// Trust & Security Report

    Semgrep, Inc. logo

    Semgrep, Inc.

    Semgrep AppSec Platform - unified static application security testing (SAST), software composition analysis (SCA / Supply Chain), and secrets scanning, plus Semgrep Assistant (AI-assisted triage/autofix) and a Semgrep MCP server for AI coding agents. Semgrep Code, Supply Chain, and Secrets are sold together as the AppSec Platform; the underlying Semgrep CLI/engine is also available as a free, open-source, locally-run scanner.

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Semgrep Inc. is SOC 2 Type II certified... our latest SOC 2 Type II report (covering December 1, 2023 - November 30, 2024)

    Verify on docs.semgrep.dev
    GDPR (posture)
    HELD

    In some regions (like the European Economic Area), you have certain rights under applicable data protection laws... GDPR badge is displayed on the trust portal; a 'Data Transfer Impact Assessment' and 'Data Processing Agreement' are published for customer request.

    Verify on semgrep.dev
    > Show 6 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    Semgrep Inc. is not itself ISO 27001 certified, but the product can be used in deployment models that support an organization's ISO 27001 certification efforts.

    source: docs.semgrep.dev
    HIPAA
    NOT CONFIRMED

    Semgrep provides security tooling that can support compliance efforts, but does not guarantee compliance... PHI should not exist in code repositories, as Semgrep scans code repositories, not production systems or databases containing PHI data. No public evidence of a signed BAA or a HIPAA certification held by Semgrep Inc. itself.

    source: docs.semgrep.dev
    PCI DSS
    NOT CONFIRMED

    Semgrep can help address security requirements in compliance frameworks including... PCI DSS (page describes how the tool helps customers meet PCI DSS controls; no evidence Semgrep Inc. itself holds a PCI DSS attestation, and it is not listed on the trust portal).

    source: docs.semgrep.dev
    FedRAMP
    NOT CONFIRMED

    Semgrep can help address security requirements in compliance frameworks including FedRAMP, NIST 800-171... (framework the product helps customers with; not a FedRAMP authorization held by Semgrep Inc., and not listed on the trust portal).

    source: docs.semgrep.dev
    ISO/IEC 42001 (AI management)
    NOT CONFIRMED

    no public evidence - not referenced on the trust portal, compliance docs, or privacy pages

    source: trust.semgrep.dev
    CSA STAR
    NOT CONFIRMED

    no public evidence - not referenced on the trust portal or compliance docs

    source: trust.semgrep.dev

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Primary servers located in the United States per the Privacy Notice; a 'Data Transfer Impact Assessment' document is published on the trust portal for EU customers, but no explicit EU/other-region hosting option is documented publicly.

    Semgrep and its AI subprocessors (OpenAI, AWS Bedrock) operate under zero data retention agreements by default: 'AI subprocessors do not retain or use your data to train their models.' Semgrep maintains DPAs with all AI subprocessors, available via the trust portal on request. An 'Enterprise minimal data retention' option further limits code/prompt persistence within Semgrep's own systems for the Assistant/Multimodal feature. No contradiction found between the legacy Terms of Service and the current AI/Assistant privacy page.

    // Security controls

    Third-party penetration testing

    Annual full-scope, whitebox penetration test performed by Include Security; report available via the trust portal.

    trust.semgrep.dev

    SSO / SAML

    SAML 2.0 and OpenID Connect / OAuth 2.0 single sign-on supported on the Semgrep AppSec Platform (Enterprise), with documented setup guides for Google Workspace and Microsoft Entra ID.

    docs.semgrep.dev

    Self-assessment questionnaire

    CAIQ Lite self-assessment published on the trust portal.

    trust.semgrep.dev

    Subprocessor transparency

    Subprocessor list, including AI model vendors OpenAI and AWS Bedrock, published on the trust portal with associated DPAs (including an 'OpenAI DPA').

    trust.semgrep.dev

    Encryption in transit / at rest

    No public evidence found describing Semgrep's own infrastructure encryption specifics (e.g. TLS version, at-rest algorithm); not stated on the pages reviewed. Not graded as a claim.

    trust.semgrep.dev

    Responsible disclosure

    Responsible Disclosure program referenced on the trust portal and a vulnerability reporting process documented in the security docs.

    docs.semgrep.dev

    // Products & data scope

    Semgrep Code (SAST)Static application security testing

    data: Scans customer source code for vulnerabilities; combines static analysis rules with AI reasoning.

    Core product of the AppSec Platform; also runs via the free, open-source Semgrep CLI/engine, which can run entirely locally without sending code to Semgrep's cloud.

    Semgrep Supply Chain (SCA)Software composition analysis

    data: Analyzes project dependency manifests/lockfiles; reachability analysis to prioritize exploitable findings.

    Sold as part of the AppSec Platform alongside Code and Secrets.

    Semgrep SecretsSecrets detection

    data: Scans repositories for hardcoded secrets/credentials using semantic and entropy analysis, with validation.

    Blocks unsafe merges by default per marketing copy.

    Semgrep Assistant / Multimodal (AI triage & autofix)AI-assisted remediation

    data: Sends relevant code snippets/findings to AI subprocessors (OpenAI, AWS Bedrock) under zero-data-retention agreements to generate fix suggestions and triage false positives.

    Enterprise customers can bring their own OpenAI/Azure OpenAI API key or use AWS Bedrock; an 'Enterprise minimal data retention' mode is available.

    Semgrep MCP ServerAI agent / IDE integration

    data: Exposes Semgrep scanning to AI coding agents and IDEs (e.g. Cursor, Replit) via the Model Context Protocol.

    Positioned for securing AI-generated code at the point of authorship.

    // What to watch

    • Semgrep's own docs.semgrep.dev/compliance/* pages (SOC2, ISO27001, HIPAA, PCI DSS, FedRAMP, GDPR, ISO27017) are primarily written to describe how the Semgrep TOOL helps customers meet those frameworks, not Semgrep's own certification status - only the SOC 2 page contains an explicit self-certification claim ('Semgrep Inc. is SOC 2 Type II certified'), and only the ISO 27001 page contains an explicit self-disclaimer ('Semgrep Inc. is not itself ISO 27001 certified'). PCI DSS, FedRAMP, and HIPAA pages do not clearly state Semgrep's own certification status either way, so they are graded held=false as 'no public evidence' rather than a confirmed absence - this is a nuance an advisor should double check before listing.
    • No explicit EU/non-US data hosting option is documented for the standard SaaS product; only a Data Transfer Impact Assessment document is referenced for cross-border transfers.

    // At a glance

    Pricing model

    Freemium: Free Edition (up to 10 contributors), Teams (from $30/contributor/month), Enterprise (custom pricing via sales).

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Semgrep, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.semgrep.dev

    > Browse all vendor trust reports