Semgrep for security & code scanning

Our top pick for security & code scanning: Semgrep (official)

For security and code scanning, Semgrep's official server is the top pick. It runs fast, semantic, rule-based scanning across a broad set of languages and can apply custom rules or pull existing AppSec Platform findings right where the code is being written, which is exactly the shift-left loop this task is about.

It leads here because catching a vulnerability while the code is still in the editor beats finding it weeks later, and Semgrep's scanning is built for that immediacy. The agent scans what it just generated, reads the finding, and fixes it before it lands, in one pass.

How Semgrep fits

semgrep_scan runs locally on file paths and semgrep_scan_remote on provided code content, returning findings as JSON for the agent to triage. semgrep_scan_with_custom_rule handles vulnerabilities the default rulesets do not cover, and semgrep_rule_schema with get_abstract_syntax_tree help author and verify those rules against real code structure. semgrep_scan_supply_chain identifies vulnerable third-party dependencies in a workspace, semgrep_findings pulls security, quality, and supply-chain results from the AppSec Platform when authenticated, and get_supported_languages reports the languages a scan covers.

The honest scope: this is static analysis, so it reasons about code and dependencies, not live exploitation or runtime behavior. Snyk fits better when developer-security across dependencies and container images is the center of the work, and SonarQube when you want a full code-quality-and-security platform with coverage tracking and merge gates over time. The picks overlap on purpose, so choose by what you already run. Reach for Semgrep first when fast, semantic, rule-backed scanning inside the assistant is the priority.

Tools you would use

Tool: what it does

semgrep_scan: Runs a Semgrep scan locally on the provided code files (absolute paths) and returns the findings in JSON format.
semgrep_scan_remote: Runs a Semgrep scan on provided code content (rather than local file paths) and returns the findings in JSON format.
semgrep_scan_with_custom_rule: Runs a Semgrep scan with a custom rule against provided code content, for vulnerabilities not covered by the default rulesets.
semgrep_scan_supply_chain: Runs a Semgrep supply-chain scan on a workspace directory to identify third-party (dependency) security vulnerabilities.
semgrep_rule_schema: Returns the schema for a Semgrep rule, showing the fields available when writing or verifying a rule.
semgrep_findings: Fetches existing security, code-quality, and supply-chain findings from the Semgrep AppSec Platform Findings API (requires authentication).
get_supported_languages: Returns the list of programming languages supported by Semgrep.
get_abstract_syntax_tree: Returns the abstract syntax tree (AST) for a provided code file in JSON format, to understand its structure.
semgrep_whoami: Returns the identity of the currently authenticated user (works with JWTs, not API tokens).
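The tools above hand the agent findings as JSON, and the "How Semgrep fits" paragraph describes the agent triaging them before the code lands. As an added example (not code from the page or from the Semgrep project), here is a small triage helper for that step. It assumes the scan tools return the same document shape as `semgrep --json` (a top-level "results" list and an "errors" list); the rule ids, paths, messages and the parse error in the sample report are constructed for illustration and are not real findings.

```python
# Added example (not part of the original page or the Semgrep project): triage
# helper for the JSON findings that semgrep_scan / semgrep_scan_remote return.
# Assumption: the tools return the same document shape as `semgrep --json`
# (a top-level "results" list plus an "errors" list).
import json
from collections import Counter

# Semgrep severities, highest first; anything unknown sorts last.
SEVERITY_RANK = {"ERROR": 0, "WARNING": 1, "INFO": 2}

# Constructed sample report, shaped like a real Semgrep JSON report. The rule
# ids, paths and messages are illustrative, not real findings.
SAMPLE_REPORT = json.dumps({
    "results": [
        {
            "check_id": "custom.example.sqli-string-format",
            "path": "app/db.py",
            "start": {"line": 12, "col": 5},
            "end": {"line": 12, "col": 48},
            "extra": {
                "severity": "ERROR",
                "message": "SQL built with string formatting; use a parameterised query.",
                "fix": "cursor.execute(\"SELECT * FROM users WHERE id = %s\", (user_id,))",
                "metadata": {"cwe": ["CWE-89"]},
                "lines": "cursor.execute(f\"SELECT * FROM users WHERE id = {user_id}\")",
            },
        },
        {
            "check_id": "custom.example.subprocess-shell-true",
            "path": "app/tasks.py",
            "start": {"line": 40, "col": 1},
            "end": {"line": 40, "col": 30},
            "extra": {
                "severity": "WARNING",
                "message": "subprocess called with shell=True.",
                "metadata": {"cwe": "CWE-78"},  # metadata.cwe may be a bare string
                "lines": "subprocess.run(cmd, shell=True)",
            },
        },
        {
            "check_id": "custom.example.todo-comment",
            "path": "app/util.py",
            "start": {"line": 3, "col": 1},
            "end": {"line": 3, "col": 20},
            "extra": {"severity": "INFO", "message": "TODO left in code.", "metadata": {}},
        },
    ],
    # A parse error on one file: the scan is not a clean pass even when no
    # blocking finding was reported for that file, because it was not fully read.
    "errors": [{"level": "warn", "type": "PartialParsing", "path": "app/legacy.py"}],
})


def parse_findings(raw_json: str) -> list[dict]:
    """Flatten a Semgrep JSON report into one dict per finding."""
    data = json.loads(raw_json)
    findings = []
    for result in data.get("results", []):
        extra = result.get("extra", {})
        cwe = extra.get("metadata", {}).get("cwe", [])
        findings.append({
            "check_id": result["check_id"],
            "path": result["path"],
            "line": result["start"]["line"],
            "severity": str(extra.get("severity", "INFO")).upper(),
            "message": extra.get("message", ""),
            "fix": extra.get("fix"),  # autofix suggestion, when the rule carries one
            "cwe": [cwe] if isinstance(cwe, str) else list(cwe),
        })
    return findings


def scan_errors(raw_json: str) -> list[dict]:
    """Scan-level errors (parse failures, timeouts) reported alongside results."""
    return json.loads(raw_json).get("errors", [])


def prioritise(findings: list[dict]) -> list[dict]:
    """Order findings so the most severe ones are fixed first."""
    return sorted(
        findings,
        key=lambda f: (SEVERITY_RANK.get(f["severity"], len(SEVERITY_RANK)), f["path"], f["line"]),
    )


def blocking(findings: list[dict], min_severity: str = "ERROR") -> list[dict]:
    """Findings at or above min_severity: the set that should stop a commit."""
    threshold = SEVERITY_RANK[min_severity]
    return [f for f in findings if SEVERITY_RANK.get(f["severity"], 99) <= threshold]


def summarise(findings: list[dict]) -> dict[str, int]:
    """Count findings per severity, listing every known severity (zero if none)."""
    counts = Counter(f["severity"] for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_RANK}


def clean_pass(raw_json: str) -> bool:
    """True only when there are no blocking findings and no scan errors."""
    return not blocking(parse_findings(raw_json)) and not scan_errors(raw_json)


if __name__ == "__main__":
    for f in prioritise(parse_findings(SAMPLE_REPORT)):
        print(f"{f['severity']:7} {f['path']}:{f['line']}  {f['check_id']}  {','.join(f['cwe'])}")
        if f["fix"]:
            print(f"        suggested fix: {f['fix']}")
    for err in scan_errors(SAMPLE_REPORT):
        print(f"scan error: {err['type']} in {err['path']}")
    print("clean:", clean_pass(SAMPLE_REPORT))
```

The point of `clean_pass` checking the "errors" list as well as the findings is that a file Semgrep could not parse produces no findings at all, which looks identical to a file with nothing wrong; an agent that only counts results would treat it as clean. Feed the same functions the JSON returned by semgrep_scan_with_custom_rule or semgrep_findings once you have confirmed those tools return the same shape.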

FAQ

How many languages does Semgrep scan?
It supports a broad set, and get_supported_languages returns the current list so an agent can confirm coverage before a scan. The scanning itself runs through semgrep_scan and semgrep_scan_remote, with semgrep_scan_with_custom_rule for patterns the defaults miss.
Does Semgrep cover dependency and supply-chain risk?
Yes. semgrep_scan_supply_chain identifies vulnerable third-party dependencies in a workspace, and semgrep_findings pulls existing supply-chain results from the AppSec Platform. For dependency and container security as the main focus, though, Snyk is the stronger sibling.