Semgrep

Official · Semgrep
Static analysis CLI for scanning code with Semgrep rules, custom patterns, CI checks, and optional autofixes.

$ brew install semgrep

Language: OCaml
Stars: 14,363
Category: Security
Agent: Ready
Agent Compatibility: JSON Output, Agent Skill, MCP Support, AI Analysis

Semgrep is a static analysis CLI for searching code with structural patterns and reusable rules, then running those checks locally or in CI. It covers code-quality, security, policy, supply-chain, and secrets workflows from the shell.

What It Enables
  • Scan repositories with registry rules, local rule packs, or one-off patterns to find insecure APIs, policy violations, and refactor targets across many languages.
  • Validate and iterate on custom Semgrep rules, then run them in CI or pull-request scans to gate changes and report only new findings (for example with `semgrep ci`, or `semgrep scan --baseline-commit <sha>` to suppress findings already present at a base commit).
  • Emit JSON, SARIF, JUnit, or GitLab outputs and optionally apply supported autofixes (`--autofix`), making it usable in pipelines and follow-up remediation loops.
Agent Fit
  • semgrep scan and semgrep ci are non-interactive and shell-friendly, with --json and --sarif, predictable exit codes (semgrep scan exits 0 by default and 1 on findings when --error is set; semgrep ci exits 1 on blocking findings), and file outputs (--output) that fit parse-and-act workflows.
  • It works well for agents that need to inspect a codebase, test hypotheses with inline patterns (`semgrep scan -e '<pattern>' -l <language>`), or verify remediations after edits without leaving the terminal.
  • Coverage is uneven across editions: advanced cross-file security analysis, some secrets and supply-chain workflows, cloud findings, and parts of MCP depend on Semgrep login, tokens, or Pro and AppSec features.
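The parse-and-act loop described above, as an added example (this is not code from the Semgrep project): a custom rule and a target file are written to a temporary directory and scanned with `semgrep scan --json` when the CLI is installed, and a `triage()` function reads the report, drops findings already recorded in a baseline, and decides the CI exit code. The rule id `demo-subprocess-shell-true`, the rule id `demo-eval-call`, the target file, the baseline and the sample report are all constructed for the demo; the only thing assumed about Semgrep itself is the documented JSON result shape (`results[].check_id`, `.path`, `.start.line`, `.extra.severity`, `.extra.message`, `.extra.lines`).

```python
"""Parse-and-act loop over Semgrep --json output (added example, not project code).

Assumes the result shape `semgrep scan --json` emits and that `semgrep` is on
PATH when run_semgrep() is called. Rule, target, baseline and report below are
constructed for the demo.
"""
import json
import shutil
import subprocess
import tempfile
from pathlib import Path

# Demo rule (constructed for this example, not a registry rule): flag subprocess
# calls with shell=True unless the command is a plain string literal.
RULE_YAML = """\
rules:
  - id: demo-subprocess-shell-true
    languages: [python]
    severity: ERROR
    message: subprocess with shell=True and a non-literal command allows injection
    patterns:
      - pattern: subprocess.$FUNC(..., shell=True, ...)
      - pattern-not: subprocess.$FUNC("...", shell=True, ...)
"""

# Constructed target: line 3 is a literal command (no match), line 4 should match.
TARGET_PY = """\
import subprocess
def run(user_arg):
    subprocess.run("ls -l", shell=True)
    subprocess.run("ls " + user_arg, shell=True)
"""


def run_semgrep(rule_yaml=RULE_YAML, target=TARGET_PY):
    """Scan a temp dir with the rule; return the parsed report, or None when
    semgrep is not installed so the rest of the module still works offline."""
    if shutil.which("semgrep") is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        rule_path = Path(tmp, "rule.yml")
        rule_path.write_text(rule_yaml)
        Path(tmp, "app.py").write_text(target)
        proc = subprocess.run(
            ["semgrep", "scan", "--config", str(rule_path), "--json",
             "--quiet", "--metrics=off", tmp],
            capture_output=True, text=True, check=False,
        )
        return json.loads(proc.stdout)  # --json writes the report to stdout


def fingerprint(result):
    """Key a finding by rule, file and matched source text rather than by line
    number, so edits elsewhere in the file do not make an old finding look new."""
    return (result["check_id"], result["path"], result["extra"].get("lines", "").strip())


def triage(report, baseline=frozenset(), fail_on=("ERROR",)):
    """Return (summary, exit_code): suppress findings whose fingerprint is in the
    baseline, exit 1 only if a *new* finding has a gated severity, and surface
    scan errors (unparsable files, timeouts) instead of silently ignoring them."""
    results = report.get("results", [])
    new = [r for r in results if fingerprint(r) not in baseline]
    blocking = [r for r in new if r["extra"]["severity"] in fail_on]
    summary = {
        "total": len(results), "new": len(new), "blocking": len(blocking),
        "scan_errors": len(report.get("errors", [])),
        "lines": [f'{r["path"]}:{r["start"]["line"]} {r["check_id"]} '
                  f'[{r["extra"]["severity"]}]' for r in new],
    }
    return summary, (1 if blocking else 0)


# Constructed report in the --json shape: one already-known ERROR, one new
# WARNING, one new ERROR.
SAMPLE_REPORT = {
    "results": [
        {"check_id": "demo-subprocess-shell-true", "path": "app.py",
         "start": {"line": 4, "col": 5}, "end": {"line": 4, "col": 46},
         "extra": {"severity": "ERROR", "message": "shell=True with non-literal",
                   "lines": '    subprocess.run("ls " + user_arg, shell=True)'}},
        {"check_id": "demo-eval-call", "path": "util.py",
         "start": {"line": 12, "col": 9}, "end": {"line": 12, "col": 20},
         "extra": {"severity": "WARNING", "message": "eval on untrusted input",
                   "lines": "    eval(expr)"}},
        {"check_id": "demo-subprocess-shell-true", "path": "deploy.py",
         "start": {"line": 30, "col": 5}, "end": {"line": 30, "col": 50},
         "extra": {"severity": "ERROR", "message": "shell=True with non-literal",
                   "lines": "    subprocess.call(cmd, shell=True)"}},
    ],
    "errors": [],
}

# Baseline recorded from an earlier scan (constructed): the app.py finding is known.
BASELINE = frozenset({("demo-subprocess-shell-true", "app.py",
                       'subprocess.run("ls " + user_arg, shell=True)')})

if __name__ == "__main__":
    summary, code = triage(SAMPLE_REPORT, BASELINE)
    print(json.dumps(summary, indent=2), "-> exit", code)
    live = run_semgrep()
    if live is not None:
        print("live scan of the demo target:", triage(live)[0]["lines"])
    raise SystemExit(code)
```

The baseline logic here is the local equivalent of what `semgrep ci` does against a deployment (or `semgrep scan --baseline-commit` does against a git ref); keying on matched source text rather than line numbers is what keeps a rebase from turning every old finding into a "new" one.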
Caveats
  • The open-source engine is explicitly limited for some security use cases: it analyzes one function and one file at a time, so it produces false negatives for bugs that only show up through cross-function or cross-file data flow.
  • MCP support exists but is still in beta, and hosted or cloud-backed flows add authentication (login, tokens) and deployment assumptions beyond a simple local scan.