semgrep/semgrep

52/100
// latest public scan, scanned 2026-05-10 · classified as cli tool · stack: OCaml · Python · Dune · GitHub Actions · Docker · Jsonnet · uv · Depot
// this URL always shows the latest public scan for this repo. permanent permalink to this specific scan: www.codeclanker.com/scan/id/hmRIYnlj
// 4 public scans exist for this repo

Nine dimensions

DevOps · 55/100
Full CI across x86, arm64, and macOS; Depot-based Docker builds; Jsonnet-generated workflows with a linting check; artifact upload/download pipeline is solid.

Security · 50/100
No secrets in committed files, no OSV vulnerabilities in declared deps, but LGPL-2.1 copyleft license creates legal exposure for redistribution scenarios.

Cost & infra · 18/100
LGPL-2.1 copyleft license on the core engine forces source disclosure on redistribution; Apache 2.0 on the Python CLI only helps the wrapper, not the engine underneath.

QA & testing · 44/100
7965 test files indicate massive coverage, but most are snapshot-based e2e tests; OCaml unit test coverage for core engine logic is not independently visible.

Performance · 45/100
Benchmarks exist (perf/run-benchmarks), showing that performance is measured, but no benchmark results are visible in the fetched files; static binary compilation confirms that profiling was considered.

Architecture · 50/100
Clean separation between the OCaml core engine (semgrep-core) and the Python CLI wrapper; language-specific parsers in dedicated directories; clear module boundaries with .mli interface files.

Code quality · 46/100
OCaml core is well-structured with proper dune build files and type signatures, but CLI logic mixes concerns, with no visible linter enforcement on the Python wrapper.

Observability · 35/100
No error tracking service (Sentry/Bugsnag) visible in CLI output; telemetry/Logging.mli exists, but there is no evidence of a structured telemetry endpoint or crash reporting integration.

Maintainability · 48/100
Clear directory structure and language-specific modules exist, but autogenerated workflow files (jsonnet) create a two-source-of-truth maintenance burden.

Deterministic findings

medium · Copyleft license: LGPL-2.1

Derivative works may need to be open-sourced under the same terms — review compatibility with your business model.

Top findings (AI)

high · LGPL-2.1 copyleft license creates legal red zone for commercial redistribution

License file declares LGPL-2.1 for the project. LGPL requires anyone distributing linked binaries to provide source code or a written offer. For a venture building a SaaS or paid product using semgrep as a core engine, this is a significant legal liability. The Apache-2.0 Python wrapper alone does not solve this because the OCaml core is the actual analysis engine.

high · Autogenerated CI workflows hide real configuration, creating maintenance risk

Every workflow file begins '# AUTOGENERATED FROM *.jsonnet DO NOT MODIFY'. A lint job exists (.github/workflows/lint.yml) to detect drift, but jsonnet-to-YAML is a two-source-of-truth pattern. If the jsonnet build breaks or diverges, CI behavior becomes opaque to anyone reading the YAML directly.

medium · No observable error tracking or structured telemetry endpoint

libs/telemetry/Logging.mli exists as a signal that telemetry was considered, but no error tracking service (Sentry, Bugsnag, Rollbar) is integrated. For a CLI tool that runs in customer environments, this means failures are silent unless the user reports them. An observability score below 12 is the hard ceiling for CLI tools with no structured error output visible.

medium · Snapshot tests dominate the test suite, obscuring actual unit coverage

7965 test files are present, but examination of the file tree shows massive use of snapshot directories (cli/tests/default/e2e-other/snapshots/, cli/tests/default/e2e/snapshots/). These verify output fidelity, not logic correctness. OCaml unit tests for the core engine in src/ are not independently visible.

medium · Repository bloat from 7965 test files and snapshot artifacts

Massive test artifact count (7965 test files) inflates repo size and clone time. The .codemapignore file suggests this is a known problem. Large snapshot directories slow CI and make the repo harder to audit for actual code quality signals.