How much does Semgrep cost?

Semgrep pricing ranges from $0 to $40 per month across 2 published tiers. Higher tiers require contact with sales for a quote.

What rank does Semgrep hold in the Code Quality and Static Analysis category?

Semgrep ranks #7 of 10 code quality and static analysis platforms in the Zendikt editorial ranking, last updated 2026-05-10.

Semgrep review, pricing, and verified intelligence

Best for

Security teams that want to write and version custom SAST rules without learning CodeQL, and engineering organizations wanting open-source-first credibility with a credible commercial upgrade path. Particularly strong for buyers rejecting legacy SAST procurement.

Worst for

Buyers wanting deepest semantic analysis on data-flow-heavy bugs (CodeQL better), broadest language coverage (SonarQube better), or one-vendor SAST plus DAST plus SCA bundling (Veracode or Checkmarx better).

Vendor Trust Score

Is Semgrep a trustworthy vendor?

7.9/10

Mixed

Pricing transparency

Published rates; no hidden fees

7.5

Contract fairness

Reasonable terms; no auto-renew traps

8.0

Incident response

How they handle outages and breaches

7.5

Post-acquisition behavior

Customer treatment after M&A or PE

8.5

Executive stability

Leadership churn over 24 months

8.0

Roadmap honesty

Public commitments held

8.0

Trust signal log

2021-03-15

r2c (Semgrep) Y Combinator W21

Y Combinator-backed; founded the open-source-first credibility that defines the product line.
2023-11-15

Semgrep AppSec Platform launched

Commercial tier expansion with managed triage, dashboards, and enterprise SSO.
2024-09-22

Semgrep Registry passed 2,500 community rules

Active community contribution; defensible signal for open-source-first credibility.

Vendor Trust is scored independently of product quality. A great product from an unfair vendor still earns a low trust score.

Review Intelligence

What 340 reviews actually say

Synthesized from G2, Capterra, Reddit, Trustpilot. Patterns >15% prevalence shown.

Last synthesized

2026-04-29

Praise patterns

Open-source-first credibility
87% →
Readable rule language; security teams write rules
78% ↑
Fast scan times; realistic PR-time feedback
71% →
Strong community in Semgrep Registry
64% ↑

Complaint patterns

Semantic depth lags CodeQL on data-flow-heavy bugs
47% →
Enterprise features gated to commercial tier
41% →
Smaller vendor footprint; procurement pushback at large enterprises
38% →
Documentation quality uneven on advanced rules
31% →

Sentiment trend (6 months)

84/100 0 pts

Patterns are extracted from review corpus and human-verified. We surface trends, not anecdotes.

Verified Pricing

What buyers actually pay

184 anonymized deal disclosures · last updated 2026-05-01

Contribute your deal price

Company size	Median annual	Sample	vs. listed floor
Community Edition (open-source)	$0	98	-
Cloud Team (mid-market)	$4,800	62	-
AppSec Platform Enterprise	$96,000	24	-

Verified pricing is crowdsourced from buyers under anonymity guarantees. Vendor-listed prices are validated against actual deals quarterly.

Compliance & Security

Auto-verified certifications

Verified 2026-05-01

SOC 2 Type II

ISO 27001

HIPAA

GDPR

CCPA

PCI DSS

◐ FedRAMP In-Process

Editorial: Strengths

Open-source-first credibility; permissively licensed Community Edition
Readable rule language; security teams write rules without query-language overhead
2,500+ rules in Semgrep Registry; strong community contribution
Fast scan times; PR-time feedback realistic
Strong fit for security teams that want custom-rule velocity
Y Combinator W21 backing and credible roadmap
Excludes the false-positive overhead common to legacy SAST

Editorial: Weaknesses

Semantic depth lags CodeQL on data-flow-heavy vulnerability classes
Commercial product surface younger than Veracode or Checkmarx
Enterprise features (SSO, audit, RBAC) gated to commercial tier
Smaller vendor footprint; procurement pushback at large enterprises
Documentation quality uneven on advanced rule features
Pricing transparency partial; quote-only at Enterprise

Key features & integrations

+Open-source CLI with permissive license
+Readable Semgrep rule syntax (pattern-matching)
+2,500+ rules in Semgrep Registry
+PR decoration on GitHub, GitLab, Bitbucket
+Custom-rule velocity for security teams
+OWASP Top 10, CWE Top 25 mapping
+IDE plugins for VS Code, IntelliJ
+SAML SSO, audit, RBAC at Enterprise
+REST API plus CLI
+Active community on the Semgrep Registry

60+ integrations

GitHubGitLabBitbucketAzure DevOpsJenkinsCircleCIJiraSlackVS Code

Geography supported

Global; strongest in US, EU, UK

Best fit

20 to 50,000+ employees · Security teams wanting custom-rule velocity and engineering orgs rejecting legacy SAST

Editorial deep-dive

Read our full ranking of Code Quality and Static Analysis

Semgrep ranks #7 in our editorial review of 10 code quality and static analysis platforms. The deep-dive covers methodology, comparison tables, decision matrix, migration scoring, and FAQs.

Read the full ranking

Closest alternatives in Code Quality and Static Analysis

Checkmarx

Legacy enterprise SAST plus SCA plus IaC under PE control.

★ 4.2 opaque

CodeQL

Deepest semantic SAST engine, bundled with GitHub Advanced Security.

★ 4.5 public

Veracode

Legacy enterprise SAST plus DAST plus SCA, now under Thoma Bravo.

★ 4.2 opaque

Help the next buyer

Contribute your verified deal price

Pricing in B2B software is opaque because vendors want it that way. Verified buyer prices fix that, anonymously. Share what you actually paid for Semgrep; we’ll add it to the verified pricing dataset on this page (with company size band only, no identifying details).

Submit anonymously