semgrep
diff --git a/‎docs/faq/comparisons/codeql.md
+30 b/‎docs/faq/comparisons/codeql.md
+30
diff --git a/‎docs/faq/comparisons/endor-labs.md
+98 b/‎docs/faq/comparisons/endor-labs.md
+98
diff --git a/‎docs/faq/comparisons/opengrep.md
+41 b/‎docs/faq/comparisons/opengrep.md
+41
diff --git a/‎docs/faq/comparisons/snyk.md
+55 b/‎docs/faq/comparisons/snyk.md
+55
diff --git a/‎docs/faq/comparisons/sonarqube.md
+27 b/‎docs/faq/comparisons/sonarqube.md
+27
@@ -0,0 +1,30 @@
+---
+slug: codeql
+append_help_link: true
+hide_table_of_contents: true
+displayed_sidebar: aboutSidebar
+tags:
+  - Support
+description: >-
+  See how Semgrep compares to CodeQL.
+---
+
+import TOCInline from "@theme/TOCInline"
+
+# Compare Semrep to CodeQL
+
+<TOCInline toc={toc} />
+
+Both Semgrep and CodeQL use static analysis to find bugs, but there are a few differences:
+
+<!-- vale off -->
+- Semgrep operates directly on source code, whereas CodeQL requires a buildable environment.
+- Semgrep provides both proprietary and open source options that can be run anywhere; CodeQL is not open source and you must pay to run it on any non-open-source code.
+- Semgrep focuses on speed and ease of use. and doesn’t require compiled code.
+  - Semgrep Community Edition (CE) provides [intraprocedural dataflow](/writing-rules/data-flow/data-flow-overview). [Semgrep Code](/semgrep-code/overview)'s cross-file and cross-function analysis has similar capabilities as CodeQL in terms of cross-function dataflow analysis for a subset of supported languages.
+- Both have publicly available rules.
+- Semgrep rules look like the source code you’re writing; CodeQL has a separate domain-specific-language for writing queries.
+- Semgrep has an online, hosted free plan for up to ten contributors to private repositories; both have a hosted paid plan.
+<!-- vale on -->
+
+See [Semgrep versus GitHub Advanced Security](https://semgrep.dev/resources/semgrep-github/) for more about what makes Semgrep different.
@@ -0,0 +1,98 @@
+---
+slug: endor-labs
+append_help_link: true
+hide_table_of_contents: true
+displayed_sidebar: aboutSidebar
+tags:
+  - Support
+description: >-
+  See how Semgrep compares to Endor Labs.
+---
+
+import TOCInline from "@theme/TOCInline"
+
+# Compare Semgrep to Endor Labs
+
+<TOCInline toc={toc} />
+
+## Prioritization
+
+Both Endor Labs and Semgrep support the prioritization of findings so that AppSec teams focus on the most impactful findings. While both companies offer findings filters based on criteria like reachability and EPSS scores, Semgrep offers support for statuses in addition to the basic reachability statuses of **reachable** and **not reachable**, such as **always reachable** and **conditionally reachable**.
+
+Furthermore, Semgrep Assistant uses AI to help organization admins receive information on top backlog tasks, allowing them to prioritize findings from all products, including the SAST and SCA products, not just those resulting from dependency vulnerability scans.
+
+## Reachability for transitive dependencies
+
+Reachability has been a fundamental part of Semgrep Supply Chain from the beginning. Supply Chain offers advanced reachability analysis for direct dependencies in the form of dataflow reachability, offering accuracy beyond that offered by Endor Labs. This coverage is offered for seven languages and counting.
+
+## Vulnerable functions
+
+Semgrep doesn't just identify a vulnerability as reachable when a vulnerable function is called -- it also takes into account *how* the vulnerable function is called and what data flows into that function. These functions are achieved through the use of Semgrep's rule syntax; when a rule is written, all possible permutations of the vulnerability are encapsulated in the rule. This functionality is something that Endor Labs doesn't have.
+
+Semgrep's security research team doesn't just focus on analyzing a vulnerable function when writing rules. The team extends the scope of analysis to all the third-party callers of the vulnerable functions, not just the reported third-party function that's vulnerable. This extends the set of vulnerable functions greatly. The following rule demonstrates this functionality:
+
+```yaml
+---
+rules:
+  - id: ssc-a462c702-1797-4f92-a577-2232cc25ab08
+    message: Affected versions of paddlepaddle are vulnerable to Improper Limitation
+      Of A Pathname To A Restricted Directory ('Path Traversal') in the
+      `download` and `_check_exists_and_download` of `paddle.dataset.common`.
+    severity: ERROR
+    metadata:
+      confidence: HIGH
+      category: security
+      cve: CVE-2024-0818
+      cwe:
+        - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory
+          ('Path Traversal')"
+      ghsa: GHSA-2rp8-hff9-c5wr
+      owasp:
+        - A01:2021 - Broken Access Control
+        - A05:2017 - Broken Access Control
+        - A06:2021 - Vulnerable and Outdated Components
+      publish-date: 2024-03-07T15:30:38Z
+      references:
+        - https://github.com/advisories/GHSA-2rp8-hff9-c5wr
+        - https://nvd.nist.gov/vuln/detail/CVE-2024-0818
+      sca-fix-versions: []
+      sca-kind: reachable
+      sca-schema: 20230302
+      sca-severity: CRITICAL
+      sca-vuln-database-identifier: CVE-2024-0818
+      technology:
+        - python
+    r2c-internal-project-depends-on:
+      depends-on-either:
+        - namespace: pypi
+          package: paddlepaddle
+          version: <=2.6.0
+    languages:
+      - python
+    patterns:
+      - pattern-either:
+          - pattern: paddle.dataset.common.download(...)
+          - pattern: paddle.dataset.common._check_exists_and_download(...)
+```
+
+The vulnerable function is `download`, as shown by the [fix commit](https://github.com/PaddlePaddle/Paddle/commit/5c50d1a8b97b310cbc36560ec36d8377d6f29d7c). The function `_check_exists_and_download` calls `download`, which you can see in the [source code](https://github.com/PaddlePaddle/Paddle/blob/5c50d1a8b97b310cbc36560ec36d8377d6f29d7c/python/paddle/dataset/common.py#L223). Thus, both functions are flagged in the rule in the final three lines.
+
+Learn more about how the security research team writes rules in [A day in the life: Supply Chain Security Researcher](https://semgrep.dev/blog/2024/a-day-in-the-life-supply-chain-security-researcher)
+
+## Policies and flexibility
+
+Semgrep Supply Chain results in a failed CI job only when there are critical or high-severity findings. However, Semgrep supports notifications and integration with Jira to create tickets for all Supply Chain findings, and it offers the ability to only leave comments on PRs or block a change regarding license detection.
+
+The policies for Semgrep's other products, Semgrep Code and Semgrep Secrets, provide extensive flexibility, especially with respect to a developer's workflow, by allowing results to appear:
+
+- Only in the AppSec team’s view (monitor mode)
+- In the AppSec team's view **and** in the developer’s workflow, while not failing the CI job (comment mode)
+- In the AppSec team's view **and** in the developer’s workflow, while also failing the CI job (block mode)
+
+## Dependency lifecycle management
+
+To help you manage your findings, Semgrep provides information, including EPSS probabilities, severity levels, transitivity information, and multiple levels of dataflow reachability.
+
+## Accuracy of results
+
+Semgrep has reachability analysis for over 80% of critical CVEs dating back to 2017 and 100% of critical and high severity CVEs dating back to May 2022. Endor Labs' reachability data, however, dates back to 2018.
@@ -0,0 +1,41 @@
+---
+slug: opengrep
+append_help_link: true
+hide_table_of_contents: true
+displayed_sidebar: aboutSidebar
+tags:
+  - Support
+description: >-
+  See how Semgrep compares to Opengrep.
+---
+
+import TOCInline from "@theme/TOCInline"
+
+# Compare Semgrep to Opengrep
+
+<TOCInline toc={toc} />
+
+## What is Opengrep?
+
+Opengrep is a fork of the Semgrep Community Edition (CE) engine, formerly known as Semgrep OSS (Semgrep Open Source).
+
+## How is Opengrep licensed?
+
+The Opengrep engine is licensed under LGPL 2.1. This means that any copies of the Opengrep engine must include a copy of the full license text and the original copyright notice, must make available the source code when a derivative work is distributed, and such derivative works must be licensed under the same or later version of the LGPL.
+
+## What is Semgrep Community Edition (CE)?
+
+Semgrep Community Edition is the collective name for the open source Semgrep engine (formerly known as the Semgrep OSS engine) and the collection of rules published and maintained by the Semgrep community and Semgrep, Inc.
+
+## How is Semgrep CE licensed?
+
+
+The Semgrep CE engine is licensed under LGPL 2.1. This license has remained unchanged since Semgrep, Inc. began development on the Semgrep engine in early 2020.
+
+Semgrep maintains a collection of rules written by the community and Semgrep, Inc., and they are licensed under the [Semgrep Rules License](https://semgrep.dev/legal/rules-license/). This license limits their use to internal, non-competing, and non-SaaS contexts, and explicitly limits certain commercial usage. This applies to all rules authored by Semgrep and those contributed to our public repositories.
+
+## What changed with Semgrep’s licensing in December, 2024?
+
+The license for Semgrep's Community Edition engine remains unchanged: LGPL 2.1.
+
+Licensing for Semgrep-maintained rules changed from Commons Clause w/ LGPL 2.1 to the [Semgrep Rules License](https://semgrep.dev/legal/rules-license/).
@@ -0,0 +1,55 @@
+---
+slug: snyk
+append_help_link: true
+hide_table_of_contents: true
+displayed_sidebar: aboutSidebar
+tags:
+  - Support
+description: >-
+  See how Semgrep compares to Snyk.
+---
+
+import TOCInline from "@theme/TOCInline"
+
+
+# Compare Semgrep to Snyk
+
+<TOCInline toc={toc} />
+
+## SAST
+
+Both Semgrep and Snyk offer out-of-the-box SAST solutions. Semgrep makes it easier to customize the rules that run against your code. Because these rules are visible and customizable, you can analyze your results to see if the relevant vulnerabilities were caught.
+
+In addition to selecting your rules, Semgrep allows you to write custom rules to capture use cases driven by your organization's goals. To help you write rules, [Semgrep Editor](https://semgrep.dev/playground) provides a structure mode to guide you through the process, allows you to test your in-progress rules, and adds them to your organization’s [Policies page](/semgrep-code/policies). Semgrep offers rule-writing capabilities to all users, while Snyk limits it to Enterprise users.
+
+Both Semgrep and Snyk offer remediation advice for findings identified during scans. Snyk displays its recommendations in its web app, in supported IDEs, and CLI, while Semgrep displays remediation advice and guidance in its web app, CLI, supported IDEs, and in the form of PR or MR comments.
+
+Snyk and Semgrep both display prioritization metrics to help you decide which findings you should work on first. For SAST, Snyk encapsulates this information into a priority score, which provides you with information on the impact and actionability related to the finding. Semgrep, on the other hand, provides severity information, confidence in the rule to detect findings that are true positives, and likelihood that an attacker can exploit the issues found.
+
+Additionally, Semgrep provides action recommendations through Assistant, which offers AI-powered security recommendations to help you review, triage, and remediate your Semgrep findings.
+
+Snyk offers autofix capability for its SCA product, but not its SAST product. Semgrep offers autofix suggestions for SAST and SCA, where its [rules contain suggested fixes to resolve findings](/writing-rules/autofix). In the event of a true positive where the rule doesn't have a human-written autofix, [Assistant can generate an autofix](/semgrep-assistant/overview#autofix).
+
+## SCA
+
+Snyk offers reachability analysis for Java, JavaScript, and TypeScript, while Semgrep offers reachability analysis for [multiple languages, including Java, JavaScript, and Ruby](/supported-languages/#semgrep-supply-chain)
+
+Snyk can detect whether dependencies are direct or transitive. However, this information is only available with Enterprise plans, and the information is limited to projects using Maven or Node.js, specifically npm and Yarn packages. Semgrep Supply Chain offers advanced reachability analysis for direct dependencies in the form of dataflow reachability. Semgrep offers this coverage for seven languages and counting.
+
+Semgrep and Snyk both offer license compliance features, ensuring that the dependencies that your developers use meet the requirements set by your organization.
+
+To help you manage your findings, Semgrep provides you with the findings' EPSS probabilities, severity levels and transitivity information. Snyk assesses impact and likelihood and encapsulates this information into a risk score.
+
+## Policies and rules management
+
+Semgrep Code and Semgrep Secret's policies management feature provides extensive flexibility, especially with respect to a developer's workflow, by allowing results to appear:
+
+- Only in the AppSec team’s view (monitor mode)
+- In the AppSec team's view **and** in the developer’s workflow, while not failing the CI job (comment mode)
+- In the AppSec team's view **and** in the developer’s workflow, while also failing the CI job (block mode)
+
+Semgrep Supply Chain results in a failed CI job only when there are critical or high-severity findings.
+
+## Secrets detection
+
+Semgrep Secrets leverages semantic analysis, entropy analysis, and validation to accurately detect and fix secrets. Snyk maintains a [business partnership with GitGuardian](https://blog.gitguardian.com/were-teaming-up-with-snyk-to-strengthen-developer-security/) to offer secrets scanning as part of Snyk Code.
@@ -0,0 +1,27 @@
+---
+slug: sonarqube
+append_help_link: true
+hide_table_of_contents: true
+displayed_sidebar: aboutSidebar
+tags:
+  - Support
+description: >-
+  See how Semgrep compares to SonarQube.
+---
+
+import TOCInline from "@theme/TOCInline"
+
+# Compare Semgrep to SonarQube
+
+<TOCInline toc={toc} />
+
+Both Semgrep and SonarQube use static analysis to find bugs, but there are a few differences:
+
+- Extending Semgrep with custom rules is simple since Semgrep rules look like the source code you’re writing. Writing custom rules with SonarQube is [<i class="fas fa-external-link fa-xs"></i> restricted to a handful of languages](https://docs.sonarqube.org/latest/extend/adding-coding-rules/) and requires familiarity with Java and abstract syntax trees (ASTs).
+- Semgrep supports user-defined autofixes; SonarQube does not.
+- Semgrep focuses on speed and ease-of-use, making analysis possible at up to 20K-100K loc/sec per rule. SonarQube authors [report approximately 0.4K loc/sec for rulesets in production](https://web.archive.org/web/20221109203440/https://community.sonarsource.com/t/performance-guide-for-large-project-analysis/148/2).
+- Semgrep supports scanning only changed files (differential analysis), SonarQube does not.
+- Both have publicly available rules
+- Semgrep has an online, hosted free plan for up to ten contributors to private repositories; both have a hosted paid plan.
+
+See [the Semgrep development philosophy](/contributing/semgrep-philosophy) for more about what makes Semgrep different.