Semgrep API
Semgrep is a fast, open-source static analysis engine with a cloud platform (Semgrep AppSec Platform) for managing findings across codebases at scale. The REST API provides programmatic access to scan findings, project management, deployment configuration, and supply chain vulnerability data. Semgrep's rule language enables custom pattern matching without working with complex ASTs, which makes it popular for both security research and DevSecOps automation. The API is the automation layer for teams that run Semgrep in CI/CD and want to build custom triage, reporting, or remediation workflows.
Score Breakdown
🔒 Security
SAST/code scanning platform. API token auth. Scan results contain vulnerability details, so restrict access to them. Code is sent to the Semgrep cloud; use self-hosted scanning for sensitive IP.
Best When
You run Semgrep in CI/CD and need to programmatically access findings, manage policy, or build automated triage and reporting workflows on top of code scanning results.
Avoid When
You need API access but are on the Free plan (no API access), or you need runtime/DAST capabilities rather than static source analysis.
Use Cases
- Querying SAST findings across all projects in a deployment for security posture reporting
- Triaging and bulk-closing false positives programmatically based on custom criteria
- Integrating Semgrep scan results into JIRA, Slack, or ticketing systems via API
- Monitoring supply chain vulnerability alerts across dependencies using Semgrep Supply Chain
- Fetching secrets detection findings for credential rotation workflows
- Building custom dashboards showing vulnerability trends over time by project or rule
Not For
- Dynamic application security testing (DAST) — Semgrep only analyzes source code statically
- Binary analysis or runtime security monitoring
- Teams on the Free tier — API access requires a Teams or Enterprise subscription
- Deep dataflow analysis across microservices (Semgrep Pro Engine helps, but has limits)
- Language ecosystems with limited Semgrep rule coverage (some niche languages have few community rules)
Interface
Authentication
Bearer token authentication using API tokens generated in the Semgrep AppSec Platform settings. Tokens are org-scoped. There are no fine-grained RBAC scopes on tokens; the access level is determined by the token owner's role in the organization.
Pricing
REST API access requires the Teams or Enterprise tier. The Free tier supports CLI and GitHub Actions integration without API access. Enterprise adds SSO, advanced RBAC, and dedicated support.
Agent Metadata
Known Gotchas
- ⚠ API access requires a Teams or Enterprise subscription — agents on Free accounts will get 403 errors, and the error message gives no clear upgrade path
- ⚠ Findings have a complex triage state machine (open, ignored, fixed, reviewing) — agents must understand the valid state transitions before updating a finding
- ⚠ Semgrep rule IDs are composite strings (e.g., 'p/javascript.lang.security.audit.path-traversal') — they must be URL-encoded in query params
- ⚠ Triggering a scan via the API is not supported — scans are initiated through the CI/CD integration; the API only reads results and cannot start new scans
- ⚠ Supply Chain and Code findings use different schemas — agents querying both need schema-aware response handling
- ⚠ A deployment ID is required for most endpoints — fetch it from /deployments first and cache it
Scores are editorial opinions as of 2026-03-06.