
SRC009 — https://konvu.com/compare/semgrep-vs-codeql


Metadata

Field | Value
URL | https://konvu.com/compare/semgrep-vs-codeql
Authors | Konvu (vendor producing triage tools)
Date | 2026-03-16

Content Summary

Technical comparison of the CodeQL and Semgrep SAST tools, drawing on academic benchmarks. Key data: on the OWASP Benchmark, CodeQL has a false-positive rate (FPR) of 68.2% and Semgrep 74.8%. Four tools combined detect only 38.8% of real-world vulnerabilities; adding custom Semgrep rules raised detection to 44.7%. CodeQL adoption is 10-30%, depending on language.

Reliability: Medium

Well-sourced vendor comparison that cites academic papers, but written by a company selling SAST triage tools. Note that the FPR figures come from the OWASP Benchmark, a synthetic Java test suite, so they do not necessarily transfer to other languages or to real codebases.

Relevance: High

Provides specific false-positive rates and detection-accuracy figures for major SAST tools, plus CodeQL adoption rates.

Bias Assessment

Domain | Rating | Rationale
Missing Data | Some concerns | The cited academic benchmarks test only Semgrep Community Edition, not the commercial Pro Engine.
Measurement | Low risk | Cites specific academic studies with named authors and publication venues.
Selective Reporting | Some concerns | Concludes that triage, Konvu's own product area, is the bottleneck.
Randomization | N/A | Not an RCT.
Protocol Deviation | N/A | Not an RCT.
Conflict Of Interest | Some concerns | Konvu sells triage tools that sit downstream of SAST scanners.
