> ## Documentation Index
> Fetch the complete documentation index at: https://semgrep-ee9d73d8-mintlify-b75b9a88.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Semgrep Code overview

Semgrep Code is a static application security testing (SAST) tool that detects security vulnerabilities in your first-party code.

You can use Semgrep Code to scan local repositories or integrate it into your CI/CD pipeline to automate the continuous scanning of your code.

## Rules

Semgrep Code uses **rules**, which encapsulate pattern matching logic and data flow analysis, to scan your code for security issues, style violations, bugs, and more. Semgrep generates and reports **findings** to you whenever it finds code that matches the patterns defined by rules.

Semgrep performs SAST scans using rules that define the patterns to detect in your code.

Rules used by the Semgrep Pro Engine are available in the [Registry](https://semgrep.dev/r). Additionally, you can [write custom rules](/writing-rules/overview) to determine what Semgrep Code detects in your repositories.

Whether you use pre-existing rules or write custom rules, knowing *which* rules Semgrep Code runs can help you understand how it detects security issues.

Semgrep Code is transparent; you can configure the rules it runs and inspect its syntax to understand how the finding was detected. You can also customize the content of a rule to improve the true positive rate of a rule or have Semgrep send a relevant message to developers.

## AI-powered detection (beta)

Semgrep’s AI-powered detection combines the precision of static analysis with the contextual reasoning of large language models (LLMs). With AI-Powered Detection, you can automatically identify complex business logic flaws, such as IDORs and broken authorization.

LLMs excel at understanding code context: variable names, class structures, function intent, and even comments. By pairing that reasoning power with structured scanning, Semgrep can:

* Enumerate key attack surfaces, such as routes or controllers.
* Check for missing safeguards, such as authentication, role checks, and permissions.
* Flag potential logic gaps for review before attackers ever find them.

Learn how to run an [AI-powered detection scan](/deployment/add-ai-to-scans).

## Findings

Semgrep AppSec Platform displays Semgrep Code's findings. Additionally, the platform allows you to:

* Triage findings
* Send alerts and notifications or create tickets to track findings identified by Semgrep Code
* Customize how Semgrep Code scans your repositories
* Manage your users and facilitate team collaboration in remediating security issues

## Language support and integrations

Semgrep Code supports a broad set of programming languages, with varying levels of analysis capabilities and language maturity.

* See the full list of [supported programming languages](/supported-languages)
* For definitions of language maturity levels, see the [Language maturity levels](/references/language-maturity-levels) page.
* For analysis terminology, see [Feature definitions](/references/feature-definitions).
* For a list of supported source code managers (SCM), see [Supported source code managers](/getting-started/scm-support) or learn how to [Connect a source code manager](/deployment/connect-scm).

## Semgrep Community Edition (CE) versus Semgrep Code analysis

By default, Semgrep Code can analyze interactions beyond a single function but within a single file, a process known as **cross-function or interprocedural analysis**. This smaller scope of analysis makes it faster and easier to integrate into developer workflows.

Semgrep CE can only analyze interactions within a single function, known as intraprocedural or single-function analysis. However, this means that Semgrep CE is slightly faster than Semgrep Code.

Semgrep Code also supports **[cross-file analysis](/semgrep-code/semgrep-pro-engine-intro/)** (interfile) analysis. These scans produce fewer false positives and more true positives, but take longer to complete.

## Enable Semgrep Code

<Steps>
  <Step>
    Sign in to [Semgrep AppSec Platform](https://semgrep.dev/login).
  </Step>

  <Step>
    Go to **[Settings > General > Code](https://semgrep.dev/orgs/-/settings/general/code)**.
  </Step>

  <Step>
    Click the **<Icon icon="toggle-large-on" iconType="solid" /> Code scans** toggle if it is not already enabled.
  </Step>
</Steps>

Subsequent scans now include Code scans.

### Run Semgrep Code scans with single-function analysis

In some cases, you may want to scan using Semgrep CE's single-function analysis. To do this, edit your `semgrep ci` command in your CI provider's configuration file with either the `--pro-languages` or `--oss-only` flags:

```yaml theme={null}
# Preferred; includes support for all Semgrep Code languages
semgrep ci --pro-languages

# Does not include all Semgrep Code language features
semgrep ci --oss-only
```

## Augment Semgrep Code with Semgrep Multimodal

[Semgrep Multimodal](/semgrep-multimodal/overview) provides AI-powered security recommendations to help you review, triage, and remediate your Semgrep findings. More specifically, Multimodal can:

* Provide [remediation guidance](/semgrep-multimodal/overview#remediation):
  * [Guidance in PR and MR comments](/semgrep-multimodal/overview#guidance) with step-by-step remediation instructions.
  * [Suggested fix](/semgrep-multimodal/overview#suggested-fix) with prose-based suggestions on how to fix findings.
  * [Autofix](/semgrep-code/triage-remediation/autofix) by opening PRs or MRs with AI-suggested fixes.
* Multimodal supports the tailoring of remediation guidance using [Memories](/semgrep-multimodal/overview#memories).
* [Tag your findings](/semgrep-multimodal/overview#component-tags) in Semgrep AppSec Platform to help identify high-priority issues.
* [Auto-triage findings](/semgrep-multimodal/overview#auto-triage) and suggest whether a finding can safely be ignored.
* [Filter out potential false positives](/semgrep-multimodal/overview#noise-filtering-beta) to help increase developer velocity.

## Next steps

* [View your findings](/semgrep-code/findings).
* Customize how Semgrep Code scans your repository by modifying the [default rules set](https://semgrep.dev/p/default) or [writing your own rules](/semgrep-code/editor/#write-a-new-rule-by-forking-an-existing-rule).
* Enable [Suggested fix](/semgrep-multimodal/customize#suggested-fix) in pull request or merge request comments.
* Enable [Rule-defined fix](/writing-rules/rule-defined-fix) so that Semgrep can push code suggestions to GitHub or GitLab to help your developers resolve findings.
* Enable [Autofix](/semgrep-code/triage-remediation/autofix) to create AI-generated pull requests or merge requests with fixes.
* Enable [cross-file scanning](/semgrep-code/semgrep-pro-engine-intro/).
* Learn how to run an [AI-powered detection scan](/deployment/add-ai-to-scans)

## Further reading

* Read the [Trail of Bits Automated Testing Handbook](https://appsec.guide/) to learn about configuring and optimizing security tools, including Semgrep.
