semgrep/semgrep

52/100
// permanent record of scan from 2026-05-10 · classified as cli tool · stack: OCaml · Python · Dune · GitHub Actions · Docker · Jsonnet · uv · Depot
// permalink — this URL always shows scan hmRIYnlj from 2026-05-10, even if a newer public scan exists for this repo.

Nine dimensions

DevOps
55
Full CI across x86, arm64, and macOS; Depot-based Docker builds; Jsonnet-generated workflows with a linting check; artifact upload/download pipeline is solid.
Security
50
No secrets in committed files, no OSV vulnerabilities in declared deps, but LGPL-2.1 copyleft license creates legal exposure for redistribution scenarios.
Cost & infra
18
LGPL-2.1 copyleft license on the core engine forces source disclosure on redistribution; Apache 2.0 on Python CLI only helps the wrapper, not the engine underneath.
QA & testing
44
7965 test files indicate massive coverage, but most are snapshot-based e2e tests; OCaml unit test coverage for core engine logic is not independently visible.
Performance
45
Benchmarks exist (perf/run-benchmarks) proving performance is measured, but no benchmarks visible in fetched files; static binary compilation confirms profiling consideration.
Architecture
50
Clean separation between OCaml core engine (semgrep-core) and Python CLI wrapper; language-specific parsers in dedicated directories; clear module boundaries with .mli interface files.
Code quality
46
OCaml core is well-structured with proper dune build files and type signatures, but CLI logic mixes concerns with no visible linter enforcement on the Python wrapper.
Observability
35
No error tracking service (Sentry/Bugsnag) visible in CLI output; telemetry/Logging.mli exists but no evidence of structured telemetry endpoint or crash reporting integration.
Maintainability
48
Clear directory structure and language-specific modules exist, but autogenerated workflow files (jsonnet) create a two-source-of-truth maintenance burden.

Deterministic findings

medium

Copyleft license: LGPL-2.1

Derivative works may need to be open-sourced under the same terms — review compatibility with your business model.

Top findings (AI)

high

LGPL-2.1 copyleft license creates legal red zone for commercial redistribution

License file declares LGPL-2.1 for the project. LGPL requires anyone distributing linked binaries to provide source code or a written offer. For a venture building a SaaS or paid product using semgrep as a core engine, this is a significant legal liability. The Apache-2.0 Python wrapper alone does not solve this because the OCaml core is the actual analysis engine.

high

Autogenerated CI workflows hide real configuration, creating maintenance risk

Every workflow file begins '# AUTOGENERATED FROM *.jsonnet DO NOT MODIFY'. A lint job exists (.github/workflows/lint.yml) to detect drift, but jsonnet-to-YAML is a two-source-of-truth pattern. If the jsonnet build breaks or diverges, CI behavior becomes opaque to anyone reading the YAML directly.

medium

No observable error tracking or structured telemetry endpoint

libs/telemetry/Logging.mli exists as a signal that telemetry was considered, but no error tracking service (Sentry, Bugsnag, Rollbar) is integrated. For a CLI tool that runs in customer environments, this means failures are silent unless the user reports them. observability < 12 is the hard ceiling for CLI tools with no structured error output visible.

medium

Snapshot tests dominate the test suite, obscuring actual unit coverage

7965 test files are present, but examination of the file tree shows massive use of snapshot directories (cli/tests/default/e2e-other/snapshots/, cli/tests/default/e2e/snapshots/). These verify output fidelity, not logic correctness. OCaml unit tests for the core engine in src/ are not independently visible.

medium

Repository bloat from 7965 test files and snapshot artifacts

Massive test artifact count (7965 test files) inflates repo size and clone time. The .codemapignore file suggests this is a known problem. Large snapshot directories slow CI and make the repo harder to audit for actual code quality signals.

Scan your own repo

Free 60-second scan. No signup.

Run a free scan →