Disclaimer: Semgrep provides security tooling that can support compliance efforts, but does not guarantee compliance. Organizations remain responsible for meeting all compliance requirements. Consult with your compliance team and auditors to determine how Semgrep fits into your compliance program.

Last updated: November 2025

Organizations pursuing SOC 2 Type II certification need to demonstrate that security controls are operational and effective over time (typically 6-12 months), not just implemented at a point in time. When Semgrep scans your code, it generates audit logs that document every scan execution, security finding, remediation action, and status change with timestamps and user attribution. These logs provide evidence for SOC 2 Trust Services Criteria, including CC6.6 (vulnerabilities are identified and addressed), CC7.2 (system monitoring), and CC7.3 (evaluation of security events).

When properly configured with CI/CD systems, Semgrep policy enforcement allows security teams to define custom security rules that can block code from merging when violations are detected. This demonstrates preventive controls (CC6.1, CC6.6) rather than detective controls. Auditors want to see that you stop security issues before they reach production, not just detect them afterward. Note that developers with appropriate permissions can override policy blocks when necessary. For details around proper configuration, please chat with the Semgrep team.

Jira integration documents your remediation workflow with timestamps and assignments, giving auditors clear evidence that security issues are identified, tracked, and resolved systematically (CC8.1 change management). SBOM generation provides supply chain visibility for vendor risk management controls (CC9.1).