Semgrep Claude Plugin

Semgrep

Category: Code Review · 16,248 installs · Apr 22, 2026

Semgrep reads your source files as you edit and runs pattern-based rules to find security issues, logic errors, and bad practices. It watches edits and re-scans the changed files, reports matches with file/line pointers, and groups related findings. It recognizes common problems like injection flaws, hardcoded secrets, unsafe deserialization, and insecure use of crypto libraries, and it shows the specific code snippet that triggered each rule.

It runs built-in rule sets for languages and frameworks (Python, JavaScript/TypeScript, Java, Go, Ruby, etc.) and accepts custom rules written in Semgrep's YAML syntax. The plugin maps findings to severity, suggests relevant fixes or safer API calls, and lets you add suppressions with inline comments. It also exposes rule configuration so you can enable, disable, or tune checks per repo or folder.

The integration posts results as inline comments on pull requests, writes SARIF or JSON for CI, and returns quick feedback inside the editor so you don't need to run a separate scanner. It tracks which findings are new versus existing and lets you mark items as resolved. It can run on save, on interval, or on demand, and it caches results to avoid re-scanning unchanged files.

In a typical workflow, a developer fixes a flagged SQL injection during a code review with Semgrep comments already on the PR, without switching to a separate security console. That saves time by keeping the scan, discussion, and remediation in one place instead of switching between tools when triaging or patching issues.

Install

/plugin install semgrep@claude-plugins-official

Tags

security
sast
vulnerability-detection
injection
secrets