Review

Semgrep: credible AppSec platform, with pricing that scales fast

Semgrep is worth using for teams that need SAST, SCA, secrets detection, and AI-assisted triage in one platform, but contributor-based pricing and the AI data path make the tradeoffs real.

Last updated April 2026 · Pricing and features verified against official documentation

Semgrep began as the sort of tool security teams used because they were tired of slower, noisier scanners. That original appeal still matters, but the product around it has changed. What used to feel like a sharp static-analysis engine is now a broader AppSec platform with code, supply chain, and secrets scanning, plus an AI layer for triage and remediation.

That change is mostly a good one. Semgrep is strongest when a team wants one security system that can live in the CLI, CI/CD, IDE, pull requests, and a hosted review workflow without forcing everyone into a heavyweight security console. The free edition is also unusually legitimate for evaluation and for small teams that want real scanning rather than a toy plan.

The catch is that Semgrep now sells a platform, not just a scanner. Pricing is contributor-based, the feature matrix is split across product lines, and the AI features introduce a separate privacy and retention path that security-conscious buyers need to understand before they roll it out broadly.

So the honest verdict is straightforward: Semgrep is a serious AppSec buy for teams that will actually use the platform layer. It is a less attractive default for people who only want local scanning or who are allergic to commercial complexity creeping into a once-clean open-source story.

What the product actually is now

Semgrep is not just a CLI scanner with nicer branding. The current product spans Semgrep Code, Semgrep Supply Chain, Semgrep Secrets, and Semgrep Assistant, with a hosted AppSec platform on top of the local and CI-based scanning workflows. The company now also talks about Semgrep Multimodal and AI-assisted security workflows, which is a sign that the product has moved from pure detection toward detection plus judgment.

That matters because the product’s center of gravity is no longer the open-source engine by itself. Semgrep now wants to be the place where findings are triaged, prioritized, remediated, and governed. For organizations with multiple repos and real security process, that is a meaningful upgrade. For smaller teams, it can feel like a lot of machine for a job that only needed a sharp scanner.

Strengths

It keeps scanning close to the code. Semgrep still does the thing good security tooling should do: it finds issues without making developers leave their workflow. The company says local or fully CI-based scans keep source code on your machine or in your CI environment, with only metadata sent to Semgrep's service, and the product runs through the CLI, IDE plugins, PR/MR checks, and CI/CD workflows. That is the right boundary for a scanner, but check the docs for exactly what that metadata covers before you treat the claim as a data-boundary guarantee in a threat model.

The platform covers the whole AppSec stack instead of one slice of it. Semgrep Code, Supply Chain, and Secrets are now presented as one system rather than three disconnected tools. That makes it a better fit for teams that want SAST, dependency risk, and secret detection to feed the same triage process, especially when they also want SSO, RBAC, APIs, and managed onboarding.

The AI layer is more than a marketing sticker. Semgrep Assistant includes AI memories, remediation guidance, dependency upgrade guidance, auto-triage, and autofix. Semgrep says it reached 96% agreement with its own researchers on true-positive triage decisions in 2025, which is not the same as perfection, but it is strong enough to matter when the alternative is drowning developers in alerts.

The free edition is good enough to matter. Free covers up to 10 contributors and 50 repositories, and it includes Code and Supply Chain scanning with AI-powered triage and remediation. That is a real evaluation tier, not a pressure campaign disguised as one, and it lowers the cost of checking whether Semgrep fits your team before procurement gets involved.

Weaknesses

The pricing model scales in a way buyers will feel. Teams start at $30 per contributor per month for Code or Supply Chain, Secrets starts at $15, and the free plan caps out at 10 contributors. Contributor-based billing is easy to explain in a sales deck and harder to love once a team starts scanning more private repositories and the count keeps rising.

The open-source story is less clean than it used to be. In early 2025, The New Stack reported on Opengrep, a fork created after Semgrep’s license shift. That does not make Semgrep unusable, but it does mean the product now carries some of the friction that comes with a commercial platform pulling away from the cleanest version of its open-source roots.

The AI features add a real data path to think about. Semgrep's pricing page says AI-powered detection, triage, and remediation can send part of a file containing a finding to a model provider, although the provider is not permitted to train on the submitted code. The assistant privacy docs also say prompts and responses can be logged, relevant lines of code are sent to OpenAI or Amazon Bedrock, and uploaded context documents plus AI scan reports are stored in Semgrep-managed S3. That is manageable, but it is not invisible, and it deserves a line in the data-flow diagram before the feature is switched on for every repository.

This is still a platform, which means overhead. If all you want is a local scanner or a lightweight rule engine, Semgrep’s hosted workflow can feel like more product than problem. The platform makes sense when you need governance and shared triage; it is less compelling if the whole job is “find the issue and move on.”

Pricing

Semgrep’s pricing is best understood as a platform price, not a scanner price. The free edition is genuinely useful, but it is bounded by 10 contributors and 50 repositories, so it is mostly an evaluation or small-team tier. The real commercial line starts at $30 per contributor per month for Code or Supply Chain, with Secrets at $15 per contributor per month.

That means Semgrep is most attractive when a team values the workflow around the findings. If you are paying for SSO, RBAC, APIs, managed scans, and AI-assisted triage, the contributor model makes sense. If you only need to catch bad patterns in a few repositories, the pricing becomes harder to defend because the platform cost arrives before the workflow benefits do.

Enterprise is the obvious tier for teams with on-prem SCM, custom CI/CD integrations, dedicated infrastructure, or a need for volume pricing. The pricing trap is not that Semgrep is expensive in abstract terms; it is that contributor billing turns the bill into something that grows with your engineering footprint rather than with the narrow value of the scanner itself.

Privacy

Semgrep’s privacy posture is decent for a security product, but it is not a one-line yes/no answer. The general privacy notice says Semgrep collects submitted, device, and usage data, uses third-party service providers, stores data in the United States, and keeps personal information for no more than two years unless a longer legal retention period applies. The main notice was last updated in September 2024.

The AI path is where buyers need to pay attention. Semgrep's assistant privacy docs say the current model subprocessors are OpenAI and Amazon Bedrock, both configured with zero data retention on the provider side, while Semgrep itself stores prompts and responses for performance evaluation, with source snippets retained for that purpose. So "zero retention" applies to the model provider, not to Semgrep. The same docs say customers can opt into a minimal data retention policy, and the trust portal says customers can choose or opt out of specific AI providers.

On compliance, Semgrep says Semgrep Inc. is SOC 2 Type II certified, and its compliance docs also cover GDPR and list ISO 27001 and ISO 27017 as supported standards. That is a respectable baseline for a product that may touch source code, but the practical rule remains simple: if your team does not want code snippets leaving your environment in any form, do not turn on the AI features casually.

Who it is best for

AppSec teams that need one system for scanning and triage. Semgrep is a good fit when security engineers want SAST, SCA, secrets detection, and remediation workflows to live in one place instead of being split across separate tools.

Engineering orgs that want security to sit inside the developer loop. Teams using GitHub, GitLab, VS Code, JetBrains, and CI/CD integrations can get value from Semgrep without asking developers to learn a new security-first workspace.

Smaller teams that want a real free tier before they buy. The free edition is good enough for evaluation and limited production use, which makes it a practical way to test the platform before committing to contributor-based pricing.

Teams with enough backlog to benefit from AI triage. If your AppSec group is already overwhelmed by noisy findings, Semgrep Assistant can reduce the amount of human review needed, especially when the main problem is prioritization rather than detection.

Who should look elsewhere

Developers who mainly want AI code review or fix suggestions should look at CodeRabbit, Qodo, or Sweep. Those products are closer to review automation than AppSec policy, which is a different job.

Teams that only need a local scanner should stay with the free CLI workflow or compare it against a simpler tool. Semgrep's hosted platform is useful, but it is not free of operational overhead.

Buyers who dislike code leaving the environment for AI processing should either keep the AI features off or choose a workflow that never introduces that path in the first place. Semgrep is transparent enough about the tradeoff; the question is whether you want the tradeoff at all.

Bottom line

Semgrep is one of the more serious AppSec platforms in the market because it does more than detect problems. It tries to reduce noise, route findings into the right workflows, and give security teams enough structure to act without turning every repo into a governance project.

That makes it worth buying for the teams that need exactly that. It is less compelling as a default choice for people who only want a fast local scanner, or for organizations that will resent contributor pricing the moment the platform starts to work as intended.