Supported languages
The following table lists all Generally available (GA) and Beta languages for Semgrep Code (SAST) and Semgrep Supply Chain (SCA).
Languages are arranged by feature completeness from most to least. If applicable, click on the language name to learn more.
Cross-file (interfile) analysis for Semgrep Code and reachability analysis for Semgrep Supply Chain are the most advanced analyses that Semgrep provides. See Feature definitions for more details.
Supported languages table
| Languages | Semgrep Code Supports 35+ languages | Semgrep Supply Chain Supports 14 languages |
| C# | Generally available • Cross-file dataflow analysis • Supports up to C# 13 • 170+ Pro rules | Generally available • Reachability analysis • Can detect open source licenses • Can detect malicious dependencies |
| Go | Generally available • Cross-file dataflow analysis • 80+ Pro rules | Generally available • Reachability analysis • Can detect open source licenses • Can detect malicious dependencies |
| Java | Generally available • Cross-file dataflow analysis • Framework-specific control flow analysis • 190+ Pro rules | Generally available • Reachability analysis • Can detect open source licenses |
| JavaScript | Generally available • Cross-file dataflow analysis • Framework-specific control flow analysis • 250+ Pro rules | Generally available • Reachability analysis • Can detect open source licenses • Can detect malicious dependencies |
| Kotlin | Generally available • Cross-file dataflow analysis • 60+ Pro rules | Generally available • Reachability analysis • Can detect open source licenses |
| Python | Generally available • Cross-file dataflow analysis • Framework-specific control flow analysis • 710+ Pro rules • See Python-specific support details | Generally available • Reachability analysis • Can detect open source licenses • Can detect malicious dependencies |
| Typescript | Generally available • Cross-file dataflow analysis • Framework-specific control flow analysis • 230+ Pro rules | Generally available • Reachability analysis • Can detect malicious dependencies • Can detect open source licenses |
| C / C++ | Generally available • Cross-file dataflow analysis • 150+ Pro rules | N/a |
| JSX | Generally available • Cross-function dataflow analysis • 70+ Pro rules | Generally available • Reachability analysis • Can detect open source licenses |
| Ruby | Generally available • Cross-function dataflow analysis • 40+ Pro rules | Generally available • Reachability analysis • Can detect open source licenses • Can detect malicious dependencies |
| Scala | Generally available • Cross-function dataflow analysis • Community rules | Generally available • Reachability analysis • Can detect open source licenses |
| Swift | Generally available • Cross-function dataflow analysis • 60+ Pro rules | Generally available • Reachability analysis • Can detect open source licenses |
| Rust | Generally available • Cross-function dataflow analysis • 40+ Pro rules | Beta • Can detect open source licenses • Can detect malicious dependencies |
| PHP | Generally available • Cross-function dataflow analysis • 50+ Pro rules | Generally available • Reachability analysis • Can detect open source licenses |
| Terraform | Generally available • Cross-function dataflow analysis • Community rules | N/a |
| Generic | Generally available | N/a |
| JSON | Generally available | N/a |
| Elixir | Beta | Beta |
| APEX | Beta | -- |
| Dart | Experimental | Beta |
Click to view experimental languages for Semgrep Code.
- Bash
- Cairo
- Circom
- Clojure
- Dockerfile
- Hack
- HTML
- Jsonnet
- Julia
- Lisp
- Lua
- Move on Aptos
- Move on Sui
- OCaml
- R
- Scheme
- Solidity
- YAML
- XML
More information
Language maturity levels differ from feature and product maturity levels.
Where to look:
- See Language maturity levels for maturity definitions used on the supported languages pages.
- See Feature definitions for analysis terminology referenced on the supported languages pages.
- For Supply Chain dependency metadata support, see Package manager support.
- For Supply Chain feature coverage by language, see Supply Chain feature support.
Visit the cheat sheet generation script and associated semgrep-core test files to learn more about each feature:
Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.