Article · Wikipedia archive · Last revised Jul 13, 2026

Semgrep

Semgrep, Inc. is a cybersecurity company based in San Francisco. The company develops the Semgrep AppSec Platform, a commercial offering for SAST, SCA, and secrets scanning, and maintains the open-source static code analysis tool semgrep, which supports over 30 programming languages.

Last revised
Jul 13, 2026
Read time
≈ 3 min
Length
694 w
Citations
23
Source
Semgrep, Inc
Formerlyr2c
IndustryComputer Security
Founded2017
Founder
  • Isaac Evans
  • Luke O'Malley
  • Drew Dennison
Websitesemgrep.dev Edit this on Wikidata
Semgrep OSS
DevelopersSemgrep, Inc.
ReleaseFebruary 6, 2020 (2020-02-06)1
Stable release
1.169.0 Edit this on Wikidata / July 8, 2026; 5 days ago 2
Written inOCaml (core) and Python (CLI)
TypeStatic program analysis
LicenseLGPL v2.1
Websitesemgrep.dev Edit this on Wikidata
Repository

Semgrep, Inc. (formerly r2c3) is a cybersecurity company based in San Francisco. The company develops the Semgrep AppSec Platform, a commercial offering for SAST, SCA, and secrets scanning, and maintains the open-source static code analysis tool semgrep, which supports over 30 programming languages.4

The name is a combination of semantic and grep, which refers to semgrep being a text search utility that is aware of source code semantics.5

Services

Semgrep, Inc. provides a continuous integration service (Semgrep CI), rule-writing tools (the Semgrep Playground), and a rule library (the Semgrep Registry) free of charge for both commercial and open source users.6

Semgrep rules are typically written in YAML. Rules can be forked and customized to a user's codebase, however only commercial users can customize commercial rules. All users are free to fork and modify open source (community) rules.7

History

Semgrep was based on sgrep, an open source part of pfff, a program analysis library developed at Facebook in 2009. Pfff was inspired by Coccinelle, an open-source utility for programs written in C. Yoann Padioleau, the original author of sgrep and a contributor to Coccinelle, joined r2c in 2019.8910 sgrep was forked from pfff by r2c, and in 2020 the sgrep fork was renamed semgrep to avoid name collisions with existing projects.111213

Redpoint Ventures and Sequoia Capital backed r2c in an unannounced seed round and later funded a $13 million Series A round in 2020. The company's product portfolio consisted only of Semgrep OSS and its ecosystem at the time.1415

Semgrep, Inc. announced in 2023 that it had raised a $53 million Series C funding round with Lightspeed Venture Partners leading the investment and participation from previous investors Felicis Ventures, Redpoint Ventures, and Sequoia Capital. The company has raised a total of $93 million, including their Series C financing.3

The Open Web Application Security Project (OWASP) listed Semgrep in its source code analysis tools list.16 As of 2023 April, Semgrep has 132 contributors and over 9000 stars on GitHub.17 From Docker Hub the Docker image has been pulled more than 60 million times.18

Usage

Semgrep can be installed with Homebrew19 or pip.20 Additionally it can run without installation on Docker. Analysis can be done without the need of custom configuration, and by utilizing rulesets created by Semgrep Inc. and open source contributors. The tool also allows users to write their own patterns and rules through the CLI using a pattern language unique to semgrep. A free online rule editor and a tutorial are also available.2122

See also

See also

References

References

  1. "Release – sgrep 0.4.0 – returntocorp/semgrep". Github.com. Retrieved 2021-02-03.
  2. "Release 1.169.0". 8 July 2026. Retrieved 9 July 2026.
  3. Miller, Ron (2023-04-18). "Semgrep (formerly r2c) lands $53M investment to grow code security platform". TechCrunch. Retrieved 2023-04-19.
  4. "Supported languages | Semgrep". semgrep.dev. 2024-05-22. Retrieved 2024-05-29.
  5. Nagy, Bence. "Detect complex code patterns using semantic grep" (PDF). owasp.org (Presentation). p. 2. Retrieved 2021-02-02.
  6. "Write custom rules | Semgrep". semgrep.dev. 2024-05-16. Retrieved 2024-05-29.
  7. "Write custom rules | Semgrep". semgrep.dev. 2024-05-16. Retrieved 2024-05-29.
  8. Lauerman, Alex (2020-10-29). "A Brief Introduction to Semgrep (part 1)". TrustFoundry.
  9. "Previous version of Semgrep's README.md file on GitHub". GitHub. Retrieved 2021-02-02.
  10. "Semgrep: Lightweight static analysis for many languages". Hacker News. Retrieved 2021-02-02.
  11. "Pull request of Semgrep on GitHub". GitHub. Retrieved 2021-02-02.
  12. "Previous version of Semgrep's README.md on GitHub". GitHub. Retrieved 2021-02-02.
  13. Salecha, Rohit (2020-08-13). "Semgrep A Practical Introduction". NotSoSecure.com.
  14. "Redpoint and Sequoia are backing a startup to copyedit your shit code". TechCrunch.com. 2020-10-29. Retrieved 2021-02-02.
  15. "Forbes Cybersecurity Awards 2020: Corellium, The Tiny Startup Driving Apple Crazy". Forbes.com. 2020-12-27. Retrieved 2021-02-02.
  16. "OWASP Source Code Analysis Tools". Owasp.com. Retrieved 2020-02-02.
  17. "Semgrep on GitHub". GitHub.
  18. "Semgrep on Docker Hub". Retrieved 2023-04-19.
  19. "Semgrep on Homebrew Formulae". Retrieved 2021-02-03.
  20. "Semgrep on pypi.org". Python Package Index. Retrieved 2021-02-03.
  21. "Semgrep Documentation – Getting started". semgrep.dev. Retrieved 2021-02-02.
  22. Lancini, Marco (2020-12-12). "Semgrep for Cloud Security". marcolancini.it.
External links