Definition
Plain language
A static analysis tool for finding bug patterns in source code with simple rules.
As stated in the literature
A lightweight pattern-based static analysis engine that lets developers express vulnerability and bug patterns using code-like rule syntax.
Why it matters: It's how many security teams scale code review to large repos, and an AI agent that operates through Semgrep rules can therefore reach where humans can't.
For example, a Semgrep rule can flag every call to a deprecated crypto function across a million-line codebase in seconds.
Heard on the show
“The authors do an analysis of four other code-graph platforms — Sourcegraph, Semgrep, CodeQL, Qodana — and argue that the same preconditions exist there.”Episode 039 — When Smarter Agents Get Fooled by Three Extra Nodes in a Database