Foil vs Semgrep.
Semgrep is a popular static analysis tool built on AST pattern matching (Semgrep Pro adds cross-file dataflow). Foil takes a different approach — using an on-device LLM to reason about code semantics, catching logic-level vulnerabilities that pattern rules struggle to express.
By Vito Rallo, Security Engineer at Peach Studio · Last updated April 2026
| Feature | Foil | Semgrep |
|---|---|---|
| Analysis method | On-device LLM (semantic reasoning) | Pattern matching (AST); Pro adds cross-file / cross-function dataflow |
| Logic-level vulnerability detection | Yes — auth bypasses, IDOR, race conditions | Limited in OSS; improved on Pro via cross-file dataflow |
| Code leaves your machine | Never | No (OSS CLI); cloud features send metadata/findings to the Semgrep AppSec Platform |
| Cloud dependency | None — fully offline | Platform required for Pro rules, Supply Chain, Secrets, Multimodal |
| Fix generation | Deep Dive & Deep Scan rewrite vulnerable code with explanation | Rule-based autofix (OSS); AI-assisted remediation via Multimodal (Platform) |
| Languages | 7 (Python, JS, TS, Go, Java, Ruby, C#) | 30+ (OSS) / 35+ (Pro) |
| IDE integration | VS Code (coming soon) | VS Code, IntelliJ, and more |
| Rule count | 162 built-in + custom rules | 2,800+ community rules (OSS) / 20,000+ Pro rules (Platform) |
| Custom rules | Yes (Developer plan) | Yes (YAML-based) |
| CI/CD integration | CLI-based, JSON export | Native CI integrations, SARIF |
| Pricing | Free Community / €19 per user / mo Developer | Free OSS / Team pricing on request |
| Runs on | macOS (Apple Silicon) | Any OS (CLI); hosted Platform for Pro |
When to choose Foil
- Your code can't leave your machine (compliance, IP sensitivity)
- You need to catch logic-level flaws (broken access control, IDOR, auth bypasses)
- You want AI-generated fix suggestions, not just alerts
- You want zero cloud dependency and no API costs
When to choose Semgrep
- You need support for 30+ languages
- You want a large library of community-maintained rules plus the 20,000+ Pro rule set
- You need native CI/CD integrations and SARIF output
- You need supply chain, secrets scanning, or AI-assisted triage via Semgrep Multimodal (Platform)