Semgrep
Static analysis engine matching AST patterns—rules for OWASP classes, secrets, and custom policies.
Why it is included
Developer-native SAST that fits PR gates and purple-team pipelines.
Best for
Shifting security left on repos you own with custom rule packs.
Strengths
- Fast
- Rule marketplace
- CI integrations
Limitations
- Not a replacement for full manual review
Good alternatives
CodeQL (different analysis model) · Bandit (Python-only)
Related tools (Security & Privacy)
- OWASP ZAP: OWASP flagship web app scanner and proxy with automated checks, manual request tampering, scripting, and CI integrations.
- Gitleaks: Secret scanning for git repos and CI pipelines.
- OWASP Amass: Attack surface mapping engine with DNS, certificates, APIs, scraping, and graphing for deep asset discovery.
- Trivy: All-in-one scanner for container images, IaC, Kubernetes manifests, SBOMs, and VM OS packages with CI integrations.
- ModSecurity: Web application firewall engine for Apache, nginx, and IIS with OWASP CRS rule sets and audit logging.
- DefectDojo: Application vulnerability management that ingests findings from scanners, with dedupe, risk scoring, metrics, and Jira/CI hooks.
