Fast static analysis for the DevSecOps workflow

We’re passionate about improving software security and reliability, and we build static analysis tools purpose-built for the modern DevSecOps workflow.

Easily write custom rules

No need to learn a complex DSL: a grep-like syntax makes it easy to find security and correctness issues in your code. Try the interactive online editor →

Find bugs that matter

Broad coverage across OWASP Top 10 issues for modern languages (Python, Go, JavaScript, Java, Ruby)

Automate security compliance

Centrally define policy, enforce scans via CI/CD, and connect to systems like Slack and Jira. Start in < 5 mins.

Find bugs and enforce code standards

Semgrep is a free, open-source tool that combines the convenient and iterative style of grep with the powerful features of an Abstract Syntax Tree (AST) matcher. It scans your entire project on-demand or automatically in CI/CD on every build or commit. And all analysis runs on your machine — your code isn’t sent anywhere.
Supported languages: Python, JavaScript, Java, Go. More soon: JSON, C, OCaml, Ruby.

Easily write custom rules

Rules look like the code you’re searching — no static analysis PhD required. They run on source code, not compiled artifacts, which keeps iteration time short.
Find function calls, class or method definitions, and more without having to understand ASTs or wrestle with regexes.
This Semgrep pattern matches this source code:

    exec (foo);

    exec (

    // exec(foo)

Semgrep’s syntax awareness goes beyond grep’s text-based matching.

View example in live editor →

Scan code with registry of pre-built rules

The Semgrep Registry contains rules for many programming errors, including security issues and correctness bugs. Security rules are annotated with CWE and OWASP metadata when applicable.
Rulesets group Semgrep rules by language, framework, or security tool, making it easy to scan code for a wide variety of issues using a single configuration.
Batteries are included: scan your code using one of the registry’s rulesets. You don’t have to spend a bunch of time DIY-ing anything.
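As an added example (not code from this page or from the Semgrep project), here is a custom rule in the same format registry rules use: it relies on the `...` and metavariable syntax described under "Easily write custom rules", and carries the CWE/OWASP metadata the registry section mentions. The rule id, message text, and the Python snippets in the trailing comments are constructed for illustration.

```yaml
rules:
  - id: python-exec-non-constant-argument   # constructed rule id
    languages: [python]
    severity: WARNING
    message: >-
      exec() is called with a non-constant argument ($CODE). If any part of it
      comes from user input this is code injection; build the executed code
      from trusted constants or remove the exec() call.
    patterns:
      # '...' stands for any further arguments; $CODE is a metavariable bound
      # to the first argument expression so the message can name it.
      - pattern: exec($CODE, ...)
      # "..." matches any string literal, so a call whose first argument is a
      # plain constant string is excluded from the finding.
      - pattern-not: exec("...", ...)
    metadata:
      cwe: "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
      owasp: "A03:2021 - Injection"
      category: security
# Constructed Python snippets and how the rule treats them:
#   exec(user_input)          -> finding
#   exec (
#       build_code(cmd),
#       globals())            -> finding: the match is on the AST, so line
#                                breaks and spacing do not matter
#   exec("print('hi')")       -> no finding: constant string excluded above
#   # exec(user_input)        -> no finding: a comment contains no call node,
#                                where a grep for "exec(" would still hit it
```

Save the rule as a `.yml` file and pass it to `semgrep --config` to scan a project with it.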

Interested in the commercial version of Semgrep?

The commercial version of Semgrep enables AppSec teams to centrally define policy, enforce scans via CI/CD, and connect to systems like Slack and Jira.

Meet the team

We’re r2c, a software security startup. Our mission is to profoundly improve software security and reliability to safeguard human progress.

We make modern static analysis purpose-built for CI/CD. The team includes security engineers and researchers from Duo Security, Facebook, NCC Group, and Palantir. And yes, we’re hiring!
