Integrate Semgrep with Vulnetix. Run SAST scans across 35+ languages using community and custom rules, produce SARIF output, and upload for centralized vulnerability management.
Install & scan
$ # Recommended - run without global install uv run --with semgrep semgrep --version # Or install globally pip install semgrep # Or via Homebrew brew install semgrep $ uv run --with semgrep semgrep scan \ --config auto \ --sarif --sarif-output=semgrep.sarif .
Run Semgrep in CI
Scan on every push and upload the results to Vulnetix:
- name: Run Semgrep
run: |
pip install semgrep
semgrep scan --config auto --sarif --sarif-output=semgrep.sarif .
- name: Upload to Vulnetix
run: vulnetix upload --file semgrep.sarif
How Vulnetix compares — better together
Vulnetix does not replace Semgrep. Keep running it. Vulnetix sits on top of Semgrep — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.
Semgrep is strongest at its core category and also carries features in Secret Scanning, SCA — just like Vulnetix spans categories.
| Capability | Vulnetix | Semgrep |
|---|---|---|
| Security coverage | ||
| SAST (static code analysis) | ✓ Built-in rules + Semgrep augmentation | ✓ 35+ languages; pattern + taint, cross-file in Pro |
| SCA / dependencies | ✓ 40+ ecosystems, transitive graph | ~ Semgrep Supply Chain (Pro) — reachable dependency findings |
| DAST (dynamic testing) | ~ Ingests DAST results; no native dynamic engine | ✗ |
| Container & image | ✓ Image CVEs, base image, Dockerfile | ✗ |
| IaC / misconfiguration | ✓ Terraform, k8s, CloudFormation | ~ Community rules for k8s / Terraform |
| Secret scanning | ✓ 1,000+ rules, source + binary + git history | ~ p/secrets ruleset (validation via Pro) |
| Cloud / CSPM | ✓ Cloud-posture findings, compliance tab | ✗ |
| Mobile (MAST) | ~ Ingests mobile scanner output; no native mobile engine | ✗ |
| License compliance | ✓ SPDX, copyleft/AGPL/SSPL policy | ✗ |
| SBOM generation | ✓ CycloneDX 1.7 + SPDX 2.3, cosign-signable | ✗ |
| Malware / supply-chain | ✓ De-duplicated corpus + install-time firewall (25+ registries) | ✗ |
| Network / infra vuln | ~ Ingests network scanner output; no native network scanner | ✗ |
| Fuzzing | ✗ Ingests fuzzing crashes; no native fuzzer | ✗ |
| Pentest / bug bounty | ✗ Ingests pentest/bug-bounty findings; not a testing service | ✗ |
| The Vulnetix orchestration layer | ||
| Cross-scanner dedup & one queue (ASPM) | ✓ Correlates every scanner into one prioritised queue with ownership routing | ✗ |
| Exploit-intel prioritisation | ✓ EPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV | ✗ |
| Reachability analysis | ✓ Tree-sitter + CVEAffected; direct/transitive/semantic | ✗ |
| Versioned VEX + audit trail | ✓ Immutable OpenVEX/CycloneDX, cosign-signable | ✗ |
| Safe Harbour autofix | ✓ Resolves + applies the nearest safe version | ✗ |
| End-of-life policy | ✓ Flags/blocks past-EOL runtimes & packages | ✗ |
| SSVC / risk-based policy | ✓ SSVC v2 + CISA/FedRAMP/Essential-8 presets | ✗ |
✓ full · ~ partial · ✗ not covered
What Semgrep does well
- Fast pattern matching plus taint/dataflow tracking across 35+ languages, with rules that read like the code they match.
- Huge community + Semgrep-maintained registry (thousands of rules) and first-class custom-rule authoring in YAML.
- Clean CI story: SARIF and CycloneDX output, no build required, low-friction pre-merge scanning.
Where Vulnetix adds to it: Vulnetix ingests Semgrep SARIF and keeps it as your SAST engine, then deduplicates it against every other scanner, prioritises with EPSS/CISA KEV/Coalition ESS, adds reachability, versioned VEX and Safe Harbour autofix — the cross-tool layer a single SAST engine does not provide.
No migration, no rip-and-replace. Semgrep keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.
Centralise Semgrep results in Vulnetix
Upload Semgrep SARIF, CycloneDX output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.