diff --git a/docs/pricing-and-billing.mdx b/docs/pricing-and-billing.mdx deleted file mode 100644 index 162d97bc8..000000000 --- a/docs/pricing-and-billing.mdx +++ /dev/null @@ -1,282 +0,0 @@ ---- -slug: pricing-and-billing -append_help_link: true -title: Pricing and billing -description: "Learn about pricing, tiers, and feature support for the following Semgrep Products: Semgrep OSS, Semgrep Code, and Semgrep Supply Chain." -tags: - - Semgrep Cloud Platform - - Semgrep OSS - - Team & Enterprise Tier -hide_title: true ---- - -import MoreHelp from "/src/components/MoreHelp"; - - - -# Pricing and billing - -Semgrep's various functionalities are available through several offerings: - -
-
Semgrep OSS
-
- The OSS (open source software) offering includes Semgrep OSS Engine, a fast - code analysis command line tool for finding bugs and enforcing code - standards. It is licensed under LGPL 2.1.{" "} -
-
Semgrep Team tiers (available as separate products)
- -
- All of the above products include Semgrep Cloud Platform, a web app that - enables users to manage users, organizations, repositories, security - policies, and scans. -
-
Semgrep Enterprise tier
-
- The Enterprise tier offers custom features and the highest levels of support - in addition to all of the features in the Team tier. -
-
- -All Semgrep offerings can scan the following repository providers or SCMs (source code managers): - -- GitHub -- GitLab -- Bitbucket -- Azure Repos - -:::caution Usage limits - -- Semgrep Team tier is free for **10 monthly contributors**. -- A contributor is someone who has made at least one commit to a Semgrep-scanned private repository within the last month. -- See the [Usage limits FAQ](/usage-limits) for more information. -::: - -## Semgrep OSS Engine and Team tier offerings - -The following tables provide an overview of Semgrep features and comparison between Semgrep OSS and Semgrep Team tier. - -### 🔎 Core scanning features - -The following tables describe Semgrep's essential scanning and findings management capabilities. - -#### SAST (Static Application Security Testing) - -| Feature | Semgrep OSS | Semgrep Code Team tier | -| ------------------------------------------------------------------------------------- | ----------- | ---------------------- | -| Intrafile (single-file) analysis | ✔️ | ✔️ | -| Cross-file (across multiple files or interfile) analysis | ❌ | ✔️ | -| [Single-file taint](/writing-rules/data-flow/data-flow-overview/) (dataflow) analysis | ✔️ | ✔️ | -| [Cross-file taint](/semgrep-code/semgrep-pro-engine-intro/) (dataflow) analysis | ❌ | ✔️ | - -#### SCA (Software composition analysis) - -| Feature | Semgrep OSS | Semgrep Supply Chain Team tier | -| --------------------------------------------------------------- | ----------- | ------------------------------ | -| Reachability analysis for direct dependencies | ❌ | ✔️ | -| [License compliance](/semgrep-supply-chain/license-compliance/) | ❌ | ✔️ | -| [Dependency search](/semgrep-supply-chain/dependency-search) | ❌ | ✔️ | -| SBOM export | ❌ | ✔️ | - -### 💬 Scan management and monitoring - -The following table displays various notification channels and reporting features. - -| Feature | Semgrep OSS | Semgrep Team tier | -| --------------------------------------------------------------------------------------------------------------- | ----------- | ----------------- | -| [Centralized management of scan results (triage, remediation, fine-tuning noisy rules)](/semgrep-code/policies) | ❌ | ✔️ | -| [Notifications and reports (Slack, email, webhooks, and API)](/semgrep-cloud-platform/notifications/) | ❌ | ✔️ | -| Send scan results to GitLab SAST and GitHub Advanced Security | ❌ | ✔️ | -| [Findings dashboard](/semgrep-cloud-platform/dashboard/) | ❌ | ✔️ | -| Findings retention | ❌ | 5 years | - -### 🧰 Scan customization features - -The following table displays customization features and tools that enhance Semgrep's core scanning capabilities. These features can increase true-positive rate and provide deeper insights into remediation. - -| Feature | Semgrep OSS | Semgrep Team tier | -| ------------------------------------------------------------ | ----------------------------------------------- | -------------------------------------------- | -| Write your own rules | ✔️ | ✔️ | -| Private rules\* | n/a | ✔️ | -| [Community-contributed rule registry](https://semgrep.dev/r) | ✔️ | ✔️ | -| Proprietary rule registry | ❌ | ✔️ | -| [Policy-based workflows†](/semgrep-code/policies/) | ❌ | ✔️ | -| Rule-writing environment | ✔️ [Playground](https://semgrep.dev/playground) | ✔️ Playground and Editor for logged-in users | - -\*Private rules refer to rules that are guaranteed a private access scope in the cloud. This scope of access does not apply to Semgrep OSS, as it is purely CLI-based.
-† Policy-based workflows provide security teams a means to block merges, leave PR/MR comments, or silently monitor for potential issues based on the presence of a finding. - -### 🤖 Developer experience - -The following table lists tools to enable developers to resolve their own code. - -| Feature | Semgrep OSS | Semgrep Team tier | -| ------------------------- | ----------- | ----------------- | -| VS Code extension | ✔️ | ✔️ | -| Autofix | ✔️ | ✔️ | -| Autofix in PR/MR comments | ❌ | ✔️ | -| Autofix AI | ❌ | ✔️ | -| `pre-commit`‡ | ✔️ | ✔️ | - -‡`pre-commit` requires some manual set-up. - -### 🏢 User and organization management - -| Feature | Semgrep OSS | Semgrep Team tier | -| ------------------------------------------------------------------------------------------------------------- | ----------- | ----------------- | -| [Role-based access control (RBAC)](/semgrep-cloud-platform/user-management/#controlling-access-through-roles) | ❌ | ✔️ | -| [Personal and organizational accounts](/semgrep-cloud-platform/user-management/) | ❌ | ✔️ | -| [SSO, OpenID, or OAuth2 authentication](/semgrep-cloud-platform/sso/) | ❌ | ✔️ | - -## Differences between Semgrep Code and Semgrep Supply Chain - -The following table displays differences between Semgrep Code and Semgrep Supply Chain. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FeatureSemgrep CodeSemgrep Supply Chain
Type of toolStatic application security testing (SAST)Software composition analysis (SCA)
Scan targetFirst-party code (your codebase or repository)Open source dependencies
Triage workflow - Findings can be categorized as: -
    -
  • Ignored (to triage false positives)
    • -
  • Closed (resolved) by refactoring code
    • -
  • Removed
    • -
- 		- Findings can be categorized as: -
    -
  • New
    • -
  • In progress
    • -
  • Fixed
    • -
  • Ignored
    • -
-
Remediation workflowCode refactoringUpgrading or removing the dependency, code refactoring
Notification channelsSlack, Email, WebhooksSlack
- -## Determining your plan needs - -### Number of contributors - -Within your team or organization, assess the number of **contributors**. Contributors are members of your organization that make commits. That determines the number of **licenses** needed for the plan purchase. - -For example, if a project has 4 unique contributors who create commits during the billing period while Semgrep is scanning their repositories, only 4 licenses are required even if the organization has a total of 10 members. If these unique contributors commit to many projects within the same organization, they are counted once, so no additional cost is charged. - -:::info Usage limits -Semgrep Team tier is free for the first 10 contributors. You only need to buy licenses for contributors over 10. -::: - -All members of the organization, regardless of contributor (license) status, have access to paid features for the chosen tier. This means that project managers and other non-programming roles can still view the Semgrep Cloud Platform dashboard. - -### Semgrep add-on reconciliation of licenses - -If the organization exceeds the number of purchased licenses, the organization will be charged based on the number of licenses that exceeded the purchased amount. The additional charge starts the month after the use of licenses exceeds the contracted amount. - -Check in with your Semgrep Account Executive every **60 days** if you need more licenses than initially purchased. - -#### Example of license reconciliation - -On January 21st, you purchased annual licenses for 50 developers of Semgrep Supply Chain’s Team tier ($40 per developer per month). The 21st of the month is the start date of the annual contract. In the following month, on February 28th, the number of used developer licenses exceeded the original purchased quantity by 20 users. This requires a contract adjustment. - -Contract adjustment: - -- Since the organization’s use exceeded the amount of purchased licenses on February 28th, the future date of March 21st is selected to align with the remaining months in the contract. There are 10 months remaining in the contract. -- The additional amount charged, the add-on cost, is $8,000 ($40 per developer per month x 10 months x 20 users). -- Resulting add-on cost: **$8,000** - -## Upgrading your plan - -To upgrade to the Semgrep Code **Team tier** through a **credit card**: - -1. In the Settings page, select the Payment tab. -2. Select the number of developers to purchase licenses for. -3. Fill in your payment details. - -![Screenshot of payment menu](/img/billing-and-pricing-payment.png)
- -To purchase seats for Semgrep Supply Chain or to upgrade to the **Enterprise tier**, please [contact us](https://semgrep.dev/contact-us). - -### Billing - -Team tier users who pay through a credit card are charged monthly. Enterprise tier users are charged at an agreed-upon billing cycle. For any concerns such as custom payment methods and billing cycles, send an email to [billing@semgrep.com](mailto:billing@semgrep.com) to get in touch with our sales team. - -## Modifying or canceling your plan - -To modify or cancel your plan, send an email to [billing@semgrep.com](mailto:billing@semgrep.com). - -## Paying for your plan - -Pay through the following methods: - -
-
Pay using your credit card.
-
The payment will be processed through Stripe.
-
Pay through a purchase order or invoice.
-
- Send an email to{" "} - billing@semgrep.com to get in touch - with our sales team. -
-
- -## See also - -- [Supported languages](/supported-languages/) -- [List of vulnerabilities found and fixed with Semgrep](/trophy-case/) -- [Frequently asked questions](/faq/) - -## Additional resources - -- [Slack on scaling static analysis with Semgrep](https://semgrep.dev/blog/2021/slack-presents-semgrep-at-def-con-appsec-village/) - - diff --git a/docs/release-notes/april-2023.md b/docs/release-notes/april-2023.md index 01727ed5b..f4b79037b 100644 --- a/docs/release-notes/april-2023.md +++ b/docs/release-notes/april-2023.md @@ -122,7 +122,6 @@ This section of release notes includes upgrades of Semgrep OSS Engine for versio - You can now add repositories from Azure Repos into the Semgrep Cloud Platform. - Bitbucket PR comments are now available for Bitbucket Cloud users. See the [Enabling Bitbucket pull request comments](/semgrep-cloud-platform/bitbucket-pr-comments) to enable PR comments in your repositories. -- Check the new documentation sections [Semgrep add-on reconciliation of licenses](/pricing-and-billing/#semgrep-add-on-reconciliation-of-licenses) and [Example of license reconciliation](https://semgrep.dev/docs/semgrep-cloud-platform/pricing-and-billing/#example-of-license-reconciliation) that inform you about what happens if your organization exceeds the number of purchased licenses. ### Changes @@ -136,7 +135,7 @@ This section of release notes includes upgrades of Semgrep OSS Engine for versio ### Added -- New section [Semgrep add-on reconciliation of licenses](https://semgrep.dev/docs/semgrep-cloud-platform/pricing-and-billing/#semgrep-add-on-reconciliation-of-licenses) and [Example of license reconciliation](https://semgrep.dev/docs/semgrep-cloud-platform/pricing-and-billing/#example-of-license-reconciliation). +- New section [Semgrep add-on reconciliation of licenses](/usage-and-billing/#semgrep-add-on-reconciliation-of-licenses) and [Example of license reconciliation](/usage-and-billing/#example-of-license-reconciliation). - New section [Updating existing open-source rules in Semgrep Registry](/contributing/contributing-to-semgrep-rules-repository/#updating-existing-open-source-rules-in-semgrep-registry). - Added section [Creating rules that analyze across files](/semgrep-code/semgrep-pro-engine-intro/#creating-rules-that-analyze-across-files) and [Types of Semgrep Pro Engine analysis](/semgrep-code/semgrep-pro-engine-intro/#types-of-semgrep-pro-engine-analysis). - Added [Appendix: Token scopes](/semgrep-cloud-platform/user-management/#appendix-token-scopes). diff --git a/docs/release-notes/july-2023.md b/docs/release-notes/july-2023.md index 01098fd27..1ca91057b 100644 --- a/docs/release-notes/july-2023.md +++ b/docs/release-notes/july-2023.md @@ -157,7 +157,7 @@ This section of release notes includes upgrades of Semgrep OSS Engine for versio - To enable this feature: 1. Fill out the following form: [Request access to the Semgrep Jira integration private beta](https://get.semgrep.dev/Jira-private-beta.html). 2. Contact your Technical Account Manager or your Account Executive and let them know you'd like to try out the Jira integration. -- Usage limits are now in effect as of July 31, 2023. See the [Usage limits FAQ](/usage-limits) to learn more. +- Usage limits are now in effect as of July 31, 2023. See the [Usage](/usage-and-billing) document to learn more. - Various bugfixes and improvements. ## Semgrep Code diff --git a/docs/release-notes/may-2023.md b/docs/release-notes/may-2023.md index 3e9884ad8..a12d67309 100644 --- a/docs/release-notes/may-2023.md +++ b/docs/release-notes/may-2023.md @@ -15,7 +15,7 @@ These release notes include updates made by Semgrep, Inc. from May 2023 until Ju ## Semgrep tiers -- Semgrep’s Community Tier has been sunsetted. Existing and new users now have access to **all** Semgrep Team tier features for free, subject to [Usage limits](/usage-limits/). +- Semgrep’s Community Tier has been sunsetted. Existing and new users now have access to **all** Semgrep Team tier features for free, subject to [usage limits](/usage-and-billing/). ## Semgrep Cloud Platform diff --git a/docs/release-notes/november-2022.md b/docs/release-notes/november-2022.md index e450fe2ce..97fc2e013 100644 --- a/docs/release-notes/november-2022.md +++ b/docs/release-notes/november-2022.md @@ -88,7 +88,7 @@ These release notes include upgrades for versions ranging between 0.120.0 and 0. - [Running Semgrep in continuous integration (CI) with Semgrep App](/semgrep-ci/running-semgrep-ci-with-semgrep-cloud-platform/) - [Running Semgrep in continuous integration (CI) without Semgrep App](/semgrep-ci/running-semgrep-ci-without-semgrep-cloud-platform/) - [Sample continuous integration (CI) configurations](/semgrep-ci/sample-ci-configs/) -- Updated [Pricing and billing](/pricing-and-billing/) page. [Semgrep Supply Chain supported languages](/supported-languages/#semgrep-supply-chain) are now part of Pricing and billing document. +- Updated [Usage and billing](/usage-and-billing/) page. [Semgrep Supply Chain supported languages](/supported-languages/#semgrep-supply-chain) are now part of Pricing and billing document. - The `SEMGREP_TIMEOUT ` information has been updated. See [`SEMGREP_TIMEOUT`](/semgrep-ci/configuration-reference/#semgrep_timeout) documentation for more details. - Collapsible items in the documentation sidebar now take you to overview pages for a given category or lead to introductory pages. Overview pages also provide an updated description for displayed cards that represent individual documents. For example: [Semgrep command-line interface (CLI)](/category/semgrep-cli/), [Semgrep in continuous integration (CI)](/category/semgrep-in-ci/), [Data-flow analysis engine overview](/writing-rules/data-flow/data-flow-overview/) - Release notes that you are now reading have been split into one document for each month the Release notes category now has its own dedicated right sidebar. This change makes it easier to find changes that happened over the span of a month. diff --git a/docs/semgrep-ci/overview.md b/docs/semgrep-ci/overview.md index b278d717f..8c3e8edd9 100644 --- a/docs/semgrep-ci/overview.md +++ b/docs/semgrep-ci/overview.md @@ -70,7 +70,7 @@ The following table displays what features are available for manual (without Sem | Receive notifications in Slack and email | ✔️ | ❌ | | Pricing | Free for up to 10 developers* | Free | -*For teams larger than 10 developers, see the paid [Team or Enterprise tiers](/docs/pricing-and-billing). +*For teams larger than 10 developers, see the paid [Team or Enterprise tiers](https://semgrep.dev/pricing/). ## Setting up a CI job with Semgrep Cloud Platform diff --git a/docs/semgrep-cloud-platform/getting-started.md b/docs/semgrep-cloud-platform/getting-started.md index a63d9af6f..6a7b166a9 100644 --- a/docs/semgrep-cloud-platform/getting-started.md +++ b/docs/semgrep-cloud-platform/getting-started.md @@ -135,7 +135,7 @@ For **members**, perform the following steps to join the org: :::tip Product-specific information * To learn more about SAST scans on your codebase, see [Getting started with Semgrep Code](/semgrep-code/getting-started). * To learn more about SCA scans for your third-party dependencies, see [Getting started with Semgrep Supply Chain](/semgrep-supply-chain/getting-started). -* Both products are **free for up to 10 contributors**. See [Usage limits](/usage-limits) to learn more about contributors and usage limits. +* Both products are **free for up to 10 contributors**. See [Usage and billing](/usage-and-billing) to learn more about contributors and usage limits. ::: ### Starting a local repository scan and sending findings to SCP diff --git a/docs/semgrep-pro-vs-oss.md b/docs/semgrep-pro-vs-oss.md new file mode 100644 index 000000000..c8a767404 --- /dev/null +++ b/docs/semgrep-pro-vs-oss.md @@ -0,0 +1,204 @@ +--- +slug: semgrep-pro-vs-oss +append_help_link: true +title: Semgrep Pro versus Semgrep OSS +hide_title: true +description: "Learn about the features and differences of Semgrep OSS and Semgrep Pro." +tags: + - Semgrep OSS + - Semgrep Team & Enterprise Tier +--- + +# Semgrep Pro versus Semgrep OSS + +You can use Semgrep Pro or Semgrep OSS to scan your code for security issues, bugs, and compliance to coding standards. Semgrep uses both an engine and rules to scan your code. + +**Rules**, which are written in YAML, describe how Semgrep generates a **finding**, such as a security issue. A rule encapsulates the pattern-matching logic and is meant to be readable and customizable. + +The **engine** runs an analysis using the rules you have configured it to run. Semgrep provides both a proprietary Pro engine, and an OSS engine. + +This document outlines key differences between the Semgrep OSS and Pro product lines. + +The terms used in this document are defined as follows: + +
+
Semgrep OSS
+
Refers to Semgrep offerings with an open-source license, primarily the Semgrep OSS Engine, a fast and customizable static application security testing (SAST) scanner. To run Semgrep completely on OSS, use the OSS Engine and rules in the Semgrep Registry with open source licenses, or write your own custom rules.
+
Semgrep Pro
+
Refers to proprietary product offerings from Semgrep, Inc. These include:
+
Semgrep Code
A SAST scanner that uses cross-file (interfile) and cross-function (interprocedural) analysis for improved results over Semgrep OSS. Semgrep Code includes premium rules, known as Pro rules, that use the cross-file analysis to reduce false positives.
+
Semgrep Supply Chain
A high-signal dependency scanner that detects reachable vulnerabilities in open source third-party libraries and functions across the software development life cycle (SDLC).
+
Semgrep Secrets (beta)
A a secrets scanner that, in addition to detecting secrets, validates these leaked secrets on a variety of services to help you prioritize active secrets.
+
Semgrep Cloud Platform
A a web application for the deployment, management, and monitoring of findings from Semgrep's SAST, SCA, and secrets scanners. It integrates with continuous integration (CI) providers such as GitHub Actions, GitLab CI/CD, CircleCI, and more.
+
+
+
+ +:::tip +All Semgrep Pro products are free for up to 10 contributors. +::: + +## 🔎 Core scanning features + +The following tables describe Semgrep's essential scanning and findings management capabilities. + +### SAST (Static application security testing) + +| Feature | Semgrep OSS | Semgrep Pro | +| ------------------------------------------------------------------------------------- | ----------- | ---------------------- | +| Single-file analysis | ✔️ | ✔️ | +| Single-function analysis | ✔️ | ✔️ | +| Cross-file (across multiple files or **interfile**) analysis | -- | ✔️ | +| Cross-function (across multiple functions or **interprocedural**) analysis | -- | ✔️ | -- | ✔️ | +| [Dataflow analysis (taint)](/semgrep-code/semgrep-pro-engine-intro/) | -- | ✔️ | + +### SCA (Software composition analysis) + +| Feature | Semgrep OSS | Semgrep Pro | +| --------------------------------------------------------------- | ----------- | ------------------------------ | +| Reachability analysis for direct dependencies | -- | ✔️ | +| [License compliance](/semgrep-supply-chain/license-compliance/) | -- | ✔️ | +| [Dependency search](/semgrep-supply-chain/dependency-search) | -- | ✔️ | +| SBOM export | -- | ✔️ | + +## 💬 Scan management and monitoring + +The following table displays various notification channels and reporting features. + +| Feature | Semgrep OSS | Semgrep Pro | +| --------------------------------------------------------------------------------------------------------------- | ----------- | ----------------- | +| [Centralized management of scan results (triage, remediation, fine-tuning noisy rules)](/semgrep-code/policies) | -- | ✔️ | +| [Notifications and reports (Slack, email, webhooks, and API)](/semgrep-cloud-platform/notifications/) | -- | ✔️ | +| Send scan results to GitLab SAST and GitHub Advanced Security | -- | ✔️ | +| [Findings dashboard](/semgrep-cloud-platform/dashboard/) | -- | ✔️ | +| Findings retention | -- | 5 years | + +## 🧰 Scan customization features + +The following table displays customization features and tools that enhance Semgrep's core scanning capabilities. These features can increase true-positive rate and provide deeper insights into remediation. + +| Feature | Semgrep OSS | Semgrep Pro | +| ------------------------------------------------------------ | ----------------------------------------------- | -------------------------------------------- | +| Write your own rules | ✔️ | ✔️ | +| [Community-contributed rule registry](https://semgrep.dev/r) | ✔️ | ✔️ | +| Rule-writing environment | ✔️ [Playground](https://semgrep.dev/playground) | ✔️ Playground and Editor for logged-in users | +| Private rules\* | -- | ✔️ | +| Proprietary rule registry | -- | ✔️ | +| [Policy-based workflows†](/semgrep-code/policies/) | -- | ✔️ | + +\*Private rules refer to rules that are guaranteed a private access scope in the cloud. This scope of access does not apply to Semgrep OSS, as Semgrep OSS is purely CLI-based.
+† Policy-based workflows provide security teams a means to block merges, leave PR/MR comments, or silently monitor for potential issues based on the presence of a finding. + +### 🤖 Developer experience + +The following table lists tools to enable developers to resolve findings in their own code. + +| Feature | Semgrep OSS | Semgrep Pro | +| ------------------------- | ----------- | ----------------- | +| VS Code extension | ✔️ | ✔️ | +| IntelliJ extension | ✔️ | ✔️ | +| `pre-commit`‡ | ✔️ | ✔️ | +| Autofix | ✔️ | ✔️ | +| Autofix in PR/MR comments | -- | ✔️ | +| GPT-assisted autofix | -- | ✔️ | + +‡`pre-commit` requires some manual set-up. + +### 🏢 User and organization management + +| Feature | Semgrep OSS | Semgrep Pro | +| ------------------------------------------------------------------------------------------------------------- | ----------- | ----------------- | +| [Role-based access control (RBAC)](/semgrep-cloud-platform/user-management/#controlling-access-through-roles) | -- | ✔️ | +| [Personal and organizational accounts](/semgrep-cloud-platform/user-management/) | -- | ✔️ | +| [SSO, OpenID, or OAuth2 authentication](/semgrep-cloud-platform/sso/) | -- | ✔️ | + +## 🧾 Licenses and tiers + + + + + + + + + + + + + + + + + + + + + + + + + + +
Product lineLicenseSubscription tiers
Semgrep ProProprietary
  • Semgrep Team
    • +
  • Semgrep Enterprise
Semgrep OSS EngineGNU LGPL 2.1--
Publicly-contributed rulesDependent on author--
+ +See [ Licensing](/licensing/#semgrep-registry-license) for more details. + + + diff --git a/docs/usage-and-billing.mdx b/docs/usage-and-billing.mdx new file mode 100644 index 000000000..860e539a1 --- /dev/null +++ b/docs/usage-and-billing.mdx @@ -0,0 +1,158 @@ +--- +slug: usage-and-billing +append_help_link: true +title: Usage and billing +description: "Learn about usage computation and other aspects of your Semgrep licenses." +tags: + - Semgrep Cloud Platform + - Semgrep OSS + - Team & Enterprise Tier +hide_title: true +--- + +import MoreHelp from "/src/components/MoreHelp"; + + + + + +# Usage and billing + +Learn about usage computation and other aspects of your Semgrep licenses. + +:::note +- This document is for **Semgrep Pro** users; Semgrep OSS Engine does not have any usage limit. Compare [ Semgrep Pro and Semgrep OSS](/semgrep-pro-vs-oss). +::: + +## Usage + +All Semgrep Pro products are free under the **Team** tier for **10 monthly contributors**. These products include: + +- Semgrep Cloud Platform +- Semgrep Code +- Semgrep Supply Chain +- Semgrep Secrets (beta) + +A **contributor** is someone who has made at least **one** commit to a Semgrep-scanned **private** repository within the last month, starting from the **date of license purchase** if a license was purchased, or the date of account creation, for accounts using Semgrep within usage limits. + +Any type of Semgrep Pro scan counts towards the contributor total. This includes: + +- Scanning with any Semgrep Pro product (Code, Supply Chain, and so on). +- Full scans on a repository or partial scans on a pull or merge request. + +### Usage computation + +Contributors are calculated using `git log` over the **past 30 days** (a rolling interval), not the beginning of each month. The start date is either: + +- The date of your license purchase. +- The date of account creation, if you and your team are within usage limits. + +**Bots** and similar automations are excluded from this count. + +### Exceeding the free usage limit + +Semgrep scans stop when the usage limit is exceeded. Resume scanning through: + +* A one-time 30-day free trial that starts automatically when the usage limit is exceeded for the first time. +* Purchasing additional licenses. +* Waiting for the next billing cycle. + +If the first scan exceeds the usage limit, Semgrep still completes the first scan and a one-time 30-day free trial automatically starts. After the trial concludes, if scans are attempted on private repositories that exceed the usage limit, scans will not run until additional licenses are purchased. + +### Usage limit on public projects + +Public projects have no limits on contributors. + +### Semgrep CLI commands subject to usage limits + +The `semgrep scan` command is subject to the usage limit only if the scan is by a logged-in contributor. Semgrep computes contributor counts for any logged-in scan command (for example, `semgrep ci`, `semgrep scan`, and so on) when the Pro Engine, Supply Chain, or Pro rules are used. + +## Determine your plan needs + +Within your team or organization, assess the number of **contributors**. Contributors are members of your organization that make commits. That determines the number of **licenses** needed for the plan purchase. + +For example, if a project has 4 unique contributors who create commits during the billing period while Semgrep is scanning their repositories, only 4 licenses are required even if the organization has a total of 10 members. Contributors are counted only once even if they commit to many projects within the same organization, so no additional licenses are required. + +:::info +You only need to buy licenses for contributors over 10. The 11th contributor and onwards are charged. For example, an engineering team with 20 contributing developers will only pay for 10 licenses. +::: + +All members of the organization, regardless of contributor (license) status, have access to paid features for the chosen tier. This means that project managers and other non-programming roles can still view the Semgrep Cloud Platform dashboard. + +### Single-product purchases + +You can choose to purchase a single product. Products can also be disabled from the [Settings page](https://semgrep.dev/orgs/-/settings). + +### Number of licenses per product + +You must purchase an **equal number of licenses** for each product you intend to use. For example, you cannot purchase 4 licenses of Semgrep Supply Chain and 9 licenses of Semgrep Code. + +## Reconciliation of licenses and usage + +If your organization exceeds the number of purchased licenses for the period defined in your contract, your organization will be charged based on the number of licenses that exceeded the purchased amount. The additional charge starts the month after the use of licenses exceeds the contracted amount. + +Check in with your Semgrep Account Executive every **60 days** if you need more licenses than initially purchased. + +### Example of license reconciliation + +On January 21st, you purchased annual licenses for 50 developers of Semgrep Supply Chain’s Team tier ($40 per developer per month). The 21st of the month is the start date of the annual contract. In the following month, on February 28th, the number of used developer licenses exceeded the original purchased quantity by 20 users. This requires a contract adjustment. + +Contract adjustment: + +- Since the organization’s use exceeded the amount of purchased licenses on February 28th, the future date of March 21st is selected to align with the remaining months in the contract. There are 10 months remaining in the contract. +- The additional amount charged, the add-on cost, is $8,000 ($40 per developer per month x 10 months x 20 users). +- Resulting add-on cost: **$8,000** + +## Upgrade your plan + +To upgrade to the Semgrep Code **Team tier** through a **credit card**: + +1. In the Settings page, select the **Usage & billing** tab. +2. Select the number of developers to purchase licenses for. +3. Fill in your payment details. + +![Payment menu](/img/billing-and-pricing-payment.png)
+ +To purchase licenses for Semgrep Supply Chain and Secrets, or to upgrade to the **Enterprise tier**, please [contact us](https://semgrep.dev/contact-us). + +### Billing + +Team tier users who pay through a credit card are charged monthly. Enterprise tier users are charged at an agreed-upon billing cycle. For any concerns such as custom payment methods and billing cycles, send an email to [billing@semgrep.com](mailto:billing@semgrep.com) to get in touch with our sales team. + +## Modify or cancel your plan + +To modify or cancel your plan, send an email to [billing@semgrep.com](mailto:billing@semgrep.com). + +## Pay for your plan + +Pay through the following methods: + +
+
Pay using your credit card.
+
The payment will be processed through Stripe.
+
Pay through a purchase order or invoice.
+
+ Send an email to{" "} + billing@semgrep.com to get in touch + with our sales team. +
+
+ +## See also + +- [Supported languages](/supported-languages/) +- [List of vulnerabilities found and fixed with Semgrep](/trophy-case/) +- [Frequently asked questions](/faq/) + +## Additional resources + +- [Slack on scaling static analysis with Semgrep](https://semgrep.dev/blog/2021/slack-presents-semgrep-at-def-con-appsec-village/) + + diff --git a/docs/usage-limits.md b/docs/usage-limits.md deleted file mode 100644 index 4b574ba93..000000000 --- a/docs/usage-limits.md +++ /dev/null @@ -1,78 +0,0 @@ ---- -slug: usage-limits -append_help_link: true -hide_title: true -description: >- - Frequently asked questions about Semgrep, comparisons to similar tools, - rule licensing, technical support, and more. ---- - -import MoreHelp from "/src/components/MoreHelp" - -# Usage limits - -This section describes usage limits. - -:::caution important dates -* The Semgrep Community tier has been sunsetted. All Community Tier accounts have been moved to the Team tier. -* The new usage limits come into effect starting on July 31, 2023. -::: - -### What is changing about Semgrep tiers? - -The Community tier was sunsetted on June 6, 2023. Semgrep, Inc now offers the Team tier for free to all users up to the usage limit of 10 contributors scanning on private repositories. A contributor is defined as someone who contributed code to a private repository scanned by Semgrep. - -You can now access the Team tier features of Semgrep Supply Chain, Semgrep Code, and Semgrep Cloud Platform features such as: - -* [SSO, RBAC, and other account management tools](/semgrep-cloud-platform/user-management/) -* [Semgrep Pro Engine](/semgrep-code/semgrep-pro-engine-intro/) -* [Semgrep Pro rules](/semgrep-code/pro-rules/) -* [Semgrep API](https://semgrep.dev/api/v1/docs/) - -If the number of contributors exceeds the usage limit, you must purchase licensing for the 11th contributor onward. - -The Enterprise tier remains unaffected. - -### What is the usage limit? - -The usage limit is 10 contributors. A contributor is someone who has made at least one commit to a Semgrep-scanned private repository within the last 30 days. - -### How are contributors calculated? - -Contributors are calculated using `git log` over the past 30 days. **Bots** and similar automations are excluded from this count. - -### What happens when the usage limit is exceeded? - -Semgrep scans stop when the usage limit is exceeded. You can resume scanning through the following: - -* A one-time 30-day free trial that starts automatically when the usage limit is exceeded for the first time. -* By purchasing additional licenses. -* By waiting for the next billing cycle. - -### When will usage limits be enforced? - -Usage limits have been enforced since July 31, 2023. - -### What if the first Semgrep scan exceeds the contributor usage limit? - -Semgrep will complete the first scan and a one-time 30-day free trial will automatically start. After the trial concludes, if scans are run on private repositories that exceed the usage limit, scans will not run until additional licenses are purchased. - -### How is the cost calculated for the Team tier? - -The 11th contributor and onwards are charged. For example, an engineering team with 20 contributing developers will only pay for 10 licenses. - -### Can a single product be purchased? - -Yes, you can buy a single product. Products can also be disabled from the [Settings page](https://semgrep.dev/orgs/-/settings). - -### Can I purchase a different number of licenses per product? - -No. For example, you cannot purchase 4 licenses of Semgrep Supply Chain and 9 licenses of Semgrep Code. You must purchase an equal number of licenses for both products. - -### Do public projects have the same contribution limits? - -No, public projects have no limits on contributors. - -### Is the command `semgrep scan` subject to the usage limit? - -Yes, but only if the scan is by a logged-in/authenticated contributor or user. Semgrep computes contributor counts for any logged-in scan command (for example, `semgrep ci`, `semgrep scan`, etc.) when the Pro Engine, Supply Chain, or Pro rules are used. diff --git a/docusaurus.config.js b/docusaurus.config.js index 8996baf5c..646e688f1 100644 --- a/docusaurus.config.js +++ b/docusaurus.config.js @@ -310,7 +310,7 @@ module.exports = { //Semgrep Cloud Platform { from: "/semgrep-app/dashboard/" , to: "/semgrep-cloud-platform/dashboard/" } , { from: "/semgrep-app/getting-started-with-semgrep-app/" , to: "/semgrep-cloud-platform/getting-started/" } , - { from: "/semgrep-app/pricing-and-billing/" , to: "/pricing-and-billing/" } , + { from: "/semgrep-app/pricing-and-billing/" , to: "/usage-and-billing/" } , { from: "/semgrep-app/scm/" , to: "/semgrep-cloud-platform/scm/" } , { from: "/semgrep-app/semgrep-api/" , to: "/semgrep-cloud-platform/semgrep-api/" } , { from: "/semgrep-app/sso/" , to: "/semgrep-cloud-platform/sso/" } , @@ -330,7 +330,7 @@ module.exports = { { from: "/semgrep-ci/configuration-reference" , to: "/semgrep-ci/ci-environment-variables/" }, /* MAY 12 2023 */ - { from: "/semgrep-cloud-platform/pricing-and-billing/" , to: "/semgrep-cloud-platform/notifications/" }, + { from: "/semgrep-cloud-platform/pricing-and-billing/" , to: "/usage-and-billing/" }, { from: "/extensions/" , to: "/extensions/overview/" }, /* JULY 14 2023 */ @@ -343,7 +343,10 @@ module.exports = { { from: "/kb/semgrep-ci/github-required-workflows-semgrep/" , to: "/kb/semgrep-ci/github-repository-rulesets-semgrep/" }, /* NOV 23 2023 */ - { from: "/getting-started/" , to: "/getting-started/quickstart/" } + { from: "/getting-started/" , to: "/getting-started/quickstart/" }, + + /* JAN 30 2024 */ + { from: "/usage-limits/" , to: "/usage-and-billing/" } ] } diff --git a/sidebars.js b/sidebars.js index 69a4a1f5a..6cb30d18b 100644 --- a/sidebars.js +++ b/sidebars.js @@ -347,7 +347,8 @@ module.exports = { }, ], }, - 'pricing-and-billing' + 'semgrep-pro-vs-oss', + 'usage-and-billing' ] }, { @@ -485,7 +486,6 @@ module.exports = { 'licensing', 'faq', 'integrating', - 'usage-limits', 'contributing/philosophy', { type: 'doc', diff --git a/static/img/billing-and-pricing-payment.png b/static/img/billing-and-pricing-payment.png index b9d67b79d..a1a246585 100644 Binary files a/static/img/billing-and-pricing-payment.png and b/static/img/billing-and-pricing-payment.png differ