
Semmle
Static code analysis tools
DevSecOps software
Pricing model: Pay-as-you-go
Company size: Small, Medium, Large
Industries:
- Information technology and software
- Professional services (engineering, legal, consulting, etc.)
- Public sector and nonprofit organizations
What is Semmle
Semmle is a static code analysis product best known for CodeQL, which finds security vulnerabilities and code quality issues by running semantic queries over a database extracted from the codebase. Security engineers and development teams use it to identify and triage issues in source code and to write custom queries for organization-specific patterns. Semmle’s differentiator is its query language and the relational representation of code that backs it, which supports deep, cross-file analysis and reusable query packs. GitHub acquired Semmle in 2019, and the technology is now delivered through GitHub’s code scanning and security offerings rather than as a standalone, independently sold product.
Semantic, query-based analysis
Semmle extracts code into a database and uses CodeQL queries to detect patterns that are hard to express with pattern-matching linters. Because the queries operate on the program’s structure and control flow rather than on text, they support dataflow and taint-tracking analysis across functions and files, which is what most security use cases need. Teams can write and maintain their own queries to model internal frameworks, helper libraries, and coding conventions.
Strong security vulnerability focus
The product is designed around identifying security-relevant code paths such as injection, unsafe deserialization, and misuse of cryptography APIs. It supports workflows where security teams curate queries and developers remediate findings in pull requests. This aligns well with DevSecOps practices that shift security checks earlier in the SDLC.
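The two points above (cross-file taint tracking and team-written queries for internal helpers) come together in a query like the following. It is an added example for this page, not a query shipped with CodeQL or by Semmle/GitHub. It uses the Python library’s public taint-tracking API to trace attacker-controlled HTTP input into a hypothetical internal helper `ops.shell.run_cmd`, which is assumed to pass its first argument to a shell; the module path, the helper name, and the `shlex.quote` sanitizer rule are assumptions chosen to stand in for a real organization’s code.

```ql
/**
 * @name Shell command built from remote input (team-specific sink)
 * @description Tracks taint from HTTP request data into the first argument of
 *              ops.shell.run_cmd, a hypothetical internal helper that is
 *              assumed to hand the string to a shell.
 * @kind path-problem
 * @problem.severity error
 * @security-severity 8.8
 * @precision medium
 * @id example/py/internal-shell-helper-injection
 * @tags security external/cwe/cwe-078
 */

import python
import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking
import semmle.python.dataflow.new.RemoteFlowSources
import semmle.python.ApiGraphs

module InternalShellConfig implements DataFlow::ConfigSig {
  // Sources: everything the standard library models as attacker-controlled
  // (Flask/Django request parameters, headers, bodies, and so on).
  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  // Sink: the first positional argument of ops.shell.run_cmd(...).
  // "ops.shell.run_cmd" is an assumed name standing in for a real internal helper.
  // API graphs resolve both `import ops.shell` and `from ops.shell import run_cmd`.
  predicate isSink(DataFlow::Node sink) {
    sink = API::moduleImport("ops").getMember("shell").getMember("run_cmd").getACall().getArg(0)
  }

  // Sanitizer: a value that is the result of shlex.quote(...) stops the flow,
  // so `run_cmd("ping " + shlex.quote(host))` is not reported.
  predicate isBarrier(DataFlow::Node node) {
    node = API::moduleImport("shlex").getMember("quote").getACall()
  }
}

// Instantiate global taint tracking with the configuration above.
module InternalShellFlow = TaintTracking::Global<InternalShellConfig>;

// Exposes the source-to-sink path so code scanning renders each step.
import InternalShellFlow::PathGraph

from InternalShellFlow::PathNode source, InternalShellFlow::PathNode sink
where InternalShellFlow::flowPath(source, sink)
select sink.getNode(), source, sink,
  "This shell command depends on a $@.", source.getNode(), "user-provided value"
```

To run it, place the file in a directory with a `qlpack.yml` that declares a pack name and a dependency on `codeql/python-all`, build a database with `codeql database create <db> --language=python`, and run `codeql database analyze <db> <query-dir> --format=sarif-latest --output=results.sarif`. Against a Flask handler that does `run_cmd("ping " + request.args.get("host"))`, the query reports a path from the request argument to the helper call; the same handler wrapped in `shlex.quote` is silent because the barrier cuts the flow. The query’s precision depends entirely on how well the sink and barrier model the real helper, which is why teams usually iterate on a query against a few known-good and known-bad call sites before enabling it in code review.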
Integrates into GitHub workflows
As part of GitHub’s ecosystem, Semmle/CodeQL can be run in CI and surface results in code review and repository security views. This reduces friction for teams already standardizing on GitHub for source control and automation. Centralized reporting and alert management benefit organizations managing many repositories.
Not a standalone product
Semmle is no longer positioned as an independent commercial tool; it is delivered through GitHub’s security and code scanning capabilities. The CodeQL CLI can be run in other CI systems and emits SARIF that other tools can consume, but licensing for analysis of private code is still tied to GitHub’s Advanced Security products, so organizations not standardized on GitHub may face constraints or need alternative deployment approaches. Procurement and support are handled under GitHub’s product structure rather than a separate Semmle offering.
Query authoring learning curve
Effective customization requires learning CodeQL and understanding the underlying code database schema. Security teams may need time to build expertise to avoid noisy or incomplete queries. Maintaining custom query packs can become an ongoing engineering task.
Compute and pipeline overhead
Deep semantic analysis means building a full database of the code and then evaluating queries over it, which increases CI runtime and resource usage compared with lighter-weight static analyzers. Large monorepos or many repositories may require careful scheduling, caching, or incremental scanning strategies, for example running the default query suite on pull requests and the broader suites on a schedule. Tuning is usually needed to balance coverage with developer feedback speed.
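The GitHub Actions workflow below shows the integration described above (results uploaded to code scanning and surfaced on pull requests) together with one common way to manage analysis cost: the default query suite plus the repository’s own queries on every pull request, and the larger `security-extended` suite on a weekly schedule. It is an added example for this page, not a workflow published by GitHub; the language (`python`), the custom query directory `./ql/custom`, the branch name, the ignored paths, and the cron schedule are assumptions.

```yaml
name: CodeQL (custom queries)

on:
  pull_request:
    branches: [main]
    # Assumed: documentation-only changes do not need a scan.
    paths-ignore:
      - "**/*.md"
      - "docs/**"
  schedule:
    # Weekly full run with the broader suite; pull requests get the faster default suite.
    - cron: "17 3 * * 1"

permissions:
  contents: read
  security-events: write   # required to upload SARIF results to code scanning

jobs:
  analyze:
    runs-on: ubuntu-latest
    timeout-minutes: 60
    steps:
      - uses: actions/checkout@v4

      - uses: github/codeql-action/init@v3
        with:
          languages: python
          # A leading "+" appends to the default suite instead of replacing it.
          # ./ql/custom is an assumed directory holding the team's own queries
          # and their qlpack.yml.
          queries: ${{ github.event_name == 'schedule' && '+security-extended,./ql/custom' || '+./ql/custom' }}

      - uses: github/codeql-action/analyze@v3
        with:
          # Keeps results from this workflow distinct from any other CodeQL upload.
          category: "/language:python"
```

Results from the `analyze` step appear as code scanning alerts on the pull request and in the repository’s Security tab, where they can be triaged, dismissed with a reason, or tracked across an organization. Splitting the suites this way keeps pull-request feedback fast while still giving security teams the deeper weekly coverage; the `timeout-minutes` value is a guard against a runaway build of a large database rather than a tuning knob.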
Plan & Pricing
Pricing model: Pay-as-you-go (per active committer)
Free tier/trial: Code scanning (CodeQL) and many Advanced Security features are free for public repositories; a 30-day free trial for Enterprise (including Advanced Security) is advertised.
Example costs (official GitHub pages):
- GitHub Code Security (CodeQL/code scanning, commercial offering tied to Semmle technology): $30 USD per active committer/month. (Requires GitHub Team or Enterprise and is an add-on for private repositories.)
- GitHub Secret Protection (related security add-on): $19 USD per active committer/month. (Requires GitHub Team or Enterprise.)
- GitHub Team plan: $4 USD per user/month (base plan required to enable some features for organizations).
- GitHub Enterprise: Starts at $21 USD per user/month (required for Enterprise deployment/entitlements).
Notes & key constraints:
- Code scanning (CodeQL) is explicitly free for public repositories on GitHub; for private repositories, GitHub Code Security (CodeQL-based product) requires the paid add-on license.
- Advanced Security features are available as add-ons billed per "active committer" (unique committers in last 90 days).
- Pricing and billing details are provided on GitHub's official pricing, security plans, and docs pages; some licensing requires contacting sales/requesting a demo for enterprise setups.
Seller details
Seller: GitHub, Inc.
Headquarters: San Francisco, California, United States
Founded: 2009
Ownership: Subsidiary