{"id":"semgrep-api","name":"Semgrep API","homepage":"https://semgrep.dev","repo_url":"https://github.com/semgrep/semgrep","category":"security","subcategories":["sast","static-analysis","code-security","supply-chain-security"],"tags":["semgrep","sast","static-analysis","security","code-scanning","devsecops","owasp","secrets","supply-chain"],"what_it_does":"Semgrep is a fast, open-source static analysis engine paired with a cloud platform (Semgrep AppSec Platform) for managing findings across many codebases. The REST API gives programmatic access to scan findings, project and deployment configuration, and supply chain vulnerability data. Semgrep rules are written as patterns that look like the code they match, using metavariables and ellipses instead of hand-written AST queries, which is why it is popular both for security research and for DevSecOps automation. The API is the automation layer for teams that run Semgrep in CI/CD and want to build custom triage, reporting, or remediation workflows on top of the results.","use_cases":["Querying SAST findings across all projects in a deployment for security posture reporting","Triaging and bulk-closing false positives programmatically based on custom criteria","Pushing Semgrep scan results into Jira, Slack, or other ticketing systems via the API","Monitoring supply chain vulnerability alerts across dependencies with Semgrep Supply Chain","Fetching secrets detection findings to drive credential rotation workflows","Building custom dashboards that show vulnerability trends over time by project or rule"],"not_for":["Dynamic application security testing (DAST): Semgrep analyzes source code statically and never exercises a running application","Binary analysis or runtime security monitoring","Teams on the Free plan: API access requires a Team or Enterprise subscription","Dataflow analysis that crosses service boundaries: the Semgrep Pro Engine adds cross-file and cross-function taint tracking within a single repository, but it does not follow data between microservices","Language ecosystems with thin rule coverage: some niche languages have few community or registry rules"],"best_when":"You run Semgrep in CI/CD and need to programmatically access findings, manage policy, or build automated triage and reporting workflows on top of code scanning results.","avoid_when":"You need API access but are on the Free plan (which has none), or you need runtime or DAST capabilities rather than static source analysis.","alternatives":[{"id":"snyk-api","reason":"Better for dependency, container, and IaC vulnerability management alongside code scanning"},{"id":"socket-api","reason":"Better for third-party package supply chain risk scoring rather than first-party code analysis"},{"id":"github-rest-api","reason":"GitHub's code scanning alerts API exposes SAST findings in a similar way when CodeQL runs in GitHub Actions, or when Semgrep SARIF output is uploaded to code scanning"}],"af_score":77.6,"security_score":null,"reliability_score":null,"package_type":"mcp_server","discovery_source":["github","github_awesome"],"priority":"low","status":"evaluated","version_evaluated":"current","last_evaluated":"2026-03-01T09:50:06.175816+00:00","performance":{"latency_p50_ms":300,"latency_p99_ms":1500,"uptime_sla_percent":99.5,"rate_limits":"Rate limits apply but are not publicly documented; Enterprise customers get higher limits","data_source":"llm_estimated","measured_on":null}}
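The triage and posture-reporting use cases above are the kind of logic teams build on top of the findings endpoint. The following is an added example written for this entry; it is not Semgrep's own code. It fetches one page of findings with a Bearer token (a network call that is not exercised offline), then applies three pieces of triage logic to a constructed list of findings: a conservative bulk-close selector that never auto-closes high or critical findings, a per-repository open-findings summary, and a priority list of high-confidence severe findings. The field names (`id`, `state`, `triage_state`, `severity`, `confidence`, `rule_name`, `repository.name`, `location.file_path`), the severity and state value sets, the endpoint path and its query parameters are assumptions taken from Semgrep's published API reference and should be checked against the current docs; the rule names and repository names in the sample are constructed for the example.

```python
"""Added example: triage helpers over Semgrep AppSec Platform findings.

Not Semgrep's own code. Field names, severity/state values and the endpoint
path are assumptions based on Semgrep's public API reference; verify them
against the current docs before using this with a real deployment.
"""
import json
import urllib.request
from collections import Counter, defaultdict

API_BASE = "https://semgrep.dev/api/v1"

# Ordering for severity comparisons. Assumed value set.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def fetch_findings(deployment_slug, token, page=0, page_size=100):
    """GET one page of findings for a deployment with a Bearer token.

    Network call, not used by the offline sample below. Path and query
    parameters are assumed from Semgrep's API reference (Team/Enterprise plan).
    """
    url = f"{API_BASE}/deployments/{deployment_slug}/findings?page={page}&page_size={page_size}"
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp).get("findings", [])


def _open(finding):
    """Open: still present in the latest scan and not triaged away (assumed values)."""
    return finding.get("state") == "unresolved" and finding.get("triage_state") != "ignored"


def select_bulk_close_candidates(findings, rule_allowlist=frozenset(),
                                 test_prefixes=("test/", "tests/"), max_severity="medium"):
    """IDs of untriaged findings that local policy treats as noise.

    A finding qualifies only if it is untriaged, at or below max_severity, and
    either comes from a rule this deployment has marked noisy or sits under a
    test directory. High and critical findings are never auto-closed. Illustrative policy.
    """
    cap = SEVERITY_RANK[max_severity]
    ids = []
    for f in findings:
        if f.get("triage_state") != "untriaged":
            continue
        if SEVERITY_RANK.get(f.get("severity"), cap + 1) > cap:
            continue  # unknown severities are treated as too severe to auto-close
        path = f.get("location", {}).get("file_path", "")
        if f.get("rule_name") in rule_allowlist or path.startswith(test_prefixes):
            ids.append(f["id"])
    return ids


def posture_summary(findings):
    """Open findings per repository, counted by severity."""
    per_repo = defaultdict(Counter)
    for f in findings:
        if _open(f):
            per_repo[f.get("repository", {}).get("name", "?")][f.get("severity", "unknown")] += 1
    return {repo: dict(counts) for repo, counts in per_repo.items()}


def highest_priority(findings, min_severity="high"):
    """Open, high-confidence findings at or above min_severity, most severe first."""
    floor = SEVERITY_RANK[min_severity]
    hits = [f for f in findings
            if _open(f) and f.get("confidence") == "high"
            and SEVERITY_RANK.get(f.get("severity"), -1) >= floor]
    return sorted(hits, key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)


def _finding(fid, repo, sev, conf, triage, state, path, rule):
    return {"id": fid, "state": state, "triage_state": triage, "severity": sev,
            "confidence": conf, "rule_name": rule, "repository": {"name": repo},
            "location": {"file_path": path, "line": 1}}


# Constructed sample in the assumed response shape; rule and repo names are made up.
SAMPLE_FINDINGS = [
    _finding(101, "acme/payments", "high", "high", "untriaged", "unresolved", "app/db.py", "acme.custom.sql-string-concat"),
    _finding(102, "acme/payments", "medium", "low", "untriaged", "unresolved", "tests/test_hash.py", "acme.custom.weak-hash"),
    _finding(103, "acme/web", "low", "medium", "ignored", "unresolved", "config/dev.env", "acme.custom.hardcoded-key"),
    _finding(104, "acme/web", "critical", "high", "untriaged", "fixed", "src/render.js", "acme.custom.raw-html"),
    _finding(105, "acme/web", "medium", "high", "untriaged", "unresolved", "src/util.py", "acme.custom.weak-hash"),
    _finding(106, "acme/web", "critical", "high", "untriaged", "unresolved", "src/auth.py", "acme.custom.jwt-none-alg"),
]

if __name__ == "__main__":
    print("bulk-close:", select_bulk_close_candidates(SAMPLE_FINDINGS, rule_allowlist={"acme.custom.weak-hash"}))
    print("posture:", posture_summary(SAMPLE_FINDINGS))
    print("priority:", [f["id"] for f in highest_priority(SAMPLE_FINDINGS)])
```

Note that a rule allowlist alone is not enough to make bulk-closing safe: finding 105 comes from the allowlisted rule but is only closed because it is also at or below the severity cap, and a high-severity finding from the same rule would be left open for a human. Closing the selected IDs is a separate write call against the API and is deliberately not included here.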