Four products are in scope. Semgrep Code (SAST with cross-file dataflow), Semgrep Supply Chain (SCA with dataflow reachability), Semgrep Secrets (secrets detection with active validation), and Semgrep AppSec Platform (the unifying SaaS console). The Team plan bundles Code, Supply Chain, Secrets, and the AI Assistant under the AppSec Platform. Merito sells every product and operates the rule authoring, calibration, and integration.
Semgrep portfolio
Developer-first AppSec, sold and operated by Merito.
Semgrep Code (SAST), Semgrep Supply Chain (SCA), Semgrep Secrets, and the AppSec Platform that unifies them. Per-contributor licensing, YAML custom rules, AI Assistant noise filtering, and cross-file dataflow that works across 30-plus programming languages.
Why Merito for Semgrep
A Semgrep engagement is custom rule authoring, AI Assistant calibration, and PR-time integration. Merito is the team that does the work after the AppSec Platform is up.
Semgrep is the developer-first AppSec vendor that grew out of an open-source program-analysis engine. The commercial Semgrep Code adds cross-file and cross-function dataflow analysis, 20,000-plus Pro Rules from Semgrep's security research team, and AI Assistant noise filtering. Semgrep Supply Chain extends the dataflow analysis into transitive dependency graphs to differentiate reachable-and-exploitable from reachable-but-safe paths. Semgrep Secrets combines semantic dataflow with active validation to filter expired or test secrets out of the backlog.
Semgrep AppSec Platform is the unifying SaaS console where Code, Supply Chain, and Secrets share policy, AI Assistant, and the centralized findings surface. The Team plan bundles all three analysis engines plus the AI Assistant and the dashboard at a per-contributor price. Free tier covers teams with up to 10 contributors and 10 private repositories. Enterprise plan adds higher-volume usage, SLAs, and on-prem deployment.
YAML custom rule authoring is the practical differentiator. Rules look like source code, which makes them easy for developers and AppSec architects to read and write without learning a domain-specific language. Programs that adopt Semgrep without authoring custom rules use it as a noisier substitute for other SAST tools rather than the better one.
Merito sells the Semgrep license and operates the program around it. We design the policy, author custom rules against the customer's internal coding standards, calibrate Pro Rules and AI Assistant Memories, integrate scanning into PR-time CI/CD and IDE workflows, and stay on the program through the false-positive review cycles that decide whether AppSec earns developer trust.
The Semgrep toolchain
The Semgrep AppSec portfolio Merito sells and operates
Analysis engines
SAST, SCA, and Secrets detection from a single vendor with shared dataflow analysis foundations.
SAST
Semgrep Code
Static application security testing across 30-plus programming languages with cross-file dataflow, 20,000-plus Pro Rules, YAML custom rules, and AI Assistant noise filtering.
SCA
Semgrep Supply Chain
Software composition analysis with dataflow reachability through transitive dependency graphs. Differentiates reachable-and-exploitable from reachable-but-safe paths.
Secrets
Semgrep Secrets
Secrets detection combining semantic dataflow analysis, entropy, regex, and active validation to filter expired and test secrets from the backlog.
Unified platform
The AppSec Platform that consolidates the analysis engines under one policy plane and per-contributor licensing.
Merito services
Merito services across the Semgrep portfolio
01
Implementation
AppSec Platform tenant setup, SCM integration onboarding, Pro Rules calibration, custom YAML rule authoring, and AI Assistant Memories configuration.
02
MAPS Assessment
AppSec program scoping for Semgrep adoption alongside Checkmarx, Snyk, Black Duck Coverity, and OpenText Application Security.
03
DevOps Consulting
PR-time scanning gates, IDE plugin rollout, and findings flowing into developer ticketing across GitHub, GitLab, Azure DevOps, and Bitbucket.
04
CRAFT Enablement
Developer-facing AppSec adoption, custom rule authoring training, and AppSec champion programs.
05
Premium Support
Named engineer, priority SLAs, and release-window coverage for Semgrep programs Merito implements.
06
Managed Services
Long-term run support including ongoing custom rule maintenance, Pro Rules calibration, AI Assistant Memories tuning, and triage operating-model evolution.
07
Training and Enablement
Role-based training for AppSec architects, developers, and security engineers using Semgrep output.
08
Staff Augmentation
Merito-placed AppSec engineers and Semgrep specialists embedded on long-running programs.
Semgrep licensing
Buy Semgrep from the partner that authors the rules and calibrates the AI Assistant.
Custom rule authoring and AI Assistant Memories are the practical work of a Semgrep program. Buy through Merito and get the rules, the calibration, and the integration together.
Consultation request
Talk to Merito about Semgrep
Share your AppSec maturity, current scanners, and custom rule authoring scope. A Merito Semgrep specialist follows up within one business day.
Per-contributor pricing
Aligns with developer-first adoption
The Team plan is priced per contributor. The free tier covers teams with up to 10 contributors and 10 private repositories.
YAML custom rules
Internal standards as scanner policy
Rules look like source code. AppSec architects encode internal coding standards into the scanner directly without learning a domain-specific language.
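As an added illustration of the custom-rule point made here and in the portfolio overview above (written for this page; not a Merito or Semgrep rule), the following taint-mode rule encodes a hypothetical internal standard for a Flask codebase: request-controlled data must never reach a subprocess call that uses shell=True, unless it passes through shlex.quote first. The rule id, message, and the chosen sources, sinks, and sanitizer are all assumptions for the example.

```yaml
rules:
  # Hypothetical internal standard, expressed as a Semgrep taint rule.
  # The pattern lines are written as the Python they match, which is
  # what makes the rule readable to the developers it is aimed at.
  - id: internal-std-no-shell-from-request
    languages: [python]
    severity: ERROR
    message: >-
      Request-controlled data reaches a subprocess call with shell=True.
      Internal standard: pass an argument list and keep shell=False, or
      quote the value with shlex.quote before it reaches the command.
    metadata:
      category: security
      owner: appsec-platform-team   # assumed metadata field for routing
    mode: taint
    # Sources: anything a client can put in the query string or form body.
    pattern-sources:
      - pattern: flask.request.args.get(...)
      - pattern: flask.request.form.get(...)
      - pattern: flask.request.args[...]
      - pattern: flask.request.form[...]
    # Sanitizer: shell-quoting the value breaks the taint flow.
    pattern-sanitizers:
      - pattern: shlex.quote(...)
    # Sinks: the command argument of a shell=True subprocess call.
    # focus-metavariable reports only the tainted argument, not the call.
    pattern-sinks:
      - patterns:
          - pattern-either:
              - pattern: subprocess.run($CMD, ..., shell=True, ...)
              - pattern: subprocess.Popen($CMD, ..., shell=True, ...)
              - pattern: subprocess.call($CMD, ..., shell=True, ...)
          - focus-metavariable: $CMD
```

Run with `semgrep --config internal-std-no-shell-from-request.yaml .` to apply it locally; the same file can be uploaded to the AppSec Platform so the finding appears at PR time alongside Pro Rules.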
Next step
Author the custom rules before the developer trust erodes.
A Semgrep conversation with Merito starts with the AppSec maturity assessment and the custom rule authoring scope. Programs that adopt Semgrep without rules use it as a noisier substitute for other SAST tools.