequent scans without major impact on developer velocity.
• Autofix capabilities (deterministic rule-based and Assistant AI-assisted) that propose or apply safe code changes, reducing mean time to remediate.
What do you dislike about the product?
• Governance overhead at scale; maintaining org-wide rule sets, exceptions, and updates across many repos becomes an operational burden without a dedicated owner.
• Autofix and AI noise filtering are helpful but still evolving; effectiveness varies by language and codebase, and some teams remain cautious about applying fixes automatically.
What problems is the product solving and how is that benefiting you?
Semgrep is helping embed security into daily development by catching risky patterns early in pull requests and CI, which reduces rework and keeps release velocity high. Transparent, customizable rules let the team encode our own guardrails and quickly add checks for new frameworks, so coverage improves without waiting on vendor updates. AI‑assisted noise filtering and autofix guidance cut triage time and help developers resolve issues faster, which lowers MTTR and helps us meet remediation SLAs more consistently.
Operationally, fast scans and easy CI/SCM integration mean developers see actionable feedback where they work, not in a separate portal, increasing adoption and fixing rates. As a result, we’ve moved from sporadic security reviews to consistent, automated checks across services, with measurable gains in fix rate and fewer high‑risk patterns reaching production. The net benefit is stronger secure‑by‑default practices with minimal productivity tax, plus lower compliance risk thanks to policy‑as‑code rules we can audit and evolve over time.
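The data-flow ("taint") rules mentioned above, and the distinction the first reviewer describes between a static query and one built from user input, look like the following in Semgrep's YAML. This is an added example written for this page, not a rule from the Semgrep registry or from either reviewer; the rule id, the Flask source patterns and the DB-API `cursor.execute` sink are assumptions about a hypothetical Python web app.

```yaml
# Added example: a Semgrep taint-mode rule (not a registry rule).
# Assumed target: a Python/Flask app executing SQL through a DB-API cursor.
rules:
  - id: flask-sqli-tainted-query          # hypothetical rule id
    languages: [python]
    severity: ERROR
    mode: taint
    message: >-
      Untrusted request data reaches a SQL query string. Pass values as
      parameters (cursor.execute(sql, params)) instead of formatting them in.
    metadata:
      category: security
      cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command"
    # Sources: values read from the HTTP request. Semgrep resolves
    # `from flask import request; request.args.get(...)` to these patterns.
    pattern-sources:
      - pattern: flask.request.args.get(...)
      - pattern: flask.request.args[...]
      - pattern: flask.request.form.get(...)
      - pattern: flask.request.form[...]
    # Sanitizer: a value that survived int() cannot carry SQL syntax.
    pattern-sanitizers:
      - pattern: int(...)
    # Sink: only the query-string argument of execute(), not the params tuple,
    # so a parameterized call with a literal SQL string is never reported.
    pattern-sinks:
      - patterns:
          - pattern: $CURSOR.execute($QUERY, ...)
          - focus-metavariable: $QUERY
```

With this rule, `cursor.execute("SELECT * FROM users WHERE id = " + request.args.get("id"))` and the equivalent f-string or `%` formatting are reported, while `cursor.execute("SELECT * FROM users WHERE id = %s", (request.args.get("id"),))` is not, because the tainted value flows into the parameters rather than the focused `$QUERY` metavariable; a migration script whose query is a constant string is likewise silent. To check a rule before rolling it out org-wide, keep a target file beside it with `# ruleid: flask-sqli-tainted-query` and `# ok: flask-sqli-tainted-query` comments above the matching and non-matching lines and run `semgrep --test` on that directory; a single ad-hoc run is `semgrep --config rule.yaml app.py`.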


    Hospital & Health Care

Flexible Rules and GitHub Integration Shine, But Needs Better Product Segmentation

  • October 31, 2025
  • Review provided by G2

What do you like best about the product?
Semgrep offers a single platform for SAST and SCA solutions, which is good, but the best part is Semgrep rules: they are so flexible and easy to write that you don't need to manually do filtering or removing.
Another feature I personally like is the GitHub Actions integration, which shows bugs in Git itself with an AI-reviewed fixed version.
What do you dislike about the product?
Semgrep doesn't have product-wise segmentation; for organizations with multiple products you will have only projects and have to use labels to categorise those products.
What problems is the product solving and how is that benefiting you?
It provides great SCA and SAST solutioning.


    Manufacturing

Fast, Accurate, and Seamless Integration with GitHub

  • October 22, 2025
  • Review provided by G2

What do you like best about the product?
The feedback is fast and actionable, which makes it easy to address issues quickly. I also appreciate the reduced number of false positives, as it saves time and effort. Integration with GitHub and Actions is seamless, making the workflow smooth. The accuracy is high, and the support for a wide range of languages is another strong point.
What do you dislike about the product?
Semgrep is quite narrowly focused, concentrating primarily on security and lacking built-in scanning capabilities for other important areas such as secrets detection, infrastructure as code, or container security. There is also a learning curve to consider; crafting effective and custom rules demands a certain level of expertise, which can be particularly challenging when dealing with more complex vulnerabilities. Additionally, Semgrep on its own provides limited context, so without supplementary tools, it can be difficult to determine if a vulnerability is truly exploitable or reachable at runtime. This limitation can make it harder to properly prioritize issues.
What problems is the product solving and how is that benefiting you?
Semgrep assists developers and security teams in identifying bugs, vulnerabilities, and enforcing coding standards. It analyzes source code to detect patterns that correspond to predefined rules, which makes it valuable for code reviews, security audits, and maintaining overall code quality. Semgrep will be our new default SAST tool as we begin to phase out the current tool, which is outdated and cumbersome to use.


    Mohammad A.

Great Experience, But UI Could Be More User-Friendly

  • October 22, 2025
  • Review provided by G2

What do you like best about the product?
Semgrep is one of the easiest and most lightweight tools for detecting security vulnerabilities in our codebase. It also enables us to scan our local repositories and can be integrated with our CI/CD pipeline to provide continuous code scanning. We prefer using it with almost all of our applications to feel more confident.
What do you dislike about the product?
There isn't much to complain about, but I do think the user interface could be cleaner and more user-friendly.
What problems is the product solving and how is that benefiting you?
The platform offers vulnerability scanning and helps keep applications free of bugs. It also provides automated code scanning through the CI/CD pipeline and supports scanning for multiple programming languages.


    International Affairs

Speeds Up Bug Detection, But Rule Syntax Can Be Limiting for Complex Code

  • October 22, 2025
  • Review provided by G2

What do you like best about the product?
The best thing about Semgrep is that it helps catch bugs and enforce code standards early in development, without slowing engineers down. It’s quick, understandable, and fits naturally into the developer workflow.
What do you dislike about the product?
My main dislike is that Semgrep’s rule syntax can feel restrictive when dealing with dynamic code or frameworks that rely heavily on metaprogramming. It’s great for straightforward patterns, but deeper semantic analysis sometimes needs more manual effort.
What problems is the product solving and how is that benefiting you?
Semgrep helps catch bugs and security issues early by running fast, customizable static analysis directly in the developer workflow. It helps me maintain consistent, secure code and saves time by preventing late-stage fixes.


    Shuiab S.

Clean Interface and Clear Insights, But Setup Can Be Frustrating

  • October 21, 2025
  • Review provided by G2

What do you like best about the product?
The interface is extremely clean, and all vulnerabilities are clearly highlighted.
What do you dislike about the product?
Setting up the system for the first time was quite frustrating, as I found myself needing assistance from the IT agent on several occasions.
What problems is the product solving and how is that benefiting you?
This tool was useful in identifying vulnerabilities within the code and assisted in resolving issues that appeared in production.


    Mahmoud H.

I think Semgrep is a must have for every Software Company

  • September 16, 2025
  • Review provided by G2

What do you like best about the product?
The fact that it can scan dependencies and has so many rules configured on the spot, with a very friendly and easy-to-use UI for Semgrep Pro.
What do you dislike about the product?
I think what Semgrep needs is a feature that summarizes the overall security standing of a repository/project. It should also allow the user to tell the platform the links between different repos, if there are any.
What problems is the product solving and how is that benefiting you?
I am a security official in a company with over 300 repos. The fact that Semgrep can seamlessly scan all lines of code with each change is amazing for me. It makes my work so much easier.


    Computer Software

Enhancing Security with Semgrep

  • September 12, 2025
  • Review provided by G2

What do you like best about the product?
Since it runs fast and integrates directly into CI/CD, my team can surface issues early — from insecure function use to misconfigured patterns — before they ever hit production.
What do you dislike about the product?
Filter limitations and changing some settings at the global level using UI. Having more advanced filtering and project-level controls would make it easier to manage findings across different environments, prioritize risks.
What problems is the product solving and how is that benefiting you?
The biggest benefit for us is automation and consistency. By integrating Semgrep into CI/CD pipelines, I can enforce secure coding practices at scale and ensure that every pull request is checked for common vulnerabilities. This reduces reliance on manual reviews, lowers the chance of critical bugs slipping into production, and frees me up to focus on more complex security work like pentesting and cloud security design.
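The pull-request check this reviewer describes (and the GitHub Actions integration praised in the reviews above) is a short workflow. The following is an added example written for this page, not a workflow from the reviewers or from Semgrep's own repositories; it assumes a repository secret named `SEMGREP_APP_TOKEN` holding a Semgrep AppSec Platform token and a default branch named `main`.

```yaml
# Added example: GitHub Actions workflow running Semgrep on every pull request
# and on pushes to main. Assumes a SEMGREP_APP_TOKEN repository secret.
name: semgrep
on:
  pull_request: {}
  push:
    branches: [main]
jobs:
  semgrep:
    runs-on: ubuntu-latest
    # Dependabot PRs do not receive repository secrets, so skip them here
    # rather than letting the step fail on a missing token.
    if: github.actor != 'dependabot[bot]'
    container:
      image: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4
      # `semgrep ci` applies the organization's rule policies, reports diff-aware
      # findings on PRs to the platform, and exits non-zero on blocking findings.
      - run: semgrep ci
        env:
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
```

Without a platform account, replace the `run` step with `semgrep scan --config p/default --error`, which runs the public registry rules and returns non-zero when it finds anything; you lose the PR comments, AI triage and policy management the reviews describe, but the gate on every pull request still holds.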


    Computer Software

Hands-off setup could not be easier

  • September 09, 2025
  • Review provided by G2

What do you like best about the product?
Very little had to be done on our end to set up managed scans for the entire GitHub organization. Aside from Semgrep staff adjusting things to get a scan to complete, our large codebase was running SAST scans in a few days.
GitHub PR comments show users what to do, and AI can classify many reports correctly as not needing mitigation.
What do you dislike about the product?
Semgrep's features are designed around preventing new problems from being introduced in pull requests, but those same features are not available for issues found on trunk branches - these have to be dealt with manually.
What problems is the product solving and how is that benefiting you?
Identifying potential security flaws in existing code as part of compliance for security certifications.