Semgrep vs. BrassCoders: Choose the Right Tool
Semgrep and BrassCoders share a scanner. The useful question is what each adds that the other doesn't — for Python teams shipping AI-generated code.
Semgrep and BrassCoders both scan Python code. They share a scanner: BrassCoders bundles Semgrep internally and runs its OSS ruleset as one of 12 analysis passes. The question of which one to use is, in most cases, the wrong framing. The relevant question is what each tool adds that the other doesn’t.
The short answer: Semgrep is a pattern-matching engine built for teams who write custom rules. BrassCoders is a 12-scanner bundle built for Python teams who don’t want to write any rules. A team with custom Semgrep rules and a Python-heavy codebase using AI coding assistants gets the most from running both.
What Semgrep Does Well
Semgrep is a multi-language static analysis engine built around a pattern-matching language that lets security engineers express any AST structure they want to find. Its OSS ruleset covers 30+ languages and thousands of pre-written patterns; its Pro tier adds cross-file taint analysis and team management. The tool’s strength is custom rules — if you have a security engineer who knows what to look for, Semgrep’s pattern language is how you codify it at scale.
The default OSS rules are strong on the security categories where patterns are well-understood: SQL injection, command injection, XSS, insecure deserialization, path traversal, SSRF. The community ruleset at github.com/returntocorp/semgrep-rules has been written, reviewed, and tested against real codebases. For general-purpose security coverage across a polyglot codebase, running the OSS ruleset is a reasonable starting point.
The custom-rule layer is where Semgrep separates from every other static analyzer. Semgrep’s pattern syntax can match any AST structure you can describe, which means it can encode org-specific anti-patterns, internal API misuse, proprietary framework idioms, or library deprecation notices. The pattern compiler is fast enough that a ruleset of hundreds of custom rules runs in seconds. That capability requires an engineer to write and maintain the rules.
What BrassCoders Does Differently
BrassCoders ships 12 scanners pre-configured for AI-generated Python, including Semgrep with its OSS ruleset. Running BrassCoders gives you Semgrep’s OSS coverage plus four AI-coder performance anti-pattern detectors, a phantom-API hallucination detector, a PII/privacy scanner, and Yelp’s detect-secrets covering 20+ secret formats. No rule-writing required.
The architecture is deliberate. The 12 scanners — Bandit, Pylint, Pyre/Pysa (Meta’s taint analyzer for Python), Semgrep, ast-grep, detect-secrets, plus six custom detectors — emit findings as a union into structured YAML at .brass/. The AI coding assistant reads the YAML and triages. BrassCoders doesn’t infer context or assign blame; it reports what the patterns found. The AI assistant applies the contextual judgment.
The --offline flag enforces zero outbound network calls for the OSS core. The Paid plan ($12/month) adds AI-powered enrichment through BrassCoders’s gateway but never sends raw source code off the local machine.
Catch-Rate Comparison (Real Numbers)
In BrassCoders’s reproducible benchmark against 12 AI-generated Python files (June 2026, version 2.0.8), BrassCoders caught 11 of 12 planted bugs and Semgrep’s default OSS rules caught 4 of 12. Semgrep’s four catches were all in the security category. Semgrep caught 0 of the 4 AI-coder performance anti-patterns, because no default Semgrep rule targets that category.
The full methodology is published at coppersun.dev/blog/ai-coder-bug-benchmark/.
| Tool | Security (4) | Perf (4) | Secrets / PII (2) | Correctness (2) | Total |
|---|---|---|---|---|---|
| BrassCoders 2.0.8 | 4/4 | 4/4 | 2/2 | 1/2 | 11/12 |
| Semgrep (OSS rules) | 4/4 | 0/4 | 0/2 | 0/2 | 4/12 |
| Bandit | 4/4 | 0/4 | 2/2 | 0/2 | 6/12 |
The security column is a tie. Both tools caught all four security bugs — the OSS ruleset is strong there. The gap opens in the other three categories, particularly performance and PII, where the OSS ruleset has no default coverage and BrassCoders ships dedicated detectors.
The benchmark is reproducible. The planted bugs, tooling versions, and invocation commands are all documented there. Run it yourself and see different numbers? Open an issue — the methodology is public.
When to Choose Semgrep
Semgrep is the right choice when custom rules are the core requirement. If your team has a security engineer who will write and maintain a ruleset — org-specific anti-patterns, internal API misuse, deprecated library calls, proprietary framework idioms — Semgrep’s pattern language is the right tool for that work. Nothing else matches its expressiveness for codifying what you already know to look for.
Semgrep is also the right pick for polyglot codebases. If the same analysis pass needs to cover Java, Go, Ruby, and Python, Semgrep’s 30+ language support handles that in one invocation. BrassCoders is Python-first; its 11 Python-specific scanners don’t cross over.
Without custom rules, the equation shifts. Running Semgrep’s OSS ruleset on a Python codebase gives you the security patterns the community has written, which is useful, but that’s the coverage BrassCoders already bundles. The OSS-only Semgrep run is, in effect, a subset of a BrassCoders run.
When to Choose BrassCoders
BrassCoders is the right choice when you’re shipping Python, using AI coding assistants, and want a CI gate that requires no rule authorship. The 12-scanner bundle covers the AI-coder perf and privacy surface without any configuration — pip install brasscoders, then brasscoders scan. That’s the full setup.
The AI-coder performance category is the clearest differentiator. Patterns like O(N²) string concatenation in a loop, repeated list.insert(0, ...) calls, and unbounded polling intervals are artifacts of how AI assistants generate code. They’re performance bugs, not security bugs, and no general-purpose security ruleset covers them. BrassCoders’s four performance detectors catch all four categories because they were written specifically for AI-generated Python.
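To make the category concrete, here is an added illustration (not BrassCoders’s own detector code) of how two of these anti-patterns can be found with a plain Python AST walk: string concatenation inside a loop body and list.insert(0, ...) inside a loop body. The sample source it scans is constructed for this example, not a file from the benchmark.

```python
import ast
from typing import List, Tuple

# Constructed sample resembling AI-generated Python, with two planted
# performance anti-patterns (not a file from the BrassCoders benchmark).
SAMPLE = '''
def build_report(rows):
    out = ""
    for r in rows:
        out += f"{r},"        # quadratic string concat in a loop
    items = []
    for r in rows:
        items.insert(0, r)    # O(N) shift per insert, O(N^2) total
    return out, items
'''


class PerfAntiPatternVisitor(ast.NodeVisitor):
    """Flags two AI-coder perf anti-patterns that occur inside loop bodies."""

    def __init__(self) -> None:
        self.loop_depth = 0
        self.findings: List[Tuple[int, str]] = []

    def _visit_loop(self, node: ast.AST) -> None:
        self.loop_depth += 1        # track nesting so only loop bodies count
        self.generic_visit(node)
        self.loop_depth -= 1

    visit_For = visit_While = _visit_loop

    def visit_AugAssign(self, node: ast.AugAssign) -> None:
        # `x += <string literal or f-string>` inside a loop
        v = node.value
        is_str = isinstance(v, ast.JoinedStr) or (
            isinstance(v, ast.Constant) and isinstance(v.value, str))
        if self.loop_depth and isinstance(node.op, ast.Add) and is_str:
            self.findings.append((node.lineno, "string-concat-in-loop"))
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        # `<obj>.insert(0, ...)` inside a loop
        f = node.func
        if (self.loop_depth and isinstance(f, ast.Attribute) and f.attr == "insert"
                and node.args and isinstance(node.args[0], ast.Constant)
                and node.args[0].value == 0):
            self.findings.append((node.lineno, "insert-zero-in-loop"))
        self.generic_visit(node)


def scan_source(src: str) -> List[Tuple[int, str]]:
    """Return (line, rule-id) findings for one Python source string."""
    visitor = PerfAntiPatternVisitor()
    visitor.visit(ast.parse(src))
    return sorted(visitor.findings)


if __name__ == "__main__":
    for line, rule in scan_source(SAMPLE):
        print(f"line {line}: {rule}")
```

The same `+=`/`insert(0, ...)` outside a loop is not flagged, which is the distinction a general-purpose security ruleset has no reason to make.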
The phantom-API hallucination detector is the other category with no Semgrep equivalent in the default ruleset. When an AI assistant generates an import for a library that doesn’t exist on PyPI, BrassCoders catches it at scan time. That category doesn’t appear in general-purpose rulesets because it’s a recent AI-generation artifact.
At $12/month for the Paid tier or free for the OSS core, the upfront cost is lower than the engineering time to write and maintain a Semgrep custom-rule library for these categories.
Running Both
BrassCoders bundles Semgrep internally, so running BrassCoders replaces a standalone Semgrep invocation for the OSS ruleset. If your team has custom Semgrep rules, you can run BrassCoders for its 12-scanner baseline and Semgrep separately for the custom rules. The two output formats don’t conflict, and the CI step is straightforward: BrassCoders writes .brass/ai_instructions.yaml, Semgrep writes its own SARIF or JSON output, and the developer hands both to the AI assistant for triage.
Most Python-heavy teams with existing custom Semgrep rules run this combination. BrassCoders handles the AI-coder-specific surface (perf, PII, phantom APIs, secrets) and the aggregated OSS security rules; Semgrep handles the org-specific patterns that require the custom rule layer.
Teams starting from scratch on a Python AI-assisted codebase with no existing Semgrep investment typically run BrassCoders alone. The 12-scanner bundle covers the territory without requiring any rule authorship.
Install the OSS core: pip install brasscoders. The June 2026 benchmark has the full methodology, the planted bugs, and the invocation commands for both tools if you want to run the comparison on your own codebase.
Frequently Asked Questions
Does BrassCoders replace Semgrep?
No, and the question is slightly misframed: BrassCoders bundles Semgrep internally and runs its OSS ruleset as one of 12 scanners. Running BrassCoders replaces a standalone Semgrep invocation for the OSS rules, but if your team has custom Semgrep rules, you'd still run Semgrep separately for those.
How many bugs did Semgrep catch in BrassCoders's benchmark?
In BrassCoders's June 2026 benchmark against 12 AI-generated Python files, Semgrep's default OSS rules caught 4 of 12 planted bugs — all four in the security category. It caught 0 of 4 AI-coder performance anti-patterns, because no default Semgrep rule targets them.
Does Semgrep detect AI-coder performance bugs?
Not by default. Semgrep's OSS ruleset is strong on security patterns (SQL injection, command injection, XSS, deserialization) and extensible via custom rules. AI-coder perf anti-patterns — O(N²) string concat, insert(0) loops, triple-nested joins, unbounded polls — aren't in the default ruleset.
When does it make sense to run both tools?
BrassCoders bundles Semgrep's OSS rules, so running BrassCoders gives you that coverage plus 11 additional scanners. If your team has custom Semgrep rules for org-specific anti-patterns or proprietary frameworks, run BrassCoders for the 12-scanner baseline and Semgrep separately for the custom rules. The outputs don't conflict.
Does BrassCoders work without a paid plan?
Yes. The OSS core is Apache 2.0, ships via PyPI as brasscoders, requires Python 3.10+, and makes zero outbound network calls by default. The --offline flag enforces that guarantee. Paid is $12/month and adds AI-powered enrichment.
What languages does each tool support?
Semgrep supports 30+ languages. BrassCoders is Python-first — 11 of its 12 scanners target Python directly; the 12th covers JavaScript and TypeScript. BrassCoders is not the right pick for polyglot codebases where Java, Go, and Ruby need the same analysis pass.