All posts

Comparison

A Semgrep alternative built for AI-generated code

Semgrep is a genuinely good static analysis engine, and this is not a takedown. But if your goal is specifically to catch the security mistakes that Cursor, Claude Code, Lovable, and the rest leave in your app, a general-purpose scanner is the wrong shape for the job. Here is the honest comparison, including a precision test on a popular open-source starter where the two tools produced very different results.

Last updated

People reach for Semgrep when they want static analysis and it is the name they know. It deserves the reputation: it is fast, it supports many languages, and its pattern syntax is genuinely powerful once you invest in writing rules. The question this post answers is narrower: if the thing you actually care about is the security of code an AI tool wrote, is a general-purpose scanner the right tool, and where does something purpose-built fit instead.

The core difference in one sentence

Semgrep is a general engine that finds whatever patterns you (or a community ruleset) tell it to look for. Prbl asks one specific question, did an AI tool generate this code and does it carry the gaps AI tools leave behind, and ships with the rules for that question already written and tuned. That difference in scope drives everything else.

Semgrep
Prbl
What it scans
Any code, any language, general patterns
The vulnerability classes AI coding tools produce
Rule authoring
You write and tune rules (or use community packs)
Curated rules, no setup
Tuning burden
High: default packs need triage on modern frameworks
Low: tuned against 1,900+ real apps
Best at
Deep, customizable org-wide static analysis
Catching what AI tools leave behind, fast
Setup
CI config, rule selection, ignore files
Paste a repo URL, or connect GitHub

Wondering if your code has any of this? Scan a public repo free, no account needed.

Scan a repo →

The precision problem, measured

The practical issue with pointing a general-purpose ruleset at modern AI-generated app code is noise. Framework idioms, generated boilerplate, and typed helper code trip generic patterns constantly, and every false alarm trains a developer to ignore the tool. We measured this on create-t3-app, a widely used, clean TypeScript starter, the kind of code an AI tool scaffolds every day.

Semgrep default ruleset
54
findings, 53 of them false positives
Prbl
0
findings on the same repo

To be fair to Semgrep, this is its default ruleset, not a tuned one, and tuning is exactly what Semgrep is built to let you do. That is the whole point: getting a general engine quiet enough to trust on your codebase is real, ongoing work. Prbl arrives quiet because its rules were tuned against more than 1,900 real apps before you ever ran it, and every false positive we have found in those studies became a permanent regression test.

When Semgrep is the right call

Plenty of situations favor Semgrep, and it is worth being straight about them:

  • You want to enforce organization-specific patterns, internal API rules, banned functions, house style, that only you can define.
  • You have the appetite to write and maintain rules and want maximum control over exactly what fires.
  • You need broad language coverage across a large, varied codebase beyond web app code.

When Prbl is the better fit

  • Your codebase is mostly or partly AI-generated, and you want the specific issues those tools produce (hardcoded secrets, injection, missing auth, weak randomness, disabled TLS) caught without authoring rules.
  • You want to start in a minute, paste a public repo URL and read findings, no CI setup or rule selection.
  • You want low noise out of the box, because a scanner nobody trusts is a scanner nobody runs.

The honest answer: they are not mutually exclusive

The best setup for many teams is both. Keep Semgrep for the deep, custom, org-wide analysis it is unmatched at, and add Prbl as the focused pass that answers the AI-specific question with near-zero tuning. They overlap far less than their category names suggest. If you only want one and your code is AI-heavy, start with the one that is already tuned for it.

If you want the full picture on how Prbl is validated, the testing methodology writeup covers the regression suite and the precision comparison in detail, and the Prbl vs Semgrep page has the quick side-by-side.

Prbl scans the AI-generated parts of your codebase for exactly the kinds of issues above.

Find what AI missed — free
A Semgrep Alternative Built for AI-Generated Code: Prbl