# Semgrep > [## 📄️ CI environment variablesConfigure Semgrep in CI by setting various environment variables. Enable diff-aware scanning, connect to Semgrep AppSec Platform, and more. --- # Documentation Source: https://semgrep.dev/docs/category/ci-references [## 📄️ CI environment variablesConfigure Semgrep in CI by setting various environment variables. Enable diff-aware scanning, connect to Semgrep AppSec Platform, and more. ](/docs/semgrep-ci/ci-environment-variables) --- # Documentation Source: https://semgrep.dev/docs/category/deployment-at-scale [## 📄️ Teams and user managementManage user access to projects through Teams. ](/docs/deployment/teams) --- # Documentation Source: https://semgrep.dev/docs/category/glossaries [## 📄️ Code glossaryDefinitions of Semgrep Code product-specific terms. ](/docs/semgrep-code/glossary) --- # Documentation Source: https://semgrep.dev/docs/category/language-specific-features [## 📄️ Semantic detection in JavaProprietary Semgrep features for the Java language that can increase true positives and reduce false positives. ](/docs/semgrep-code/java) --- # Documentation Source: https://semgrep.dev/docs/category/local-and-cli-scans [## 📄️ Local CLI scansLearn how to set up Semgrep, scan your first project for security issues, and view your findings in the CLI. ](/docs/getting-started/cli) --- # Compliance Source: https://semgrep.dev/docs/compliance/compliance-overview - [](/docs/)- Support & resources- Compliance**On this page- [Compliance](/docs/tags/compliance)Compliance Semgrep provides security tooling that can support compliance efforts, but does not guarantee compliance. Organizations remain responsible for meeting all compliance requirements. Consult with your compliance team and auditors to determine how Semgrep fits into your compliance program. Semgrep can help address security requirements in the following compliance frameworks and standards: ### Government and federal standards[​](#government-and-federal-standards) - **[FedRAMP](/docs/compliance/fedramp):** Federal Risk and Authorization Management Program for cloud services used by U.S. federal agencies - **[NIST 800-171](/docs/compliance/nist-800-171):** Protecting Controlled Unclassified Information (CUI) in nonfederal systems ### Healthcare and privacy[​](#healthcare-and-privacy) - **[HIPAA/HITRUST](/docs/compliance/hipaa-hitrust):** Health Insurance Portability and Accountability Act and HITRUST Common Security Framework - **[GDPR](/docs/compliance/gdpr):** General Data Protection Regulation for protecting personal data of EU residents ### Financial services[​](#financial-services) - **[PCI DSS](/docs/compliance/pci-dss):** Payment Card Industry Data Security Standard for protecting cardholder data ### Information security standards[​](#information-security-standards) - **[ISO 27001](/docs/compliance/iso27001):** International standard for information security management systems (ISMS) - **[ISO 27017](/docs/compliance/iso-27017):** Code of practice for information security controls for cloud services ### SOC 2[​](#soc-2) - **[SOC 2](/docs/compliance/soc2):** Service Organization Control 2 for security, availability, processing integrity, confidentiality, and privacy ## Getting started with compliance[​](#getting-started-with-compliance) - **Review the specific framework page** relevant to your organization from the list above - **Understand which controls** Semgrep can help address in your compliance program - **Deploy Semgrep** following the [core deployment guide](/docs/deployment/core-deployment) - **Configure policies** that align with your compliance requirements - **Work with your compliance team** to incorporate Semgrep into your compliance documentation and audit processes For questions about how Semgrep fits into your specific compliance program, contact your compliance team or [Semgrep support](/docs/support). Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Compliance](/docs/tags/compliance)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/compliance/overview.md)Last updated on **Nov 26, 2025** --- # Contributing overview Source: https://semgrep.dev/docs/contributing/contributing - [](/docs/)- [Support & resources](/docs/trophy-case)- Contribute to Semgrep- Contributing overviewContributing overview Your contributions to Semgrep Community Edition (CE) are welcome! To contribute, read and agree with the [Contributor Covenant Code of Conduct](https://github.com/semgrep/semgrep/blob/develop/CODE_OF_CONDUCT.md). Your contributions can help in various places: ContributionWhere to contributeFile a Semgrep CE issue.See the [Semgrep GitHub repository](https://github.com/semgrep/semgrep/issues/new/choose).Contribute code changes.Follow the [Contributing code](/docs/contributing/contributing-code) document. Find a task in the [list of good first issues](https://github.com/semgrep/semgrep/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22).Contribute rules to the Semgrep Registry.Add new rules through Semgrep AppSec Platform or GitHub. See [Contributing rules](/docs/contributing/contributing-to-semgrep-rules-repository).Update the documentation you are reading right now!Create a PR or an issue in the [Documentation repository](https://github.com/semgrep/semgrep-docs).File an issue for our Semgrep Visual Studio Code extension or help us to improve it.See the [semgrep-vscode](https://github.com/semgrep/semgrep-vscode) repository.File an issue for our Semgrep IntelliJ Plugin help us to improve it.See the [semgrep-intellij](https://github.com/semgrep/semgrep-intellij) repository.Help others in the community.Check [Semgrep Community Slack](https://go.semgrep.dev/slack). For any contribution to Semgrep code (bug fix or fixed issue, feature), read more about development workflow and testing in the [contribution guidelines](/docs/contributing/contributing-code). For a high-level view of Semgrep’s design principles, see the [Semgrep philosophy](/docs/contributing/semgrep-philosophy). Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. [Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/contributing/contributing.md)Last updated on **Dec 13, 2024** --- # Semgrep Community Edition (CE) philosophy Source: https://semgrep.dev/docs/contributing/semgrep-philosophy - [](/docs/)- [Support & resources](/docs/trophy-case)- What's Semgrep- Semgrep CE philosophy- [Semgrep Community Edition](/docs/tags/semgrep-community-edition)Semgrep Community Edition (CE) philosophy [Semgrep CE](https://github.com/semgrep/semgrep/) is a lightweight static analysis tool for many languages. It can find bug variants with patterns that look like source code. As you think about contributing to Semgrep CE, consider these design principles that have guided Semgrep CE development so far: - **Free**** “If a developer has to convince their manager to spend a few million dollars on advanced security tools each time they change jobs, the future is bleak.” — see our [introductory blog post](https://semgrep.dev/blog/2020/introducing-semgrep-and-r2c/) for more. It’s important to us (and the community) that Semgrep, Inc. is able to develop a sustainable business around Semgrep to support its development, but we strongly believe the tooling itself must always be free. - **Open-source software** Semgrep is [LGPL](https://tldrlegal.com/license/gnu-lesser-general-public-license-v2.1-(lgpl-2.1)) and powered not just by [Semgrep, Inc.](https://semgrep.dev/) but also by community of brilliant external contributors. We welcome feedback and contributions and strive to be a welcoming community for new developers. - **Fast** High sloc/sec scanning speed and low startup cost. We’ll never be as fast as ripgrep but we want to get as close as we can. - **Code never leaves your machine** Semgrep by default runs entirely locally (unless you set it up yourself in a server/client mode). Code never leaves your machine to be analyzed. - **Support every programming language** “If grep supports it, we will too!” This even includes those that aren’t thought of as programming languages, like Bash or Docker. - **Run anywhere** Semgrep is small (<100 MB), has minimal runtime dependencies, and should be easily installable via your programming language or operating system package manager. - **Keep easy things easy, and hard things possible.** Using Semgrep to scan your code, and writing rules with which to scan, should be easy. Semgrep also smooths the process with delightful defaults and support every step of the way. But it’s also adaptable, and we welcome you using Semgrep in your own custom way. Hey, there are even [examples of scanning cat pictures out there](https://youtu.be/ybWB2Vf2V50?t=1182). - **Beginner-friendly** You shouldn’t need a PhD in program analysis, or even to understand what an AST is, to be effective with Semgrep. A novice programmer should be able to write their first Semgrep rule in 60 seconds. - **Human-readable rules** Rules should look like code and be easy to read and reason about—hopefully easier than if they were written in grep or a native linter. - **Self-contained rule files** You shouldn’t need an additional plugin, dependency, or internet access to run a YAML rule. It should just work. - **Deterministic (implies reproducible, idempotent)** Given the same input, Semgrep gives the same output. - **Runs offline** Semgrep can run without internet access so developers can write code from airplanes or beaches. - **Rules are safe to run no matter where they came from** Rules shouldn’t have the capability to run arbitrary code on your system, only to act as a function that produces a deterministic output message. - **Single-file analysis** To stay fast and limit complexity, Semgrep CE draws a line at crossing file boundaries during analysis. It loses the ability to detect certain complex cross-function (interprocedural) issues, but that’s an explicit tradeoff it makes. Semgrep CE's goal is to catch what a senior engineer would catch in code review: Semgrep isn’t designed to find a crazy issue that’s 300 calls from start to finish and evaded the team for 20 years. Instead, it’s designed for enforcing best-practices and automating the code review tasks that an excellent senior engineer would be capable of. For a discussion of why expressive creativity is better than a powerful engine, [see this excellent blog post by Devdatta Akhawe](https://devd.me/log/posts/static-analysis/). As a corollary: if you design your codebase so that code in a file is safe today, it's still safe after a colleague makes a change twenty function calls away in another file. - **Designed to run while code is being written** Semgrep is optimized for running in the IDE, Git commit hooks, or CI—not for at the tail-end of a release process. - **A platform for program analysis** We will expose stable internals so that researchers and engineers can develop novel program analysis work off of APIs like Semgrep’s generic AST. Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Semgrep Community Edition](/docs/tags/semgrep-community-edition)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/contributing/philosophy.md)Last updated on **Oct 29, 2025** --- # Claim a license Source: https://semgrep.dev/docs/deployment/claim-a-license - [](/docs/)- [Scan](/docs/getting-started/quickstart)- Support & resources- Claim a license**On this page- [Support](/docs/tags/support)- [Semgrep AppSec Platform](/docs/tags/semgrep-app-sec-platform)Claim a license Once you've purchased a subscription, you should receive an email from Semgrep with your license information. Follow the instructions provided in the email to claim your license and begin onboarding your Semgrep products. ## For license key holders or manual license claims[​](#for-license-key-holders-or-manual-license-claims) cautionFor **single-tenant** users, reach out to the [Semgrep Support Team](https://semgrep.dev/docs/support) directly. Please do not attempt to claim a license manually. If you have been provided a license key by Semgrep or if you would like to claim a license manually: - Sign up or log in to your Semgrep account. - [Create an org](/docs/deployment/create-account-and-orgs#initial-sign-in-to-semgrep-appsec-platform) if you haven't already done so. - Navigate to `http://semgrep.dev/orgs/-/settings/upgrade/YOUR_LICENSE_KEY`, making sure that you **replace** the `YOUR_LICENSE_KEY` placeholder with your license key value. Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Support](/docs/tags/support)- [Semgrep AppSec Platform](/docs/tags/semgrep-app-sec-platform)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/deployment/claim-a-license.md)Last updated on **Nov 25, 2025** --- # Core deployment Source: https://semgrep.dev/docs/deployment/core-deployment - [](/docs/)- [Scan](/docs/getting-started/quickstart)- Set up and deploy scans- Core deployment**On this page- [Deployment](/docs/tags/deployment)- [Semgrep AppSec Platform](/docs/tags/semgrep-app-sec-platform)Core deploymentSemgrep can be set up to scan repositories of any size. Once added to Semgrep, a codebase, repository, or subfolder within a monorepo is referred to as a **project**. **Deployment** refers to the process of integrating Semgrep into your developer and infrastructure workflows. Completing the deployment process provides you with the Semgrep features that meet your security program's needs. Deployment includes: - Running Semgrep scanners as part of your CI. These scans can be any combination of SAST (Static Application Security Testing), SCA (Software Composition Analysis), or Secrets, depending on your plan. - Managing team members' access and authentication. - Ensuring that Semgrep has sufficient access to your self-hosted source code manager (SCM), such as GitLab Self-Managed. Semgrep does not require code access to complete the core deployment process. Your code is not sent anywhere. Are these guides for you? - These guides outline procedures for the deployment of Semgrep as part of a security program. To try out Semgrep, refer to the [** Quickstart](/docs/getting-started/quickstart) document. - Individual users can also use these guides to deploy Semgrep as part of their personal security. Many deployment features are set up through **Semgrep AppSec Platform**. Deployment does **not** include: - Customizing your SAST, SCA, or secrets scans - Custom rule writing - Triage For these features, refer to the **Scan and Triage** section in the navigation bar. ### All Semgrep deployment features[​](#all-semgrep-deployment-features) Semgrep supports many different technology stacks. Refer to the following table to evaluate which deployment features of Semgrep you can use based on your technologies. #### Core deployment[​](#core-deployment) These are the absolute minimum Semgrep features for any deployment. Deployment featureNotesSAST scanningCheck that Semgrep: - Can scan your language and that the language's maturity matches your security needs. See [** Supported languages](/docs/supported-languages). - Provides rulesets that you can use out-of-the-box. See [** Semgrep Registry](https://semgrep.dev/r/).SCA scanningCheck that Semgrep either supports your manifest file or lockfile and package manager.Secrets scanningCheck that your services, such as Slack or Twilio, can be validated by Semgrep. Semgrep Secrets is available through Semgrep Sales, so you must [** Book a demo.](https://get.semgrep.dev/Book-a-demo.html)SSOSemgrep supports: - OpenID Connect or OAuth 2 - SAML 2.0OrganizationsSemgrep can connect to orgs from **GitHub and GitLab**. Connecting an org enables Semgrep AppSec Platform to authenticate new users from the same org easily.If you use **Bitbucket or Azure Repos**, you can use SSO to manage the authentication of your users, then add repositories for scanning through your CI provider.Scanning remote repositories through CISemgrep fully supports many popular CI providers. See [** Add Semgrep to CI](/docs/deployment/add-semgrep-to-ci).Managed Scans: scanning remote repositories in bulk without CI changesAn alternative method of scanning many repositories with Semgrep that doesn't require integration with your CI. Requires read access to user-selected repositories. See [** Add repositories to Semgrep in bulk](/docs/deployment/managed-scanning/overview).PR or MR commentsSemgrep can post PR or MR comments in the following SCMs: - GitHub- GitLab- Bitbucket #### Additional deployment features[​](#additional-deployment-features) Useful features that you can add based on your tech stack. You can integrate these features further into your security workflows after some initial testing of your core deployment. Deployment featureNotesNotificationsSemgrep can send notifications through the following channels:- Slack - Email- WebhooksAI-assisted triage and remediationSemgrep can give AI-assisted recommendations on whether a finding is a true or false positive as well as suggest code fixes for true positive findings.IDE integrationEncourage developers to run Semgrep in their IDE. Officially supported extensions include: - Microsoft Visual Studio Code- IntelliJ Ultimate IDEA- EmacsAPICheck that Semgrep's API meets your needs. See [** API docs](). ## Core deployment process[​](#core-deployment-process) At the minimum, your deployment of Semgrep consists of the following steps: - **Creating a Semgrep account**. Each user of Semgrep has one account. - **Setting up organizations (orgs)**. Each Semgrep account can have many orgs. Orgs are logical groupings of related projects and users. - **Setting up membership**: For GitHub or GitLab users, you can connect your Semgrep org to the orgs in your source code manager (SCM). This means that any member of an org in your SCM can sign in to your Semgrep deployment. - You can also use SSO to manage user authentication. - **Adding Semgrep into your CI workflows**. This step ensures that your Semgrep deployment is up and running and that you receive **findings** of security issues in Semgrep AppSec Platform. - **Enabling Semgrep to post PR or MR comments**. ***Figure**. Core deployment steps.* To manage a large volume of users and projects, you may need to perform additional steps: - Role management - Tagging projects These steps are covered in the section [Deployment at scale](/docs/category/deployment-at-scale). Team size isn't necessarily indicative of deployment needs. Features for large teams can be deployed for smaller teams as well, and are available on the Semgrep Team Tier. ## Deploy Semgrep in phases[​](#deploy-semgrep-in-phases) It is recommended to finish the core deployment of Semgrep to a few repositories or departments in your organization first before attempting to deploy to the majority. This **initial phase** prepares you to deploy Semgrep to the rest of the organization. Organizational infrastructure can vary greatly and the initial deployment can help you identify and address issues so that they do not recur in a wider deployment. ## Next steps[​](#next-steps) Click **Next** to begin setting up your core deployment. Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Deployment](/docs/tags/deployment)- [Semgrep AppSec Platform](/docs/tags/semgrep-app-sec-platform)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/deployment/core-deployment.md)Last updated on **Dec 2, 2025** --- # Semgrep Community Edition in CI Source: https://semgrep.dev/docs/deployment/oss-deployment - [](/docs/)- [Scan](/docs/getting-started/quickstart)- Semgrep Community Edition- Semgrep CE in CI**On this page- [Deployment](/docs/tags/deployment)- [Semgrep Community Edition](/docs/tags/semgrep-community-edition)Semgrep Community Edition in CI Semgrep Community Edition (CE) can be set up run static application security testing (SAST) scans on repositories of any size. This guide explains how to set up Semgrep CE in your CI pipeline using entirely open source components, also known as a **stand-alone** CI setup. The preferred Semgrep CE command is `semgrep scan`. ## Prerequisites[​](#prerequisites) - Sufficient permissions in your repository to: Commit a CI configuration file. - Start or stop a CI job. - Optional: Create environment variables. ## Ensure your scans use open source components[​](#ensure-your-scans-use-open-source-components) This setup uses only the **LGPL 2.1** Semgrep CLI tool. It is not subject to the usage limits of Semgrep AppSec Platform. In order to remain strictly open source, you must ensure that the rules you run use open source licenses or are your own custom Semgrep rules. To verify a rule's license, read the `license` key under the `metadata` of a Semgrep rule. Click to expand for an example of a rule with a `license` key.This rule's last line displays a `license: MIT` key-value pair. `rules: - id: eslint.detect-object-injection patterns: - pattern: $O[$ARG] - pattern-not: $O["..."] - pattern-not: "$O[($ARG : float)]" - pattern-not-inside: | $ARG = [$V]; ... <... $O[$ARG] ...>; - pattern-not-inside: | $ARG = $V; ... <... $O[$ARG] ...>; - metavariable-regex: metavariable: $ARG regex: (?![0-9]+) message: Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype, leading to possible code execution. languages: - javascript - typescript severity: MEDIUM metadata: cwe: "CWE-94: Improper Control of Generation of Code ('Code Injection')" primary_identifier: eslint.detect-object-injection secondary_identifiers: - name: ESLint rule ID security/detect-object-injection type: eslint_rule_id value: security/detect-object-injection license: MIT` For a comparison of the behavior between Semgrep CE CI scans and Semgrep AppSec Platform scans, see [** Semgrep AppSec Platform versus Semgrep Community Edition](/docs/semgrep-pro-vs-oss). ## Set up the CI job[​](#set-up-the-ci-job) ### Use template configuration files[​](#use-template-configuration-files) Click the link of your CI provider to view a configuration file you can commit to your repository to create a Semgrep job: - [GitHub Actions](/docs/semgrep-ci/sample-ci-configs#github-actions) - [GitLab CI/CD](/docs/semgrep-ci/sample-ci-configs#gitlab-cicd) - [Jenkins](/docs/semgrep-ci/sample-ci-configs#jenkins) - [Bitbucket Pipelines](/docs/semgrep-ci/sample-ci-configs#bitbucket-pipelines) - [Buildkite](/docs/semgrep-ci/sample-ci-configs#buildkite) - [CircleCI](/docs/semgrep-ci/sample-ci-configs#circleci) - [Azure Pipelines](/docs/semgrep-ci/sample-ci-configs#azure-pipelines) ### Use other methods[​](#use-other-methods) Use either of the following methods to run Semgrep on other CI providers. #### Direct docker usage[​](#direct-docker-usage) Reference or add the [semgrep/semgrep](https://hub.docker.com/r/semgrep/semgrep) Docker image directly. The method to add the Docker image varies based on the CI provider. This method is used in the [Bitbucket Pipelines code snippet](/docs/semgrep-ci/sample-ci-configs#sample-bitbucket-pipelines-configuration-snippet). #### Install `semgrep` within your CI job[​](#install-semgrep-within-your-ci-job) If you cannot use the Semgrep Docker image, install Semgrep as a step or command within your CI job: - Add `pip3 install semgrep` into the configuration file as a step or command, depending on your CI provider's syntax. - Run any valid `semgrep scan` command, such as `semgrep scan --config auto`. For an example, see the [Azure Pipelines code snippet](/docs/semgrep-ci/sample-ci-configs#sample-azure-pipelines-configuration-snippet). ## Configure your CI job[​](#configure-your-ci-job) The following sections describe methods to customize your CI job. ### Schedule your scans[​](#schedule-your-scans) The following table is a summary of methods and resources to set up schedules for different CI providers. CI providerWhere to set scheduleGitHub ActionsSee [Sample CI configs](/docs/semgrep-ci/sample-ci-configs#sample-github-actions-configuration-file) for information on how to modify your `semgrep.yml` fileGitLab CI/CDRefer to [GitLab documentation](https://docs.gitlab.com/ee/ci/pipelines/schedules.html)JenkinsRefer to [Jenkins documentation](https://www.jenkins.io/doc/book/pipeline/running-pipelines/#scheduling-jobs-in-jenkins)Bitbucket PipelinesRefer to [Bitbucket documentation](https://support.atlassian.com/bitbucket-cloud/docs/pipeline-triggers/)CircleCIRefer to [CircleCI documentation](https://circleci.com/docs/scheduled-pipelines#get-started-with-scheduled-pipelines-in-circleci)BuildkiteRefer to [Buildkite documentation](https://buildkite.com/docs/pipelines/scheduled-builds)Azure PipelinesRefer to [Azure documentation](https://docs.microsoft.com/en-us/azure/devops/pipelines/process/scheduled-triggers?view=azure-devops&tabs=yaml)SemaphoreRefer to [Semaphore documentation](https://docs.semaphore.io/using-semaphore/tasks) ### Customize rules and rulesets[​](#customize-rules-and-rulesets) #### Add rules to scan with `semgrep scan`[​](#add-rules-to-scan-with-semgrep-scan) You can customize what rules to run in your CI job. The rules and rulesets can come from the [Semgrep Registry](https://semgrep.dev/explore/), or your own rules. The sources for rules to scan with are: - The value of the `SEMGREP_RULES` environment variable. - The value passed after `--config`. You can use multiple `--config` arguments, one per value. For example: `semgrep scan --config p/default --config p/comment`. The `SEMGREP_RULES` environment variable accepts a list of local and remote rules and rulesets to run. The `SEMGREP_RULES` list is delimited by a space (` `) if the variable is exported from a shell command or script block. For example, see the following BitBucket Pipeline snippet: `# ... script: - export SEMGREP_RULES="p/nginx p/ci no-exec.yml" - semgrep ci# ...` The line defining `SEMGREP_RULES` defines three different sources, delimited by a space: `- export SEMGREP_RULES="p/nginx p/ci no-exec.yml"` The example references two rulesets from Semgrep Registry (`p/nginx` and `p/ci`) and a rule available in the repository (`no-exec.yml`). If the `SEMGREP_RULES` environment variable is defined from a YAML block, the list of rules and rulesets to run is delimited by a newline. See the following example of a GitLab CI/CD snippet: `# ...variables: SEMGREP_RULES: >- p/nginx p/ci no-exec.yml# ...` #### Write your own rules[​](#write-your-own-rules) Write custom rules to enforce your team's coding standards and security practices. Rules can be forked from existing community-written rules. See [Writing rules](/docs/writing-rules/overview) to learn how to write custom rules. ### Ignore files[​](#ignore-files) See [** Ignore files, folders, and code](/docs/ignoring-files-folders-code). By default `semgrep ci` skips files and directories such as `tests/`, `node_modules/`, and `vendor/`. It uses the default `.semgrepignore` file which you can find in the [Semgrep GitHub repository](https://github.com/semgrep/semgrep/blob/develop/cli/src/semgrep/templates/.semgrepignore). This default is used when no explicit `.semgrepignore` file is found in the root of your repository. Optional: Copy and commit the default `.semgrepignore` file to the **root of your repository** and extend it with your own entries or write your `.semgrepignore` file from scratch. If Semgrep detects a `.semgrepignore` file within your repository, it does not append entries from the default `.semgrepignore` file. For a complete example, see the [.semgrepignore file in Semgrep’s source code](https://github.com/semgrep/semgrep/blob/develop/.semgrepignore). caution`.semgrepignore` is only used by Semgrep. Integrations such as [GitLab's Semgrep SAST Analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep) do not use it. ### Save or export findings to a file[​](#save-or-export-findings-to-a-file) To save or export findings, pass file format options and send the formatted findings to a file. For example, to save to a JSON file: `semgrep scan --json > findings.json` The JSON schema for Semgrep's CLI output can be found in [semgrep/semgrep-interfaces](https://github.com/semgrep/semgrep-interfaces/blob/main/semgrep_output_v1.jsonschema). You can also use the SARIF format: `semgrep scan --sarif > findings.sarif` Refer to the [CLI reference](/docs/cli-reference) for output formats. ## Migrate to Semgrep AppSec Platform from a stand-alone CI setup[​](#migrate-to-semgrep-appsec-platform-from-a-stand-alone-ci-setup) Migrate to Semgrep AppSec Platform to: - **View and manage findings in a centralized location**. False positives can be ignored through triage actions. These actions can be undertaken in bulk. - **Configure rules and actions to undertake when a finding is generated by the rule**. You can undertake the following actions: Audit the rule. This means that findings are kept within Semgrep's **Findings** page and are not surfaced to your team's SCM. - Show the finding to your team through the use of PR and MR comments. - Block the pull request or merge request. To migrate to Semgrep AppSec Platform: - Create an account in [Semgrep AppSec Platform](https://semgrep.dev/login). - Click **[Projects](https://semgrep.dev/orgs/-/projects)** > **Scan New Project** > Run scan in CI. - Follow the steps in the setup page to complete your migration. - Optional: Remove the old CI job that does not use Semgrep AppSec Platform. ## Semgrep CE jobs versus Semgrep jobs[​](#semgrep-ce-jobs-versus-semgrep-jobs) FeatureSemgrep CI (`semgrep ci`)Semgrep CE CI (`semgrep scan`)Customized SAST scans✔️✔️[SCA (software composition analysis) scans](/docs/semgrep-supply-chain/overview)✔️--[Secrets scans](/docs/semgrep-secrets/conceptual-overview)✔️--[PR (pull request) or MR (merge request) comments](/docs/category/pr-or-mr-comments)✔️--[Finding status tracked over lifetime](/docs/semgrep-code/findings)✔️--Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Deployment](/docs/tags/deployment)- [Semgrep Community Edition](/docs/tags/semgrep-community-edition)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/deployment/oss-deployment.md)Last updated on **Oct 21, 2025** --- # Extensions Source: https://semgrep.dev/docs/extensions/overview - [](/docs/)- [Scan](/docs/getting-started/quickstart)- Set up and deploy scans- Extensions**On this pageExtensions Several third-party tools include Semgrep extensions. ## Official IDE extensions[​](#official-ide-extensions) NameMarketplace linkDocumentationMicrosoft Visual Studio Code[** `semgrep-vscode`](https://marketplace.visualstudio.com/items?itemName=semgrep.semgrep)[Semgrep VS Code extension](/docs/extensions/semgrep-vs-code)IntelliJ Ultimate Ideaand many other IntelliJ products[** `semgrep-intellij`](https://plugins.jetbrains.com/plugin/22622-semgrep)[Semgrep IntelliJ extension](/docs/extensions/semgrep-intellij)Emacs[** `lsp-mode`](https://github.com/emacs-lsp/lsp-mode)See repository README ## Use of Language Server Protocol (LSP)[​](#use-of-language-server-protocol-lsp) All of the official IDE extensions use the [Language Server Protocol](https://microsoft.github.io/language-server-protocol/) to communicate with Semgrep. This allows the team to focus on one codebase that can be shared across most modern editor platforms. ## `pre-commit`[​](#pre-commit) Prevent secrets or security issues from entering your Git source control history by running Semgrep as a [** pre-commit](https://pre-commit.com/) hook. See [`pre-commit` documentation](/docs/extensions/pre-commit) for details. ## Semgrep as an engine[​](#semgrep-as-an-engine) Many other tools have capabilities powered by Semgrep. Add yours [with a pull request](https://github.com/semgrep/semgrep-docs)! - [DefectDojo](https://github.com/DefectDojo/django-DefectDojo/pull/2781) - [Dracon](https://github.com/thought-machine/dracon) - [GitLab SAST](https://docs.gitlab.com/ee/user/application_security/sast/#multi-project-support) - [GuardDog](https://github.com/datadog/guarddog) - [litbsast](https://github.com/ajinabraham/libsast) - [mobsfscan](https://github.com/MobSF/mobsfscan) - [nodejsscan](https://github.com/ajinabraham/nodejsscan) - [SecObserve](https://github.com/SecObserve/SecObserve) Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. [Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/extensions/overview.md)Last updated on Nov 10, 2025** --- # Run local CLI scans Source: https://semgrep.dev/docs/for-developers/cli - [](/docs/)- [For developers](/docs/for-developers/overview)- Run scans- Run local CLI scans**On this page- [Semgrep AppSec Platform](/docs/tags/semgrep-app-sec-platform)Run local CLI scans You can run local Semgrep CLI scans with the Semgrep command-line tool. ## Prerequisites[​](#prerequisites) - An existing Semgrep org account. - Semgrep CLI tool installed in your local machine. ## Best practices[​](#best-practices) It's best to run the following command for local scans: `semgrep ci --dry-run` - The command `semgrep ci` tells Semgrep to use your organization's chosen analyses and rules for the scan. - The `--dry-run` flag ensures that your scans are not uploaded to the Semgrep web app. This is recommended because your code could be a work in progress, subject to change, whereas code uploaded as a PR or MR usually indicates the code is ready for review. When Semgrep performs a CLI or IDE scan, it presents findings from **all rules** that your AppSec team uses. For this reason, you may encounter **more false positive or low severity findings** that you can ignore. ## Common Semgrep commands[​](#common-semgrep-commands) ### `semgrep scan`[​](#semgrep-scan) The following command runs a local scan with Semgrep's open source Community Edition (CE) using pre-selected rules for a variety of languages: `semgrep scan` - `semgrep scan` does not take into account your organization's settings. - You do **not** need to be logged in to run a scan. - It only runs lightweight SAST analyses. - It does not run other Semgrep products, such as Secrets or Supply Chain. caution - `semgrep scan` does not run the same analyses as `semgrep ci` so you may have a higher rate of false positives. - You can run `semgrep scan --pro` to run advanced SAST analyses with no other Semgrep products. #### Test a custom rule[​](#test-a-custom-rule) You can test a custom rule by creating a test file. See [Testing rules](/docs/writing-rules/testing-rules). After you've tested your custom rule, you can try it on your codebase locally: - Ensure that you're signed in to Semgrep from the CLI by entering `semgrep login`. If you have successfully signed in, you should see **API token already exists** or a similar message. - Enter the following command: `semgrep scan --pro --config [CUSTOM_RULE].yaml` Replace `CUSTOM_RULE.yaml` with the name of your custom rule. ### `semgrep ci`[​](#semgrep-ci) The `semgrep ci` command, without any flags, sends the results of your scan to Semgrep AppSec Platform with the slug `local-scan/PROJECT_NAME`. When using this command in a team setting, ensure that you are aware of its risks and that your team members are aware that you're uploading the results of local scans. Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Semgrep AppSec Platform](/docs/tags/semgrep-app-sec-platform)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/for-developers/developer-local-scans.md)Last updated on **Jan 16, 2025** --- # How Semgrep works Source: https://semgrep.dev/docs/for-developers/detection - [](/docs/)- [For developers](/docs/for-developers/overview)- References- How Semgrep works**On this page- [Developer education](/docs/tags/developer-education)How Semgrep works Semgrep enables you to: - Search for code semantically - Codify those search parameters as a **rule** - Run the rule on every keystroke, commit, pull request, and merge ## `grep`, linters, and Semgrep[​](#grep-linters-and-semgrep) * ***Figure**. A summary of differences between grep, linters, and Semgrep.* In addition to being a security tool, once customized, Semgrep can be used as a linter to help you and your team codify and follow best practices and to detect code smells. You only need to learn a single rule-writing schema to write rules for many programming languages, rather than having to learn a new schema for each linter. ## Transparency and determinism[​](#transparency-and-determinism) Semgrep is **transparent** because you can inspect the rules and analyses that are run on your code. Rules establish what should match (for example, you may want to look for and ban usages of `==` in JavaScript) and what shouldn't match. They have the following characteristics: - Rules are written in YAML. By having a single schema for all supported programming languages, you can write rules for any programming language that Semgrep supports. In contrast, linters vary in customizability. Linters that let you write your own rules require you to learn that linter's rule schema, which can only be applied to that linter's programming language. - A rule has a **confidence level** to indicate the likelihood it is a true positive. - A rule includes a **message** to help you remediate or fix. Semgrep is **deterministic**; given the same set of inputs, such as your code and rules, and the same analyses, Semgrep always finds the same findings. ## Speed, scope and analysis[​](#speed-scope-and-analysis) Semgrep can perform several types of analyses on a given scope, which affects its scan speed. The following table breaks down expected runtimes in each developer interface. InterfaceScope of scanAnalysisTypical speedIDE (per keystroke and on save)Current fileSingle-function, single-fileIn a few secondsCLI on commit (through [`pre-commit`](https://pre-commit.com/))Files staged for commit (cross-function, single-file analysis)Cross-function, single-fileUnder 5 minutesPR or MR commentsAll committed files and changes in the PR or MRCross-function, single-file analysisUnder 5 minutes ### Rule examples[​](#rule-examples) Click the following boxes to learn about Semgrep's pattern matching mechanisms and analyses. Simple syntax-based example: ban the use of `==` in JavaScript#### Simple syntax-based example[​](#simple-syntax-based-example)You may want to ban the use of `==` in JavaScript and instead require `===` to avoid **type coercion** when evaluating expressions. This is a common standard enforced in popular JavaScript linters. This is a simple find and replace in many text editors, because the ban is enforced for **all** usages of `==`. In Semgrep, you can create a rule codifying this find and replace operation to share or enforce this standard. ***Figure**. Prevent type coercion in `==`. Click *** Run** to view the findings.* This simple rule is accurate because it only requires the syntax defined in `pattern` to match, not the semantics. The **metavariables** $A and $B always evaluate to some value on the left and right hand side of the `==` operator, and that is all that matters, not the meaning or of $A and $B themselves. Metavariables[Metavariables](/docs/writing-rules/pattern-syntax#metavariables) are an abstraction to match code when you don’t know the value or contents ahead of time, similar to capture groups in regular expressions. Complex syntax-based example: ban `console.log` in external or user-facing functions#### Complex syntax-based example[​](#complex-syntax-based-example)It is a common convention either to ban all uses of some language feature in user-facing code, such as `console.log()`, or to permit `console.log()` internally but not externally. Semgrep enables you to create a custom best practices set of rules around cases like this. ****Figure**. Ban `console.log` in external-facing functions. Click *** Run** to view the findings.* Notice that only **line 4** matches. This is because only line 4 has a `console.log()` function within `someExternalFunction()`. This example defines both what matches within the external-facing function, and the external-facing function itself. This is achieved through the use of `pattern` and `pattern-inside`. The `...` **ellipsis** operator tells Semgrep to accept any number of arguments or values in `someExternalFunction()` and `console.log()`, thus capturing all possible variations of the functions. Semantic taint analysis: detecting unsanitized data from source to sink#### Semantic taint analysis example[​](#semantic-taint-analysis-example)A more complex example is detecting if **unsanitized data** is flowing from some **source**, such as saved form data, to a **sink**, without sanitization. The following example is a simplified Semgrep rule that detects possible cross-site scripting vulnerabilities: ****Figure**. Prevent possible cases of cross-site scripting due to unsanitized data. Click *** Run** to view the findings.* In this example, **lines 11 and 18** are the only two true positives. - **Line 7** is not a match because `hash` has been sanitized through `sanitize(hash)`. - **Line 9** stores the hash as a number, and the rule has defined this as a sanitizer as well. Semgrep defines the `pattern-sources`, `pattern-sinks`, and `pattern-sanitizers` to make sure that the rule is accurate and contains no false positives or false negatives by including every possible way this type of XSS can occur and **excluding** those cases where the data has been sanitized. Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Developer education](/docs/tags/developer-education)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/for-developers/detection.md)Last updated on **Sep 5, 2025** --- # Run IDE scans Source: https://semgrep.dev/docs/for-developers/ide - [](/docs/)- [For developers](/docs/for-developers/overview)- Run scans- Run IDE scans**On this page- [Developer education](/docs/tags/developer-education)- [Extensions](/docs/tags/extensions)Run IDE scans Semgrep supports the following IDE extensions: NameMarketplace linkDocumentationMicrosoft Visual Studio Code[** `semgrep-vscode`](https://marketplace.visualstudio.com/items?itemName=semgrep.semgrep)[Semgrep VS Code extension](/docs/extensions/semgrep-vs-code)IntelliJ Ultimate Ideaand many other IntelliJ products[** `semgrep-intellij`](https://plugins.jetbrains.com/plugin/22622-semgrep)[Semgrep IntelliJ extension](/docs/extensions/semgrep-intellij)Emacs[** `lsp-mode`](https://github.com/emacs-lsp/lsp-mode)See repository README ## Quickstart[​](#quickstart) Select your IDE in the following tabs and follow the instructions to set up your first Semgrep IDE scan. - Visual Studio Code (VS Code)- IntelliJFor Microsoft VS Code users: - [Install the Semgrep extension](https://code.visualstudio.com/docs/editor/extension-marketplace#_install-an-extension). If you're unfamiliar with installing VS Code extensions, see the Extension Marketplace's article [Install an Extension](https://code.visualstudio.com/docs/editor/extension-marketplace#_install-an-extension). - Use Ctrl+⇧Shift+P or ⌘Command+⇧Shift+P (macOS) to launch the Command Palette, and run the following to sign in to Semgrep AppSec Platform: `Semgrep: Sign in` You can use the extension without signing in, but doing so enables better results since you benefit from [Semgrep Code](/docs/semgrep-code/overview) and its [Pro rules](/docs/semgrep-code/pro-rules). - Launch the Command Palette using Ctrl+⇧Shift+P or ⌘Command+⇧Shift+P (macOS), and scan your files by running: ``` Semgrep: Scan all files in workspace ``` - To see detailed vulnerability information, hover over the code underlined in yellow. You can also see the findings identified by Semgrep using ⇧Shift+Ctrl+M or ⌘Command+⇧Shift+M (macOS) and opening the **Problems** tab. For JetBrains IntelliJ users: - Install the Semgrep extension: Visit [** Semgrep's page on the JetBrains Marketplace](https://plugins.jetbrains.com/plugin/22622-semgrep). - In IntelliJ: **Settings/Preferences > Plugins > Marketplace > Search for `semgrep-intellij` > Install**. You may need to restart IntelliJ for the Semgrep extension to be installed. - Sign in: Press Ctrl+⇧Shift+A (Windows) or ⌘Command+⇧Shift+A (macOS) and sign in to Semgrep AppSec Platform by selecting the following command: `Sign in with Semgrep` - Test the extension by pressing Ctrl+⇧Shift+A (Windows) or ⌘Command+⇧Shift+A (macOS) and run the following command: `Scan workspace with Semgrep` - See Semgrep findings: Hold the pointer over the code that has the red underline. Feature maturitySemgrep's IntelliJ extensions are currently in beta. Currently, the IntelliJ extension only supports Semgrep Community Edition (CE) - it doesn't support Semgrep Supply Chain, Secrets, Pro rules, or Pro Engine. Please join the [Semgrep community Slack workspace](https://go.semgrep.dev/slack) and let the Semgrep team know if you encounter any issues. ## Scan scope and limitations[​](#scan-scope-and-limitations) Semgrep's VS Code extension supports the use of Pro rules and cross-file analysis. Other IDE scans use Semgrep Community Edition (CE) for its speed, and these scans are limited to single-file analysis. As a result, you may encounter a higher rate of false positives. Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Developer education](/docs/tags/developer-education)- [Extensions](/docs/tags/extensions)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/for-developers/ide.md)Last updated on **Jan 16, 2025** --- # Semgrep for developers Source: https://semgrep.dev/docs/for-developers/overview - [](/docs/)- [For developers](/docs/for-developers/overview)- Overview**On this page- [Guides for developers](/docs/tags/guides-for-developers)Semgrep for developers This guide is for developers who are using Semgrep in a team or organizational setting. Use Semgrep to: - Triage security issues - Follow best practices set by your organization - Automate code reviews among your peers - Lint your code This document provides an overview of how developers work with Semgrep to resolve the issues it detects. Developer and AppSec rolesIf you are a developer responsible for your **own** security program in personal projects, see the [Quickstart](/docs/getting-started/quickstart) and [Core deployment](/docs/deployment/core-deployment) documentation. ## Semgrep AppSec Platform[​](#semgrep-appsec-platform) Semgrep AppSec Platform, or simply **Semgrep**, is a software suite for implementing and tracking security programs. **AppSec engineers** use Semgrep to detect, triage, and remediate findings across an entire organization's codebases. **Developers** primarily interact with Semgrep when Semgrep scans a project, then notifies users of issues in their code. Issues detected by Semgrep are called **findings**. The pattern-matching logic by which Semgrep detects a finding is encapsulated in a **rule**. Semgrep performs various static analyses to detect bugs, vulnerabilities in dependencies, and leaked secrets. ## How developers use Semgrep[​](#how-developers-use-semgrep) Your interactions with Semgrep vary depending on your organization's deployment of it. Semgrep is almost always integrated into your CI and source code manager (SCM) and automatically runs on every pull request or merge request you open. These scans are **diff-aware** and only affect the scope of your PR, which keeps the scan speed fast. Your security engineer may configure Semgrep to display PR or MR comments about certain **blocking** or **non-blocking** findings to you, which you can resolve or ignore from within your SCM. ***Figure**. A PR comment detecting a hardcoded secret.* It is less frequent, but still common, for developers to run Semgrep as part of their day-to-day coding workflow in the following environments: - IDEs (VS Code and IntelliJ) - CLI, including `pre-commit` Your AppSec team is likely to have guidelines about Semgrep scans in these environments. Noise in your pull requests or merge requests?Your security engineers are in full control of what findings are displayed to you. If you notice a high rate of false positives, tell your security engineers so that they can tune your scans. ## Semgrep findings in your PR or MR[​](#semgrep-findings-in-your-pr-or-mr) Semgrep findings are typically posted in your PR or MR. The following image displays the parts of a Semgrep PR comment in GitHub; this example appears in a similar form in GitLab and other SCMs: ***Figure**. An example of a PR comment with various sections annotated.* A - Block indicatorThis appears if a finding fails the CI job. Organizations typically block PRs or MRs with failed jobs.B - Finding descriptionA human-written description always appears in a PR or MR comment, describing why your code is flagged. **References** may also be included to help you learn more about the finding.C - Dataflow graphSome Code findings have a dataflow graph, which indicates that the finding was detected through [taint analysis](/docs/writing-rules/glossary#taint-analysis). The dataflow graph provides the lines of code identifying sources, sinks, and traces of unsanitized data flowing through your program. You can click the links on the boxes to take you to the lines of code.D - Resolution or remediation sectionVarious options are provided to help your resolve the finding. Depending on the [type of finding](#type-of-findings-by-resolution), resolution options may vary.E - Ignore instructionsClick to view instructions about how to ignore the finding by replying to the comment. ### Type of findings by resolution[​](#type-of-findings-by-resolution) Code findingThis type of finding is typically resolved by refactoring your code. This finding typically catches bugs, security issues, or violations of best practices.Dependency findingSemgrep found that you're using a vulnerable version of a dependency. It can also detect if you're using the vulnerable function or code of the dependency.License findingSemgrep has found that you're using a dependency with a **license** that may violate the guidelines set by your organization.Secrets findingSemgrep has detected a leaked secret. Rotate the secret to resolve this finding. ***Figure**. Summary of findings by resolution, assuming that the finding is a true positive.* Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Guides for developers](/docs/tags/guides-for-developers)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/for-developers/developer-overview.md)Last updated on **Jan 16, 2025** --- # Resolve findings through the Semgrep web app Source: https://semgrep.dev/docs/for-developers/resolve-findings-through-app - [](/docs/)- [For developers](/docs/for-developers/overview)- Resolve findings- Resolve findings through the Semgrep web app**On this page- [Developer education](/docs/tags/developer-education)- [Semgrep AppSec Platform](/docs/tags/semgrep-app-sec-platform)Resolve findings through the Semgrep web app This guide explains how you can view and triage findings in bulk through the Semgrep AppSec Platform web app. caution - Not all organizations allow developers to use the AppSec Platform; ask your security team if you have access. - When triaging through Semgrep AppSec Platform, developers typically triage findings specific to their **branch**. Avoid triaging findings in branches that are not yours to triage. ## Prerequisites[​](#prerequisites) You must have an existing Semgrep org account. See [Sign in to Semgrep](/docs/for-developers/signin). ## Ignore findings in bulk[​](#ignore-findings-in-bulk) - Sign in to [** Semgrep AppSec Platform](https://semgrep.dev/login). - Click **Code** for SAST findings, **Secrets** for secrets findings, or **Supply Chain** for SCA findings. You are taken to a page with all the findings for that product. - Click on **Projects and branches**, then click the **** drop-down arrow** to view open branches, which is listed by its unique ID. For example, GitHub branches are represented by their PR number. - Click your branch. This filters the displayed findings to those specific to your PR or MR. - Click the findings you want to triage, then click **Triage**. - In the drop-down box, select a new **Status**, typically **Ignored**. - Optional: include a comment as to why you ignored a finding. ## Appendix: triage statuses[​](#appendix-triage-statuses) Click to view all triage statuses.StatusDescription**Open**Findings are open by default. A finding is open if it was present the last time Semgrep scanned the code and has not been ignored. An open finding represents a match between the code and a rule enabled in the repository. Open findings require action, such as rewriting the code to eliminate the detected vulnerability.**Reviewing**Indicates that the finding requires investigation to determine what the next steps in the triage process should be.**Provisionally ignored**Findings that Semgrep Assistant has flagged as false positives. You can change the status to **Ignored** if you agree with Assistant's assement. Otherwise, you can change the status to **To fix** if you disagree.**To fix**Findings that you have decided to fix. Commonly used to indicate that these findings are tracked in Jira or assigned to developers for further work.**Fixed**Fixed findings were detected in a previous scan but are no longer detected in the most recent scan of that same branch due to changes in the code.**Ignored**Findings marked as ignored are present in the code but have been labeled unimportant. Ignore false positives or deprioritized issues. Mark findings as [ignored through Semgrep AppSec Platform](/docs/semgrep-code/triage-remediation) or by adding a [nosemgrep code comment](/docs/ignoring-files-folders-code#reference-summary). You can also provide a reason for ignoring a finding: **False positive**, **Acceptable risk**, **No time to fix**.**Closed**Vulnerabilities that are no longer detected after a scan. This can be due to changes in the underlying rule or the code. ### Removed findings[​](#removed-findings) Findings can also be **removed**. Semgrep considers a finding removed if it is not found in the most recent scan of the branch where Semgrep initially detected it due to any of the following conditions: - The rule that detected the finding isn't enabled in the policy anymore. - The rule that detected the finding was updated in a way that it no longer detects the finding. - The file path where the finding appeared is no longer found. The file path was deleted, renamed, added to a `.semgrepignore` file, added to a `.gitignore` file, or added to the list of ignored paths in Semgrep AppSec Platform. - For GitHub organization accounts: the pull request or merge request where the finding was detected has been closed without merging. Your removed findings do not count toward the fix rate or the number of findings. The removed findings also do not appear in Semgrep AppSec Platform. ### Triage behavior across refs and branches[​](#triage-behavior-across-refs-and-branches) - When you triage a finding as ignored, reviewing, fixing, or reopened, Semgrep always triages across other branches and [Git references](https://git-scm.com/book/en/v2/Git-Internals-Git-References) (refs). - At scan time, there's automatic triaging that occurs in specific cases, and the behavior changes depending on the type of scan: **Full scans**: if the current branch includes a finding that was Previously introduced in another branch ***and*** - Triaged to a specific state **Then** the finding in the current branch is triaged to that same state. - **Diff-aware scan**: findings introduced in a diff-aware scan are **not** automatically triaged at scan time, even if there are other instances of that finding on branches that have been triaged. Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Developer education](/docs/tags/developer-education)- [Semgrep AppSec Platform](/docs/tags/semgrep-app-sec-platform)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/for-developers/resolve-findings-through-app.md)Last updated on **Jan 16, 2025** --- # Resolve findings in your pull request or merge request Source: https://semgrep.dev/docs/for-developers/resolve-findings-through-comments - [](/docs/)- [For developers](/docs/for-developers/overview)- Resolve findings- Resolve findings in your pull request or merge request**On this page- [Developer education](/docs/tags/developer-education)Resolve findings in your pull request or merge request Findings resolution involves the assessment of a finding, then either fixing or ignoring it. You can fix or triage findings from your source code manager (SCM); fixing or triaging (ignoring) does **not** require a Semgrep AppSec Platform account. Findings are primarily presented to developers through **pull request (PR) or merge request (MR) comments**. These findings are generated from rules that your AppSec team has vetted or approved. Findings from these rules are meant to be **fixed** or **remediated** rather than ignored unless the finding is a false positive. In **typical coding workflows**, it is recommended to fix or ignore findings as part of your **code review** process; the results of triage or remediation in your SCM are synchronized with Semgrep AppSec Platform. However, if you have accumulated many findings to ignore, it may be faster to perform bulk triage actions in Semgrep AppSec Platform. See [Resolve findings through the Semgrep web app](/docs/for-developers/resolve-findings-through-app). ## Prerequisites and optional features[​](#prerequisites-and-optional-features) - The procedures described in this guide rely on PR or MR comments. Ensure that your security team has enabled this feature. - To receive AI-assisted remediation, your security team must enable the **Semgrep Assistant** feature. Your SCM is the most common environment in which to fix findings. Semgrep provides several features to help you fix findings quickly. ## Parts of a PR or MR comment[​](#parts-of-a-pr-or-mr-comment) Semgrep findings are typically posted in your PR or MR. The following image displays the parts of a Semgrep PR comment in GitHub; this example appears in a similar form in GitLab and other SCMs: * ***Figure**. An example of a PR comment with various sections annotated.* A - Block indicatorThis appears if a finding fails the CI job. Organizations typically block PRs or MRs with failed jobs.B - Finding descriptionA human-written description always appears in a PR or MR comment, describing why your code is flagged. **References** may also be included to help you learn more about the finding.C - Dataflow graphSome Code findings have a dataflow graph, which indicates that the finding was detected through [taint analysis](/docs/writing-rules/glossary#taint-analysis). The dataflow graph provides the lines of code identifying sources, sinks, and traces of unsanitized data flowing through your program. You can click the links on the boxes to take you to the lines of code.D - Resolution or remediation sectionVarious options are provided to help your resolve the finding. Depending on the [type of finding](#type-of-findings-by-resolution), resolution options may vary.E - Ignore instructionsClick to view instructions about how to ignore the finding by replying to the comment. ## Resolve findings[​](#resolve-findings) Different types of findings require different remediations. The following sections describe how Semgrep can help you resolve a finding. ### Autofix[​](#autofix) Some Semgrep Code findings provide an **autofix**, which can be human-written or generated by Semgrep Assistant. The fix can be committed directly, such as by clicking **Commit suggestion** in GitHub repositories. This is the fastest way to fix a finding. All Semgrep-supported SCMs provide this feature. ***Figure**. GitHub enables you to commit the suggestion from Semgrep directly, fixing the finding.* infoIf a line of code contains several findings, Semgrep does not provide the autofix or **Commit suggestion** feature to prevent fixes from conflicting. ### Semgrep Assistant remediations[​](#semgrep-assistant-remediations) Semgrep Assistant provides the following AI-powered security recommendations: - Step-by-step instructions. - AI-written code fixes if a human-written autofix is not available and a code fix can resolve the finding. - "Safe to ignore" suggestions. ***Figure**. PR comment with an AI-written fix and step-by-step instructions.* ***Figure**. Semgrep Assistant suggesting that a finding is safe to ignore.* ## Ignore findings[​](#ignore-findings) If the finding is a false positive, acceptable risk, or similar, you can choose to ignore the finding. You can ignore findings directly from your SCM by **replying** to the finding comment. - Find an open comment created by Semgrep AppSec Platform in your pull request or merge request: - In a subsequent comment, reply with the action you want to take. You must provide a **reason** to help the reader understand why the finding has been triaged as **ignored**: CommentDescription`/fp <REASON>`Triage a finding as **Ignored** with the triage reason **false positive**.`/ar <REASON>`Triage a finding as **Ignored** with the triage reason **acceptable risk**.`/other <REASON>`Triage a finding as **Ignored** without specifying the reason; the triage reason value is set to **No triage reason**.`/open <REASON>`Reopen a finding that has been triaged as **Ignored**. The comment is optional. ***Figure**. A completed triage flow.* ### Re-run a job or workflow[​](#re-run-a-job-or-workflow) After resolving or triaging the findings in your PR or MR, you must re-run the Semgrep job or workflow. See the following list for a link to your CI provider's documentation: - [* Re-run a job in GitHub Actions](https://docs.github.com/en/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/re-running-workflows-and-jobs) - [** View pipelines in GitLab CI/CD](https://docs.gitlab.com/ee/ci/pipelines/#view-pipelines) - [** View your pipeline in Bitbucket Pipelines](https://support.atlassian.com/bitbucket-cloud/docs/view-your-pipeline/#Viewyourpipeline-CI_RerunStep) - [** Re-run a single stage in Azure DevOps](https://learn.microsoft.com/en-us/azure/devops/release-notes/2024/pipelines/sprint-235-update) - [** Restarting or rerunning a pipeline in Jenkins](https://www.jenkins.io/doc/book/pipeline/running-pipelines/#restarting-or-rerunning-a-pipeline) - [** Re-run a job in CircleCI](https://circleci.com/docs/rerun-failed-tests/) - [** **Retry a job**](https://buildkite.com/resources/changelog/231-retry-failed-jobs-while-builds-are-running/) from the [**Dashboard > Build view**](https://buildkite.com/docs/pipelines/dashboard-walkthrough) in Buildkite. ## Appendix: triage statuses[​](#appendix-triage-statuses) Click to view all triage statuses.StatusDescription**Open**Findings are open by default. A finding is open if it was present the last time Semgrep scanned the code and has not been ignored. An open finding represents a match between the code and a rule enabled in the repository. Open findings require action, such as rewriting the code to eliminate the detected vulnerability.**Reviewing**Indicates that the finding requires investigation to determine what the next steps in the triage process should be.**Provisionally ignored**Findings that Semgrep Assistant has flagged as false positives. You can change the status to **Ignored** if you agree with Assistant's assement. Otherwise, you can change the status to **To fix** if you disagree.**To fix**Findings that you have decided to fix. Commonly used to indicate that these findings are tracked in Jira or assigned to developers for further work.**Fixed**Fixed findings were detected in a previous scan but are no longer detected in the most recent scan of that same branch due to changes in the code.**Ignored**Findings marked as ignored are present in the code but have been labeled unimportant. Ignore false positives or deprioritized issues. Mark findings as [ignored through Semgrep AppSec Platform](/docs/semgrep-code/triage-remediation) or by adding a [nosemgrep code comment](/docs/ignoring-files-folders-code#reference-summary). You can also provide a reason for ignoring a finding: **False positive**, **Acceptable risk**, **No time to fix**.**Closed**Vulnerabilities that are no longer detected after a scan. This can be due to changes in the underlying rule or the code. ### Removed findings[​](#removed-findings) Findings can also be **removed**. Semgrep considers a finding removed if it is not found in the most recent scan of the branch where Semgrep initially detected it due to any of the following conditions: - The rule that detected the finding isn't enabled in the policy anymore. - The rule that detected the finding was updated in a way that it no longer detects the finding. - The file path where the finding appeared is no longer found. The file path was deleted, renamed, added to a `.semgrepignore` file, added to a `.gitignore` file, or added to the list of ignored paths in Semgrep AppSec Platform. - For GitHub organization accounts: the pull request or merge request where the finding was detected has been closed without merging. Your removed findings do not count toward the fix rate or the number of findings. The removed findings also do not appear in Semgrep AppSec Platform. ### Triage behavior across refs and branches[​](#triage-behavior-across-refs-and-branches) - When you triage a finding as ignored, reviewing, fixing, or reopened, Semgrep always triages across other branches and [Git references](https://git-scm.com/book/en/v2/Git-Internals-Git-References) (refs). - At scan time, there's automatic triaging that occurs in specific cases, and the behavior changes depending on the type of scan: **Full scans**: if the current branch includes a finding that was Previously introduced in another branch ***and*** - Triaged to a specific state **Then** the finding in the current branch is triaged to that same state. - **Diff-aware scan**: findings introduced in a diff-aware scan are **not** automatically triaged at scan time, even if there are other instances of that finding on branches that have been triaged. Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Developer education](/docs/tags/developer-education)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/for-developers/resolve-findings-through-comments.md)Last updated on **Sep 3, 2025** --- # Sign in to Semgrep Source: https://semgrep.dev/docs/for-developers/signin - [](/docs/)- [For developers](/docs/for-developers/overview)- Sign in to Semgrep**On this page- [Developer education](/docs/tags/developer-education)- [Semgrep AppSec Platform](/docs/tags/semgrep-app-sec-platform)Sign in to Semgrep Signing in to the [** Semgrep AppSec Platform web app](https://semgrep.dev/login) enables you to: - View and triage your findings in bulk. - Use your organization's custom Semgrep rules and configurations when you perform local scans with Semgrep. This ensures that everyone in the organization uses the same rules and analyses. Is this document for you? - Not all organizations require their developers to create a Semgrep account. - You can resolve or triage (ignore) findings in pull request or merge request comments, even **without** a Semgrep account, by replying to the comment. See [Resolve findings in your pull request or merge request](/docs/for-developers/resolve-findings-through-comments). ## Semgrep in multiple environments[​](#semgrep-in-multiple-environments) If you have not yet created a Semgrep account, it is **recommended** to first sign in to the Semgrep web app. This process creates a **personal** account, which you can then use to **join** your organization's Semgrep account. This lets you use your organization's Semgrep configuration, such as custom rules and scan parameters. If you use Semgrep in your CLI or IDE, you must sign in from those environments as well. It is recommended to sign in from these interfaces **after** you have signed in to your organization account in the web app. ## Prerequisites[​](#prerequisites) - Confirm with your security team that there is an existing organization account for you to join. - For CLI and IDE scans, see [Prerequisites > Command line tool](/docs/prerequisites#semgrep-command-line-tool) to ensure that your machine meets Semgrep's requirements. ## Sign in to the web app[​](#sign-in-to-the-web-app) In a typical Semgrep deployment, your company creates an **org** that you can sign in to and join using your GitHub, GitLab, or SSO credentials. Your organization will let you know through a notice or announcement once you can sign in. - GitHub or GitLab- SSOTo join an existing org in GitHub or GitLab: - Sign in to [** Semgrep AppSec Platform](https://semgrep.dev/login) with the account credentials specified by your admin. - Follow the on-screen prompts to grant Semgrep the needed permissions and proceed. This creates your **personal** Semgrep account. - Click **Join an existing organization**. - Click your organization's name. The web app signs you in to your organization's Semgrep account. You can verify this by viewing the account name in the navigation menu. To join an existing org through your SSO provider: - Sign in to [** Semgrep AppSec Platform](https://semgrep.dev/login) with the account credentials specified by your admin. - You are automatically signed in to all organizations that your admin has set up for you. After signing in to your org's account, you can now sign in and scan with Semgrep from other environments, such as your CLI or IDE. ## Set up Semgrep in the CLI[​](#set-up-semgrep-in-the-cli) ### Install the Semgrep CLI tool[​](#install-the-semgrep-cli-tool) - **Homebrew users:** Ensure that you've [added Homebrew to your PATH](https://docs.brew.sh/FAQ#my-mac-apps-dont-find-homebrew-utilities). Install the Semgrep CLI tool and confirm the installation: `# macOS users onlybrew install semgrep# macOS, Linux, Windows userspython3 -m pip install semgrep# if you get the following error "error: externally-managed-environment",# see semgrep.dev/docs/kb/semgrep-appsec-platform/error-externally-managed-environment # confirmsemgrep --version` ### Sign in to Semgrep from the CLI[​](#sign-in-to-semgrep-from-the-cli) To sign in to Semgrep: - Ensure that you are signed in to your **[org account](#sign-in-to-the-web-app)** in the Semgrep web app. - Enter the following command in your CLI: `semgrep login` - Running this command launches a browser window, but you can also use the link that's returned in the CLI to proceed. - In the Semgrep CLI login dialog, click **Activate** to proceed. You are now ready to run local scans with your org's Semgrep configuration. Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Developer education](/docs/tags/developer-education)- [Semgrep AppSec Platform](/docs/tags/semgrep-app-sec-platform)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/for-developers/developer-signin.md)Last updated on **Apr 8, 2025** --- # Get started with Semgrep Community Edition Source: https://semgrep.dev/docs/getting-started/quickstart-ce - [](/docs/)- [Scan](/docs/getting-started/quickstart)- Semgrep Community Edition- Get started**On this page- [quickstart](/docs/tags/quickstart)- [Semgrep CE](/docs/tags/semgrep-ce)Get started with Semgrep Community Edition Semgrep Community Edition (CE) is an open source static analysis tool that can find insecure coding patterns and security vulnerabilities in source code. Semgrep CE encompasses a SAST scanning engine, community rules, and integrated development environment plugins. infoSemgrep CE is the open source version of Semgrep Code, a commercial offering recommended for enterprise use cases. Both products share a common command-line interface, but Semgrep Code adds additional capabilities, including a web user interface. ## Prerequisites[​](#prerequisites) See [Prerequisites](/docs/prerequisites) to ensure your machine meets Semgrep's requirements. ## Install Semgrep CE[​](#install-semgrep-ce) - macOS- Linux- Windows (beta) - Install the Semgrep CLI and confirm the installation: `# install through homebrewbrew install semgrep# install through pippython3 -m pip install semgrep# confirm installation succeeded by printing the currently installed versionsemgrep --version`**Homebrew users:** ensure that you've [added Homebrew to your PATH](https://docs.brew.sh/FAQ#my-mac-apps-dont-find-homebrew-utilities). - Install the Semgrep CLI and confirm the installation: `# install through pippython3 -m pip install semgrep# if you get the following error "error: externally-managed-environment",# see semgrep.dev/docs/kb/semgrep-appsec-platform/error-externally-managed-environment # confirm installation succeeded by printing the currently installed versionsemgrep --version` - [Download](https://www.python.org/downloads/) and install Python. Check the box to add python.exe to the PATH; otherwise, you will have difficulty running Pip and Semgrep. - Configure your system to run Python with UTF-8 text encodings by default. In PowerShell, run: `[System.Environment]::SetEnvironmentVariable('PYTHONUTF8', '1', 'User')` - Install the Semgrep CLI and confirm the installation. In PowerShell, run: ``` # install through pippip install –upgrade semgrep# if you get the following error "error: externally-managed-environment",# see semgrep.dev/docs/kb/semgrep-appsec-platform/error-externally-managed-environment # confirm installation succeeded by printing the currently installed versionsemgrep --version ``` ## Create a test file for use with Semgrep CE[​](#create-a-test-file-for-use-with-semgrep-ce) Navigate to the directory of your choice, and create a sample file called `app.py` with the following: `# app.pyimport osuser_input = input("Enter a Directory: ")os.system("ls " + user_input)` Given this file, you might expect someone to run it as follows: `$ python3 app.pyEnter a Directory: .app.py` However, because this file didn't follow secure coding principles, a malicious actor might take advantage of the file as follows: `$ python3 app.pyEnter a Directory: .; cat ~/.ssh/id_*app.py-----BEGIN OPENSSH PRIVATE KEY-----...` ## Scan `app.py` with Semgrep CE[​](#scan-apppy-with-semgrep-ce) To check your code for security vulnerabilities: - Navigate to the directory where you saved `app.py` using the terminal. - Invoke Semgrep CE using `semgrep scan`. The `semgrep scan` command pulls down rules from the [Semgrep Registry](https://semgrep.dev/r), similar to package managers for source code libraries, and stores rules that help define semantic meaning to patterns in source code. By default, Semgrep CE uses open source community rules: `┌─────────────┐│ Scan Status │└─────────────┘ Scanning 1 file tracked by git with 1062 Code rules: Language Rules Files Origin Rules ───────────────────────────── ─────────────────── python 243 1 Community 1062 <multilang> 48 1` The specific numbers shown in your Scan Status printed to the terminal may vary, but you can still see that Semgrep is scanning the source code using community rules. There are over 1000 community rules in the default rule set, but because Semgrep recognizes the source code language, only rules relevant to the code being scanned are evaluated. To fine-tune your scan, you can include the `--config` parameter, which allows you to choose which rules to run: `semgrep scan --config "p/python-command-injection" app.py` In the preceding example, the command uses a predefined rule set from the Semgrep Registry focused on command injection vulnerabilities in Python. The specific rules you use during a scan will significantly impact what is detected in your source code. ## View and understand Semgrep Scan output[​](#view-and-understand-semgrep-scan-output) Semgrep displays your results when the scan is completed. The Scan Summary printed to the terminal tells you how many rules were run and whether or not there were any findings. A finding indicates that Semgrep detected a potential vulnerability. `┌──────────────┐│ Scan Summary │└──────────────┘✅ Scan completed successfully. • Findings: 1 (1 blocking) • Rules run: 24 • Targets scanned: 1 • Parsed lines: ~100.0% • No ignore information availableRan 24 rules on 1 file: 1 finding.` The findings list includes the name of the rule, a brief explanation of the security issue, and the exact line of code that triggered the finding: `┌────────────────┐│ 1 Code Finding │└────────────────┘ app.py ❯❯❱ python.lang.security.audit.dangerous-system-call-audit.dangerous-system-call-audit Found dynamic content used in a system call. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Use the 'subprocess' module instead, which is easier to use without accidentally exposing a command injection vulnerability. Details: https://sg.run/2WL0 5┆ os.system("ls " + user_input)` Each rule is given a unique namespace to help identify it. For example, Python language issues are prefixed with `python.lang`. The rule's author defines the source code patterns and provides remediation advice or an explanation of the problem. In this example, you can also see the specific expression and line of code where the issue appears. This example is a [Command Injection](/docs/learn/vulnerabilities/command-injection) vulnerability. The rule advises you to review the [Python Code Injection Cheat Sheet](/docs/cheat-sheets/python-code-injection) to learn more. The link in the output takes you to the **Semgrep Playground**, where you can interactively modify this rule and test it against sample code. ## Next steps[​](#next-steps) Read Semgrep docs for details on how to: - [Set up CI/CD pipelines](/docs/deployment/oss-deployment) - [Install the IDE](/docs/extensions/overview) - [Write custom rules](/docs/writing-rules/overview) - [Access learning guides](/docs/learn) Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [quickstart](/docs/tags/quickstart)- [Semgrep CE](/docs/tags/semgrep-ce)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/getting-started/quickstart-ce.md)Last updated on **Nov 17, 2025** --- # Quickstart for Semgrep Managed Scans Source: https://semgrep.dev/docs/getting-started/quickstart-managed-scans - [](/docs/)- [Scan](/docs/getting-started/quickstart)- Get started- Quickstart: Managed Scans**On this page- [Quickstart](/docs/tags/quickstart)- [Semgrep AppSec Platform](/docs/tags/semgrep-app-sec-platform)Quickstart for Semgrep Managed Scans Semgrep Managed Scans is the fastest method to scan projects at scale with Semgrep. With Semgrep Managed Scans, instead of adding Semgrep to your CI/CD pipeline, which requires a configuration file for each repository, Semgrep handles the scan process for all of the repositories you add. infoA **project** is any codebase, repository, or folder within a monorepo that is added to Semgrep for scanning. ## Supported source code managers[​](#supported-source-code-managers) You must be an existing Semgrep AppSec Platform user with: - Bitbucket Cloud Premium plans or Bitbucket Data Center (v8.8 or above for diff-aware scans) - Hosted GitHub (GitHub.com) and GitHub Enterprise Server plans - GitLab Cloud and GitLab self-managed plans and a Premium or Ultimate subscription - Azure DevOps Cloud repositories ## Add projects to Semgrep Managed Scans[​](#add-projects-to-semgrep-managed-scans) - Azure DevOps- Bitbucket- GitHub- GitLab### Prerequisites[​](#prerequisites)You must have admin access to your Azure DevOps organization. Read access is granted through an access token you generate on Azure DevOps. You can provide this token by [adding Azure DevOps as a source code manager](/docs/deployment/connect-scm#connect-to-cloud-hosted-orgs). Semgrep recommends setting up and configuring Semgrep with an Azure DevOps service account, not a personal account. Regardless of whether you use a personal or service account, the account must be assigned the **Owner** or **Project Collection Administrator** role for the organization. During setup and configuration, you must provide a personal access token generated by this account. This token must be authorized with **Full access**. Once you have Semgrep Managed Scans fully configured, you can update the token provided to Semgrep to one that's more restrictive. The scopes you must assign to the token include: - `Code: Read` - `Code: Status` - `Member Entitlement Management: Read` - `Project and Team: Read & write` - `Pull Request Threads: Read & write` ### Add a project[​](#add-a-project) - Sign in to [Semgrep AppSec Platform](https://semgrep.dev/login) - Navigate to **Projects**, and click **Scan new project > Semgrep Managed Scan**. - In the **Enable Managed Scans for repos** page, select the repositories you want to add to Semgrep Managed Scans. - Click **Enable Managed Scans**. The **Enable Managed Scans** dialog appears. By default, Semgrep runs both full and diff-aware scans. - Click **Enable**. You are taken to the **Projects** page as your scans begin. ### Prerequisites[​](#prerequisites-1)You must have admin access to your GitHub organization. To enable and use this feature, you must grant Semgrep **Read access** to your code. Steps are provided in [Add projects to Semgrep Managed Scans](#add-projects-to-semgrep-managed-scans). Read access is permitted through a private Semgrep app that you create and register yourself. See [Managed Scans > Security](/docs/deployment/managed-scanning/overview#security) for more information on how Semgrep handles your code. ### Add a project[​](#add-a-project-1) - Navigate to [Semgrep AppSec Platform](https://semgrep.dev/login), and sign up by clicking on **Sign in with GitHub**. Follow the on-screen prompts to [grant Semgrep the necessary permissions](/docs/deployment/checklist#permissions) and proceed. - Provide the **Organization display name** you'd like to use, then click **Create new organization**. - When asked **Where do you want to scan?** click **GitHub**. - Follow the steps in the **Connect GitHub to Semgrep** page. These steps install a public GitHub app, which handles PR comments, and a private GitHub app, which handles code access. You are able to select which repositories these apps have access to, and have full control over removing them or revoking their permissions. - Click **Set up projects**. You are taken to the **Enable Managed Scans for repos** page. - Select all the repositories you want to add to Semgrep Managed Scans for scanning. - Click **Enable Managed Scans**. You are taken to the **Projects** page as your scans begin. ### Prerequisites[​](#prerequisites-2)Semgrep Managed Scanning (SMS) requires one of the following plans: - GitLab Premium - GitLab Ultimate - GitLab Self Managed You must provide a GitLab group access token or personal access token to Semgrep. The token must have the `api` scope assigned to it. During SMS onboarding, the group or user to which the token is assigned must have one of the following roles: - `Maintainer` - `Owner` - `Admin` This is because managed scans of GitLab repositories require the enablement of webhooks to facilitate diff-aware scans and the creation of pull request comments by Semgrep. The webhooks are enabled by default when you set up Managed Scans and add GitLab as a source code manager. Once onboarding is complete, you can downgrade the role assigned to the token to `Developer`. ### Add a project[​](#add-a-project-2) - Navigate to [Semgrep AppSec Platform](https://semgrep.dev/login), and sign up by clicking on **Sign in with GitLab**. Follow the on-screen prompts to proceed. - When prompted, click **Scan new project > Semgrep Managed Scan**. - In the **Enable Managed Scans for repos** page, select the repositories you want to add to Semgrep Managed Scans. - Click **Enable Managed Scans**. The **Enable Managed Scans** dialog appears. By default, Semgrep runs both full and diff-aware scans. - Click **Enable**. You are taken to the **Projects** page as your scans begin. ### Prerequisites[​](#prerequisites-3)You must have admin access to your Bitbucket organization. #### Bitbucket Cloud[​](#bitbucket-cloud) - Read access is granted through a [workspace access token](https://support.atlassian.com/bitbucket-cloud/docs/workspace-access-tokens/) you generate on Bitbucket. You can provide this token by [adding Bitbucket as a source code manager](/docs/deployment/connect-scm#connect-to-cloud-hosted-orgs). - The user generating the workspace token must be a **Product Admin** for the workspace. The scopes you must assign to the token include: `webhook (read and write)` - `repository (read and write)` - `pullrequest (read and write)` - `project (admin)` - `account (read)` #### Bitbucket Data Center[​](#bitbucket-data-center) - V8.8 or above for diff-aware scans. Additionally, project-level webhooks are required to support diff-aware scans. - Read access is granted through an [HTTP access token](https://confluence.atlassian.com/bitbucketserver/http-access-tokens-939515499.html) you generate on Bitbucket. You can provide this token by [adding Bitbucket as a source code manager](/docs/deployment/connect-scm#connect-to-on-premise-orgs-and-projects). - The user generating the workspace token must be a **Product Admin** for the workspace. The token must be created with `PROJECT_ADMIN` permissions. ### Add a project[​](#add-a-project-3) - Sign in to [Semgrep AppSec Platform](https://semgrep.dev/login) - Navigate to **Projects**, and click **Scan new project > Semgrep Managed Scan**. - In the **Enable Managed Scans for repos** page, select the repositories you want to add to Semgrep Managed Scans. - Click **Enable Managed Scans**. The **Enable Managed Scans** dialog appears. By default, Semgrep runs both full and diff-aware scans. - Click **Enable**. You are taken to the **Projects** page as your scans begin. You have finished setting up a Semgrep managed scan. Here are some behaviors and characteristics of a managed scan: - After enabling Managed Scans, Semgrep performs a full scan in batches on all the repositories that have been added to it. - In general, once a git repository has been added to Semgrep AppSec Platform, it becomes a **project**. A project in Semgrep AppSec Platform includes all the findings, history, and scan metadata of that repository. - Projects with a Managed Scan configuration are tagged with `managed-scan`, regardless of whether the project is actively being scanned by Semgrep Managed Scans or not. ## Next steps[​](#next-steps) Once a scan has finished, you can view your findings by clicking any of the following on the navigation menu: - [** Code](https://semgrep.dev/orgs/-/findings?tab=open&primary=true) for SAST findings - [** Secrets](https://semgrep.dev/orgs/-/secrets?tab=open&validation_state=confirmed_valid,validation_error,no_validator) for secrets findings - [** Supply Chain](https://semgrep.dev/orgs/-/supply-chain/vulnerabilities?primary=true&tab=open) for SCA findings To learn more about how Semgrep manages your scans, read the in-depth [Semgrep Managed Scans documentation](/docs/deployment/managed-scanning/overview). Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Quickstart](/docs/tags/quickstart)- [Semgrep AppSec Platform](/docs/tags/semgrep-app-sec-platform)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/getting-started/quickstart-sms.md)Last updated on **Dec 2, 2025** --- # Quickstart Source: https://semgrep.dev/docs/getting-started/quickstart - [](/docs/)- [Scan](/docs/getting-started/quickstart)- Get started- Quickstart**On this page- [quickstart](/docs/tags/quickstart)QuickstartLearn how to set up Semgrep, scan your first project for security issues, and view your findings. A **project** can be any codebase, repository, or folder within a monorepo. prerequisitesYou must have Python 3.10 or later installed on the machine where the Semgrep CLI is running. - Navigate to [Semgrep AppSec Platform](https://semgrep.dev/login), and sign up by clicking on **Continue with GitHub** or **Continue with GitLab**. Follow the on-screen prompts to grant Semgrep the necessary permissions. - Provide the **Organization display name** you'd like to use, then click **Create new organization**. - When asked **Where do you want to scan?** click **Run on CLI**. - Launch your CLI, and follow the instructions on the [**Scan a project on your machine**](https://semgrep.dev/onboarding/scan) page. For your convenience, the same information is presented below, along with instructions for Windows users. macOS- Linux- Windows (beta)- Docker - Install the Semgrep CLI and confirm the installation: `# install through homebrewbrew install semgrep# install through pippython3 -m pip install semgrep# confirm installation succeeded by printing the currently installed versionsemgrep --version` note**Homebrew users:** ensure that you've [added Homebrew to your PATH](https://docs.brew.sh/FAQ#my-mac-apps-dont-find-homebrew-utilities). - Log in to your Semgrep account. Running this command launches a browser window, but you can also use the link that's returned in the CLI to proceed: `semgrep login` - In the **Semgrep CLI login**, click **Activate** to proceed. - Return to the CLI, navigate to the root of your project, and run your first scan: `semgrep ci` - Install the Semgrep CLI and confirm the installation: `# install through pippython3 -m pip install semgrep# if you get the following error "error: externally-managed-environment",# see semgrep.dev/docs/kb/semgrep-appsec-platform/error-externally-managed-environment # confirm installation succeeded by printing the currently installed versionsemgrep --version` - Log in to your Semgrep account. Running this command launches a browser window, but you can also use the link that's returned in the CLI to proceed: `semgrep login` - In the **Semgrep CLI login**, click **Activate** to proceed. - Return to the CLI, navigate to the root of your project, and run your first scan: `semgrep ci` - [Download](https://www.python.org/downloads/) and install Python. Make sure to check the box to add python.exe to the PATH, otherwise you will have difficulty running Pip and Semgrep. - Configure your system to run Python with UTF-8 text encodings by default. In PowerShell, run: `[System.Environment]::SetEnvironmentVariable('PYTHONUTF8', '1', 'User')` - Install the Semgrep CLI and confirm the installation. In PowerShell, run: `# install through pippip install –upgrade semgrep# if you get the following error "error: externally-managed-environment",# see semgrep.dev/docs/kb/semgrep-appsec-platform/error-externally-managed-environment # confirm installation succeeded by printing the currently installed versionsemgrep --version` - Log in to your Semgrep account. Running this command launches a browser window, but you can also use the link that's returned in the CLI to proceed: `semgrep login` - In the **Semgrep CLI login**, click **Activate** to proceed. - Return to the CLI, navigate to the root of your project, and run your first scan: `semgrep ci` PrerequisitesEnsure that you have [Docker installed](https://docs.docker.com/desktop/) before proceeding. - Pull the latest image and confirm the version: `docker pull semgrep/semgrep# confirm versiondocker run --rm semgrep/semgrep semgrep --version` - For users running Docker on **macOS or Linux** Docker: Log in to your Semgrep account (running this command will launch a browser window, but you can also use the link that's returned in the CLI to proceed): `docker run -it semgrep/semgrep semgrep login` - In the **Semgrep CLI login**, click **Activate** to proceed. Return to the CLI and copy the login token that's shown. - Navigate into the root of your project, and run your first scan. Be sure to substitute `YOUR_TOKEN` with the login token value you copied in the previous step: `docker run -e SEMGREP_APP_TOKEN=YOUR_TOKEN --rm -v "${PWD}:/src" semgrep/semgrep semgrep ci` The provided `-v` option mounts the current directory into the container to be scanned. Navigate into a different project or provide a specific local directory in the command to scan a different project. - For users running Docker on **Windows**: Log in to your Semgrep account (running this command will launch a browser window, but you can also use the link that's returned in the CLI to proceed): `docker run -it semgrep/semgrep semgrep login` - In the **Semgrep CLI login**, click **Activate** to proceed. Return to the CLI, and copy the login token that's shown. - Navigate into the root of your project, and run your first scan. Be sure to substitute `YOUR_TOKEN` with the login token value you copied in the previous step: `docker run -e SEMGREP_APP_TOKEN=YOUR_TOKEN --rm -v "%cd%:/src" semgrep/semgrep semgrep ci` The provided `-v` option mounts the current directory into the container to be scanned. Navigate into a different project or provide a specific local directory in the command to scan a different project. - Once you've scanned your first application, return to Semgrep AppSec Platform, and click **View findings** to see the security vulnerabilities in your project. Alternatively, you can view your results in Semgrep AppSec Platform's **Dashboard** page. For detailed information, click **Code** to access your SAST findings or **Supply Chain** to access your SCA findings. info**Code is not uploaded.** Only **findings** are sent to Semgrep AppSec Platform. ## Scan without a GitHub or GitLab account[​](#scan-without-a-github-or-gitlab-account) If you don't have a GitHub or GitLab account, you can use `semgrep scan` in your CLI. See [Scan your project](/docs/getting-started/cli#scan-your-project) for more details. Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [quickstart](/docs/tags/quickstart)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/getting-started/quickstart.md)Last updated on **Nov 17, 2025** --- # Supported source code managers Source: https://semgrep.dev/docs/getting-started/scm-support - [](/docs/)- [Scan](/docs/getting-started/quickstart)- Get started- Supported source code managers- [SCM](/docs/tags/scm)- [Deployment](/docs/tags/deployment)Supported source code managers Semgrep supports the following source code managers (SCM) and plans to varying degrees. Please review the information for your specific SCM and plan to see what Semgrep features are available to you. If any of the following conditions apply to you, you may need to add [Semgrep's IP addresses](/docs/deployment/checklist#ip-addresses) to your ingress and egress allowlists, or you can use the [Network Broker](/docs/semgrep-ci/network-broker): - Your SCM offers security features that limit access to your resources - Your SCM is behind a firewall or protected by network restrictions regarding access - You are using a virtual private network (VPN) PlanUnsupported Semgrep featuresAzure DevOps Cloud- Query console- Auto PRs for Supply Chain findingsAzure DevOps Server- Semgrep Assistant- Semgrep Managed Scans- Pull request comments- Query console- Diff-aware scans- Sending findings to Semgrep AppSec Platform- Default branch identification- Auto PRs for Supply Chain findings- Generic secrets (requires Semgrep Assistant)Bitbucket Cloud Free- Semgrep Assistant†- Semgrep Managed Scan†- Query console- Auto PRs for Supply Chain findings- Generic secrets (requires Semgrep Assistant)Bitbucket Cloud Standard- Semgrep Assistant†- Semgrep Managed Scan†- Query console- Auto PRs for Supply Chain findings- Generic secrets (requires Semgrep Assistant)Bitbucket Cloud Premium- Query console- Auto PRs for Supply Chain findingsBitbucket Data Center- Query console- Diff-aware scans require Bitbucket Data Center version 8.8 or later.- Auto PRs for Supply Chain findingsGitHub Free-GitHub Pro-GitHub Team-GitHub Enterprise Cloud-GitHub Enterprise Server- Auto PRs for Supply Chain findingsGitLab Free- Semgrep Managed Scans*- Query console- Auto PRs for Supply Chain findingsGitLab Premium- Query console- Auto PRs for Supply Chain findingsGitLab Ultimate- Query console- Auto PRs for Supply Chain findingsGitLab Dedicated / Dedicated for Government- Query console- Auto PRs for Supply Chain findingsGitLab Self-Managed Free- Semgrep Managed Scans*** Query console- Auto PRs for Supply Chain findingsGitLab Self-Managed Premium- Query console- Auto PRs for Supply Chain findingsGitLab Self-Managed Ultimate- Query console- Auto PRs for Supply Chain findings **†**Semgrep Assistant and Managed Scans require a workspace access token, which is only available to users with Bitbucket Cloud Premium. *****Semgrep Managed Scans requires access to group webhooks, which is unavailable to GitLab Free users. Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [SCM](/docs/tags/scm)- [Deployment](/docs/tags/deployment)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/getting-started/scm-support.md)Last updated on **Jun 23, 2025** --- # Ignore files, folders, and code Source: https://semgrep.dev/docs/ignoring-files-folders-code - [](/docs/)- Set up and deploy scans- Core deployment- Customize core deployment- Ignore files, folders, and code- Semgrep Code**On this page- [Semgrep AppSec Platform](/docs/tags/semgrep-app-sec-platform)Ignore files, folders, and code This document describes two types of ignore operations: - **Ignoring as exclusion.** Exclude or skip specific **files and folders** from the scope of Semgrep scans in your repository or working directory. Ignoring in this context means that Semgrep does not generate findings for the ignored files and folders. - **Ignoring as triage action**. Ignore specific parts of code that would have generated a finding. Ignoring in this context means that Semgrep generates a finding record and automatically triages it as **Ignored**, a triage state. All Semgrep environments (CLI, CI, and Semgrep AppSec Platform) adhere to user-defined or Semgrep-defined ignore patterns. ## Reference summary[​](#reference-summary) MethodUsageTo ignore blocks of code: Add a `nosemgrep` annotationCreate a comment, followed by `nosemgrep`, at the first line or preceding line of the pattern match. This generates a finding that is automatically ignored. For example:` // nosemgrep`      `// nosemgrep: rule-id` `# nosemgrep`For Semgrep AppSec Platform users: - Ignore files and folders through the use of Semgrep AppSec Platform's **Project or Global ignores**- Override the implicit ignorelist through the use of a `.semgrepignore` file.Navigate to **Projects > PROJECT_NAME > Details > Settings > Path ignores**. *For Semgrep Community Edition (CE) users:Ignore files and folders through a `.semgrepignore` fileCreate a `.semgrepignore` file in your **repository's root directory** or your **project's working directory** and add patterns for files and folders there. Patterns follow `.gitignore` syntax with some caveats. See [Defining ignored files and folders in `.semgrepignore`](#define-ignored-files-and-folders-in-semgrepignore). ## Understand Semgrep defaults[​](#understand-semgrep-defaults) Without user customization, Semgrep refers to the following to define ignored files and folders: - Semgrep's default `.semgrepignore` file - Your repository's `.gitignore` file (if it exists) - For Semgrep AppSec Platform users: each project (repository or subfolder in monorepo) in Semgrep has a list of ignored files and folders in its project details page. In the absence of a user-generated `.semgrepignore`, Semgrep refers to [its repository's default template](https://github.com/semgrep/semgrep/blob/develop/cli/src/semgrep/templates/.semgrepignore): `# Administrative folder or file used by popular version control systems.git.svn.hg_darcsCVS# Paths to files and folders that are typically large and ignorablebuild/vendor/dist/*.min.js.env/.tox/# Package managersnode_modules/.npm/.yarn/.venv/_opam/_build/_cargo/# Note that PHP composer uses vendor/ and C++ conan uses build/# .venv is used both by Go and Python.# Common test pathstest/tests/testsuite/*_test.go` ## Override defaults[​](#override-defaults) The default `.semgrepignore` file causes Semgrep to skip these folders: - `/tests`, `/test` - `/vendors` To include these folders: - Create a `.semgrepignore` file at the repository root without those paths. - For Platform users: remove the folders from the project ignore list in **Projects > PROJECT_NAME > Details page > Settings > Path ignores > Code (SAST) & Supply Chain (SCA)**. ## Files, folders, and code beyond Semgrep's scope[​](#files-folders-and-code-beyond-semgreps-scope) There are files that Semgrep ignores even without `.semgrepignore`: - Large files (maximum file size defaults to 1 MB) - Binary files - Unknown file extensions (file extensions not matched with any supported programming language) Large files and unknown file extensions are included or excluded through command line flags (See [CLI reference](/docs/cli-reference)). Binary files are never scanned. This document defines **files, folders and code** as those that are **relevant to a Semgrep scan**. For example, `.jpg` files are not a part of Semgrep's scope and therefore are not part of the scope of this document. ## Customize ignore behavior[​](#customize-ignore-behavior) Semgrep provides several methods to customize ignore behavior. Refer to the following table to see which method suits your goal: GoalMethodTo ignore custom files and folders each time you run a Code or Supply Chain scan.Add these files to your `.semgrepignore` file or [define them through Semgrep AppSec Platform](#define-ignored-files-and-folders-in-semgrep-appsec-platform).To ignore specific code blocks each time you run a scan.Create a comment with the word `nosemgrep`.To ignore files or folders for a particular scan.Run Semgrep with the flag `--exclude` followed by the pattern or file to be excluded. See [CLI reference](/docs/cli-reference).To include files or folders for a particular scan.Run Semgrep with the flag `--include` followed by the pattern or file to be included. Any file that isn't matched is excluded. See CLI reference. When including a pattern from a `.gitignore` or `.semgrepignore` file, `--include` does not override either, resulting in the file's exclusion.To scan all files within Semgrep's scope each time you run Semgrep (only files in `.git` are ignored).Create an empty `.semgrepignore` file in your repository root directory, and for `semgrep ci` scans, [remove any entries listed in your **Path Ignores** list](#define-ignored-files-and-folders-in-semgrep-appsec-platform) in Semgrep AppSec Platform.To include files or folders defined within a `.gitignore` for a particular scan.Run Semgrep with the flag `--no-git-ignore`.To ignore files or folders for a particular rule.Edit the rule to set the `paths` key with one or more patterns. See [Rule syntax](/docs/writing-rules/rule-syntax#paths). ## Define ignored files and folders in `.semgrepignore`[​](#define-ignored-files-and-folders-in-semgrepignore) Configure a `.semgrepignore` file to ignore files and folders each time you run a Code or Supply Chain scan. cautionFor Secrets scans, Semgrep ignores both the default and user-defined `.semgrepignore` files. You can still configure secrets-specific ignores in [Semgrep AppSec Platform](#define-ignored-files-and-folders-in-semgrep-appsec-platform) or use the `--exclude` flag to ignore files or folders for a particular scan. `.semgrepignore` syntax mirrors `.gitignore` syntax, with the following modifications: - "Character range" patterns (lines including a collection of characters inside brackets) are unsupported. - An `:include ...` directive is added, which allows another file to be included in the ignore pattern list; typically this included file would be the project `.gitignore`. No attempt at cycle detection is made. - Any line that begins with a colon, but not `:include`, raises an error. - `\:` is added to escape leading colons. Unsupported patterns are silently removed from the pattern list (this is done so that `.gitignore` files may be included without raising errors). The removal is logged. For a description of `.gitignore` syntax, see [.gitignore documentation](https://git-scm.com/docs/gitignore). ## Define ignored files and folders in Semgrep AppSec Platform[​](#define-ignored-files-and-folders-in-semgrep-appsec-platform) Another method for users to define ignore patterns is through Semgrep AppSec Platform. These patterns follow the same syntax as `.semgrepignore` in the preceding section. You can either define patterns at the individual-project level or at the organization level, so they're applied to all projects owned by that organization. Ignoring files and folders through this method is **additive**. Adding items to Semgrep AppSec Platform's **Path Ignores** box **doesn't** override default Semgrep ignore patterns included with its CLI tool, since the patterns are additive. To override a Semgrep default, both an existing local `.semgrepignore` file and the **Path ignores** box must be configured. See [Override defaults](#override-defaults). All files and folders defined using Semgrep AppSec Platform's **Path Ignores** feature, both for a specific project and globally, are additive. tipThis method is utilized by the `semgrep ci` command. For `semgrep scan`, you can only define ignored files and folders through `.semgrepignore`. ### Define files and folders for a specific project[​](#define-files-and-folders-for-a-specific-project) - Sign in to [* Semgrep AppSec Platform](https://semgrep.dev/login?return_path=/manage/projects). - From the sidebar, click **[Projects](https://semgrep.dev/orgs/-/projects)**. - Find the project you want to modify, then click its **** icon** under **Details**. - Click the **Settings** tab. - To define files and folders that Semgrep can ignore: Click **Code (SAST) & Supply Chain (SCA)** or **Secrets** to expand and display the **Path Ignores** box. - Enter files and folders to ignore in the relevant **Path Ignores** box. - Click **Save changes**. * ***Figure**. Set ignore paths for a project in Semgrep AppSec Platform.* ### Define files and folders for all projects of an organization[​](#define-files-and-folders-for-all-projects-of-an-organization) - Sign in to [* Semgrep AppSec Platform](https://semgrep.dev/login?return_path=/manage/projects). - Click **Settings**. This takes you to the **General > Global** settings tab. - Enter files and folders to ignore in the **Ignore paths** box for the product to which the changes should apply. - Click **Save changes**. ***Figure**. Set global ignore paths for all projects of an organization in Semgrep AppSec Platform.* ### Add items to `.semgrepignore` during findings triage[​](#add-items-to-semgrepignore-during-findings-triage) You can also add files to `.semgrepignore` while triaging individual findings using Semgrep AppSec Platform: - On the Semgrep Code [Findings](https://semgrep.dev/orgs/-/findings?tab=open) page, click the **Status** filter, and then select the **Open** status to see all open findings. - Click the finding you want ignored to open its **Details** page. - Select **Ignored**, and optionally, select an **Ignore reason**. - Click to expand **Ignore files in future scans...**. - Select the files you want ignored in future scans. - Click **Change status** to save. ## Ignore code through nosemgrep[​](#ignore-code-through-nosemgrep) To ignore blocks of code, define an **inline comment**, followed by the word `nosemgrep`, at either the **first line** or **the line preceding** the potential match. Semgrep ignores all rule pattern matches. This functionality works across all supported languages. cautionIgnoring code through this method still generates a finding. The finding is automatically set to the **Ignored** triage state. `nosemgrep` in Python: `bad_func1() # nosemgrep# nosemgrepbad_func2()` `nosemgrep` in JavaScript: `// nosemgrepbad_func1()bad_func2(); // nosemgrepbad_func3( // nosemgrep arg);` To ignore blocks of code for a **particular rule**, enter its `rule-id` as follows: `nosemgrep: RULE_ID`. To ignore **multiple rules**, use a comma-delimited list. `rule-ids` must be referenced with their namespace. Python examples: `bad_func1() # nosemgrep: rule-id-1# nosemgrep: rule-id-1, rule-id-2bad_func2()` JavaScript examples wherein rules are stored in a `configs` subdirectory: `// nosemgrep: configs.rule-id-3bad_func1()bad_func2(); // nosemgrep: configs.rule-id-3bad_func3( // nosemgrep: configs.rule-id-3, configs.rule-id-4 arg);` infoPrevious annotations for ignoring code inline, such as `nosem`, are deprecated. ## Disable rules on Semgrep AppSec Platform[​](#disable-rules-on-semgrep-appsec-platform) Semgrep AppSec Platform users can disable rules and rulesets through the Policies page. See [Disable rules](/docs/semgrep-code/policies#disable-rules) and [Disable rulesets](/docs/semgrep-code/triage-remediation#disable-a-ruleset-or-a-rule). ## Ignore findings[​](#ignore-findings) **Ignoring** can also be a triage action. In this case, the code is scanned rather than excluded, and if a pattern match occurs, a finding record is generated that you can then triage as **Ignored**. See [Triage and remediate Semgrep Code findings in Semgrep AppSec Platform](/docs/semgrep-code/triage-remediation#ignore-findings) to learn how to: - [Manage findings](/docs/semgrep-code/triage-remediation#triage-and-remediation) - [Ignore findings through PR and MR comments](/docs/semgrep-code/triage-remediation#triage-findings-through-pr-and-mr-comments) ## Troubleshooting[​](#troubleshooting) ### Tips to prevent unexpected ignore behavior[​](#tips-to-prevent-unexpected-ignore-behavior) tipThis section focuses on ignoring as excluding or skipping files, not as a triage action. Because Semgrep ignore logic is configured at the file, repository, and platform level, you may sometimes encounter unexpected behavior. - If possible, only create a custom, user-defined `.semgrepignore` file if you are **overriding** Semgrep defaults. This means defining all other items to ignore through the global or project path ignores. This method works well if your organization primarily scans using the `semgrep ci` command. - Be aware that creating a user-defined `.semgrepignore` file enables developers to edit it. - Include the `.semgrepignore` file in Git tracking to keep a log of changes and ensure it's applied consistently. - To **include** a file or folder for scanning, ensure it's not in any of the following places: Global path ignores - Project path ignores - User-defined `.semgrepignore` - Semgrep defaults (implicit) `.semgrepignore` ### `SAST_EXCLUDED_PATHS`[​](#sast_excluded_paths) **For GitLab users**: if you use [the `SAST_EXCLUDED_PATHS` variable](https://docs.gitlab.com/ee/user/application_security/sast/#vulnerability-filters) to specify paths excluded from analysis, you may find that Semgrep doesn't honor these items. This is due to default Semgrep behavior. To explicitly exclude files, you must do one of the following steps: - Create a `.semgrepignore` file that lists the files you want excluded. - [Update the **Path Ignores** box](#define-ignored-files-and-folders-in-semgrep-appsec-platform) in Semgrep AppSec Platform. Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Semgrep AppSec Platform](/docs/tags/semgrep-app-sec-platform)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/ignoring-files-folders-code.md)Last updated on **Apr 4, 2025** --- # Semgrep docs Source: https://semgrep.dev/docs/ - [](/docs/)- Docs home[*](https://semgrep.dev)Semgrep docs ##### Find bugs and reachable dependency vulnerabilities in code. Enforce your code standards on every commit. ### Scan with Semgrep AppSec Platform Deploy static application security testing (SAST), software composition analysis (SCA), and secrets scans from one platform. [###### Get startedRun your first Semgrep scan.** ](/docs/getting-started/quickstart-managed-scans)[###### Deploy SemgrepDeploy Semgrep to your organization quickly and at scale. ](/docs/deployment/core-deployment)[###### Triage and remediateTriage and remediate findings; fine-tune guardrails for developers. ](/docs/semgrep-code/triage-remediation)[###### Write rulesEnforce your organization’s coding standards with custom rules. ](/docs/writing-rules/overview) ### Supported languages ProductLanguagesSemgrep Code**Generally available (GA)**C and C++ • C# • Generic • Go • Java • JavaScript • JSON • Kotlin • Python • TypeScript • Ruby • Rust • JSX • PHP • Scala • Swift • Terraform **Beta**APEX • Elixir**Experimental**Bash • Cairo • Circom • Clojure • Dart • Dockerfile • Hack • HTML • Jsonnet • Julia • Lisp • Lua • Move on Aptos • Move on Sui • OCaml• R • Scheme • Solidity • YAML • XMLSemgrep Supply Chain**Generally available reachability**C# • Go • Java • JavaScript and TypeScript • Kotlin • PHP • Python • Ruby • Scala • Swift **Languages without support for reachability analysis**Dart • Elixir • RustSemgrep SecretsLanguage-agnostic; can detect 630+ types of credentials or keys. See the [Supported languages](/docs/supported-languages#language-maturity-summary) documentation for more details. ### November 2025 release notes summary - **Cortex** and **Sysdig** integrations are now generally available. Semgrep now uses deployment status and, for Cortex, internet-exposure data from these CNAPP providers to better prioritize findings. - Malicious dependency detection is now generally available. Semgrep detects malicious packages, including malware, typosquatting, and credential-stealing dependencies, using over 80,000 rules. - Assistant now automatically analyzes **all new Critical and High-severity findings** with **Medium or High confidence** in full scans, removing the previous 10-issue limit. - The **Settings > General** tab now displays all Semgrep product settings on a single page. [See the latest release notes *](/docs/release-notes) [** Subscribe to RSS feed ](https://semgrep.dev/docs/release-notes/rss.xml)Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. [Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/index.md)Last updated on Dec 9, 2025** --- # Introduction to Semgrep Source: https://semgrep.dev/docs/introduction - [](/docs/)- What's Semgrep- Introduction to Semgrep**On this page- [quickstart](/docs/tags/quickstart)- [introduction](/docs/tags/introduction)- [what-is-semgrep](/docs/tags/what-is-semgrep)- [intro](/docs/tags/intro)Introduction to SemgrepSemgrep is a software security tool that provides static application security testing (SAST), software composition analysis (SCA), and secrets detection. Semgrep identifies vulnerabilities in your source code without executing your code. It integrates with IDEs and CI/CD, and can also run from the Semgrep AppSec Platform. Semgrep uses rules written in a simple schema that match code semantically. You can use out-of-the-box rules, apply community-maintained rules, or write your own to fit your workflow. Scan results can be triaged and remediated in the Semgrep AppSec Platform. The platform includes Semgrep Assistant, which offers remediation guidance and autofix suggestions for Semgrep Code and Secrets findings. ## Offerings[​](#offerings) - **Community Edition** (CE): is an open source static analysis tool that can find insecure coding patterns and security vulnerabilities in source code. Semgrep CE encompasses a SAST scanning engine, community rules, and integrated development environment plugins. The core scanner supports over 30 programming languages. [Get started with CE](/docs/getting-started/quickstart-ce). - **Semgrep AppSec Platform** (Pro): is a commercial offering recommended for enterprise use cases. It shares the command-line interface with CE and adds additional capabilities. Semgrep AppSec Platform Pro offers Managed Scans at org scale, advanced (pro) rules, supply chain analysis, secrets detection, PR comments, and AI-assisted triage/fixes, and more. It supports over 35 programming languages, with new ones added regularly. [Learn more](/docs/semgrep-pro-vs-oss) about the differences between CE and Pro offerings and the features that distinguish them. ## The analysis workflow[​](#the-analysis-workflow) Semgrep's analysis workflow can be divided into three stages: ### Deployment[​](#deployment) Deployment is the process of integrating Semgrep into your developer and infrastructure workflows. Completing the deployment process provides you with the Semgrep features that meet your security program's needs. Semgrep does not require code access to complete the core deployment process. Your code is **not** sent anywhere. Learn more about [Semgrep deployment](/docs/deployment/core-deployment). ### Scan[​](#scan) Scanning is the process of analyzing your code to identify security vulnerabilities, exposed secrets, or risks introduced through dependencies. Semgrep provides three scanning tools that help you detect and address issues early in development and throughout your software lifecycle: - Semgrep Code: a static application security testing (SAST) tool that detects security vulnerabilities in your **first-party code**. You can use it to scan local repositories or integrate it into your CI/CD pipeline to automate the continuous scanning of your code. [Learn more](/docs/semgrep-code/overview) - Semgrep Supply Chain Analysis: a software composition analysis (SCA) tool that detects security vulnerabilities in your codebase introduced by open source dependencies. [Learn more](/docs/semgrep-supply-chain/overview) - Semgrep Secrets: scans code to detect exposed API keys, passwords, and other credentials. [Learn more](/docs/semgrep-secrets/conceptual-overview) ### Triage and remediation[​](#triage-and-remediation) After each scan, your findings are displayed in the Semgrep AppSec Platform. The filters provided allow you to manage and triage your findings. Triage is the process of reviewing, prioritizing, and managing findings identified during Semgrep scans. It helps security teams and developers decide which issues to address, ignore, or assign for further investigation. Within the Semgrep AppSec Platform, triage tools such as filtering, tagging, and assigning owners streamline this process and integrate seamlessly into existing workflows. Remediation is the process of fixing security issues identified during scanning. Semgrep supports remediation by providing detailed findings, contextual code examples, and, in many cases, autofix suggestions that can automatically or semi-automatically resolve vulnerabilities. These tools help developers quickly implement secure fixes while maintaining development speed. [Semgrep Assistant](/docs/semgrep-assistant/overview) enhances this workflow by providing AI-powered security recommendations to help you understand findings, assess severity, and prioritize fixes. It can also suggest potential remediations, explain rule matches in context, and guide developers toward faster resolution of issues. ## Ways to incorporate Semgrep into your development workflow[​](#ways-to-incorporate-semgrep-into-your-development-workflow) GoalRecommended OptionAvailable InQuick local checksRun Semgrep locallyCE & ProCatch issues before commitIDE extension or pre-commit frameworkCE & ProIntegrate into buildsCI/CD integrationCE & ProOrg-wide management & automationSemgrep Managed ScansPro only ### Run Semgrep locally[​](#run-semgrep-locally) Run Semgrep directly on your machine to scan code before pushing changes. This is the quickest way to get started and experiment with rules. You can run scans manually from the command line or set up local automations. [Learn more](/docs/getting-started/quickstart). ### Use Semgrep in your IDE or before commits[​](#use-semgrep-in-your-ide-or-before-commits) Incorporate Semgrep early in your development workflow by using a [supported IDE extension](/docs/extensions/overview#official-ide-extensions) or by setting up the [pre-commit framework](/docs/extensions/pre-commit), which runs Semgrep checks automatically before code is committed. This helps you catch issues before they ever reach your repository. ### Add Semgrep to CI/CD[​](#add-semgrep-to-cicd) Integrate Semgrep into your CI/CD environment like GitHub Actions, GitLab CI/CD, Jenkins, CircleCI, Azure Pipelines, Bitbucket, or Buildkite by creating a job that your CI provider runs. After each scan, findings are sent to the Semgrep AppSec Platform for triage and remediation. [Learn more](/docs/deployment/add-semgrep-to-ci). infoWhile CI/CD integration continues to be supported, [Semgrep Managed Scans](#semgrep-managed-scans-via-the-appsec-platform-dashboard-recommended) are the recommended approach for organization-wide deployments. ### Semgrep Managed Scans via the AppSec Platform Dashboard (Recommended)[​](#semgrep-managed-scans-via-the-appsec-platform-dashboard-recommended) [Semgrep Managed Scans](/docs/deployment/managed-scanning/overview) help teams adopt SAST, SCA, and secrets detection tools across their organization without complex setup. Scans are run automatically on Semgrep’s cloud infrastructure, and results appear directly in the AppSec Platform dashboard. **Key features:** - Minimal setup and no CI changes required - Configure scans through the AppSec Platform - Scan multiple repositories with a single integration - Integrate results into workflows via PR comments - Available for all Semgrep products (Code, Secrets, Supply Chain Analysis) - Automatic bi-weekly scans ## Why Semgrep outperforms competitors (practical differences)[​](#why-semgrep-outperforms-competitors-practical-differences) - **No build required for most languages:** Semgrep runs on almost any repository without complex setup. Tools like CodeQL often need a buildable environment and use their own query language. - **Faster rule authoring and iteration:** Semgrep patterns resemble real code, making it easier to write, test, and refine rules without switching contexts. It allows for customization and extensibility without DSLs, managing abstract syntax trees, or regex wrangling - **Actionable feedback during code review:** Developers receive immediate PR or MR comments based on organization-defined policies, allowing them to fix or ignore findings during review and reducing triage churn. - **Seamless path to deeper analysis:** With Semgrep’s platform features, teams can extend scanning to include cross-file and taint analysis, reachability checks, secrets detection, and supply chain analysis within the same workflow. - **Support for 30+ programming languages** Semgrep offers lower setup friction, fewer false positives in code review, simpler custom rules, and a tighter feedback loop between security and development teams. Read more about [comparisons with other tools](/docs/faq/comparisons/codeql). Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [quickstart](/docs/tags/quickstart)- [introduction](/docs/tags/introduction)- [what-is-semgrep](/docs/tags/what-is-semgrep)- [intro](/docs/tags/intro)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/getting-started/introduction.md)Last updated on **Dec 2, 2025** --- # Documentation Source: https://semgrep.dev/docs/kb/integrations [## 📄️ Customize Semgrep in pre-commitUnderstand how to customize Semgrep's behavior when using it with pre-commit. ](/docs/kb/integrations/customize-semgrep-precommit) --- # Documentation Source: https://semgrep.dev/docs/kb/rules [## 📄️ Change rule severity and other metadata by forking rulesChange rule severity and other metadata by forking rules ](/docs/kb/rules/changing-rule-severity-and-other-metadata) --- # Documentation Source: https://semgrep.dev/docs/kb/semgrep-appsec-platform [## 📄️ What does "Act on your behalf" mean?Understand GitHub authorization and permissions. ](/docs/kb/semgrep-appsec-platform/act-on-your-behalf) --- # Documentation Source: https://semgrep.dev/docs/kb/semgrep-assistant [## 📄️ Azure OpenAI: Error 429 - Max Tokens ExceededAzure OpenAI: Error 429 - Max Tokens Exceeded ](/docs/kb/semgrep-assistant/azure-openai-error-429) --- # Documentation Source: https://semgrep.dev/docs/kb/semgrep-ci [## 📄️ Semgrep with self-hosted Ubuntu runners in Azure PipelinesRun Semgrep on self-hosted Ubuntu runners in Azure DevOps. ](/docs/kb/semgrep-ci/azure-self-hosted-ubuntu) --- # Documentation Source: https://semgrep.dev/docs/kb/semgrep-code [## 📄️ Troubleshoot ValueError: Invalid header value errorTroubleshoot "invalid header value" errors in GitHub and Gitlab ](/docs/kb/semgrep-code/InvalidHeaderValue) --- # Documentation Source: https://semgrep.dev/docs/kb/semgrep-secrets [## 📄️ Why didn't Semgrep Secrets find these example secrets?Semgrep Secrets attempts to reduce false positives by bypassing common example secret patterns. ](/docs/kb/semgrep-secrets/no-example-secrets-found) --- # Documentation Source: https://semgrep.dev/docs/kb/semgrep-supply-chain [## 📄️ How to exclude a Semgrep Supply Chain rule from a scanExclude a Semgrep Supply Chain rule from a scan ](/docs/kb/semgrep-supply-chain/exclude-rule) --- # Documentation Source: https://semgrep.dev/docs/kb [## 🗃️ Semgrep Assistant2 items ](/docs/kb/semgrep-assistant) --- # C# support Source: https://semgrep.dev/docs/languages/csharp - [](/docs/)- [Scan](/docs/getting-started/quickstart)- Get started- Supported languages- C#**On this page- [Semgrep Code](/docs/tags/semgrep-code)- [Semgrep Supply Chain](/docs/tags/semgrep-supply-chain)- [c](/docs/tags/c)C# support tipSemgrep’s C# coverage leverages framework-specific analysis capabilities that are not present in Semgrep Community Edition (CE). As a result, many framework specific Pro rules will **fail** to return findings if run on Semgrep CE. To ensure full security coverage, run: `semgrep login && semgrep ci`. ## Semgrep Code analyses[​](#semgrep-code-analyses) - Interfile analysis (cross-file) - Interprocedural analysis (cross-function) - All analyses performed by [Semgrep Community Edition (CE)](#c-support-in-semgrep-ce) ## Coverage[​](#coverage) Semgrep aims to provide comprehensive and accurate detection of common OWASP Top 10 issues in source code. Semgrep uses **rules**, which are instructions based on which it detects patterns in code. These rules are usually organized in rulesets. By default, Semgrep Code provides you with the [** `p/comment`](https://semgrep.dev/p/comment) and [** `p/default`](https://semgrep.dev/p/default) rulesets. These rulesets provide the most accurate and comprehensive coverage across Semgrep's supported languages. Some examples of rules include: - [** CWE-89: SQL injection. Don't use formatted strings in SQL statements; prefer prepared statements](https://semgrep.dev/playground/r/csharp.lang.security.sqli.csharp-sqli.csharp-sqli?editorMode=advanced) - [** CWE-90: LDAP injection. Avoid LDAP queries constructed dynamically on user-controlled input](https://semgrep.dev/playground/r/csharp.dotnet.security.audit.ldap-injection.ldap-injection?editorMode=advanced) - [** CWE-347: Improper verification of cryptographic signature. Use signed security tokens](https://semgrep.dev/playground/r/csharp.lang.security.cryptography.unsigned-security-token.unsigned-security-token?editorMode=advanced) ## C# support in Semgrep Supply Chain[​](#c-support-in-semgrep-supply-chain) Semgrep Supply Chain is a software composition analysis (SCA) tool that detects security vulnerabilities in your codebase introduced by open source dependencies. ### Supported package managers[​](#supported-package-managers) Semgrep supports the following C# package manager: - NuGet ### Analyses and features[​](#analyses-and-features) The following analyses and features are available for C#: Reachability analysisReachability refers to whether or not a vulnerable code pattern from a dependency is used in the codebase that imports it. In Semgrep Supply Chain, both a dependency's vulnerable version and code pattern must match for a vulnerability to be considered reachable. License detectionSemgrep Supply Chain's **license compliance** feature enables you to explicitly allow or disallow (block) a package's use in your repository based on its license. For example, your company policy may disallow the use of packages with the Creative Commons Attribution-NonCommercial (CC-BY-NC) license. Semgrep can help enforce this restriction. Malicious dependency detectionSemgrep is able to detect malicious dependencies in your projects and in pull requests (PRs) or merge requests (MRs). SBOM generationSemgrep enables you to generate a software bill of materials (SBOM) to assess your third-party dependencies and comply with auditing procedures. Semgrep Supply Chain (SSC) can generate an SBOM for each repository you have added to Semgrep AppSec Platform. No need for lockfilesC# projects can be scanned **without** the need for lockfiles. See [Scan a project without lockfiles (beta)](/docs/semgrep-supply-chain/getting-started#scan-a-project-without-lockfiles-beta). ## C# support in Semgrep CE[​](#c-support-in-semgrep-ce) Semgrep CE is a fast, lightweight program analysis tool that can help you detect bugs in your code. It makes use of Semgrep's LGPL 2.1 open source engine. ### Analyses[​](#analyses) - Single-file, cross-function constant propagation - Single-function taint analysis - Semantic analysis ### Coverage[​](#coverage) tip - Check the `license` of a rule to ensure it meets your licensing requirements. See [Licensing](/docs/licensing) for more details. The Semgrep Registry provides the following C# rule sets: - [** `p/default`](https://semgrep.dev/p/default) - [** `p/csharp`](https://semgrep.dev/p/csharp) - [** `p/gitlab`](https://semgrep.dev/p/gitlab) Sample usage: `semgrep scan --config p/csharp`Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Semgrep Code](/docs/tags/semgrep-code)- [Semgrep Supply Chain](/docs/tags/semgrep-supply-chain)- [c](/docs/tags/c)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/languages/csharp.md)Last updated on **Sep 30, 2025** --- # Go support Source: https://semgrep.dev/docs/languages/go - [](/docs/)- [Scan](/docs/getting-started/quickstart)- Get started- Supported languages- Go**On this page- [Semgrep Code](/docs/tags/semgrep-code)- [Semgrep Supply Chain](/docs/tags/semgrep-supply-chain)- [go](/docs/tags/go)Go support tipSemgrep’s Go coverage leverages framework-specific analysis capabilities that are not present in Semgrep Community Edition (CE). As a result, many framework specific Pro rules will **fail** to return findings if run on Semgrep CE. To ensure full security coverage, run: `semgrep login && semgrep ci`. ## Semgrep Code analyses[​](#semgrep-code-analyses) - Interfile analysis (cross-file) - Interprocedural analysis (cross-function) - All analyses performed by [Semgrep Community Edition (CE)](#go-support-in-semgrep-ce) ## Coverage[​](#coverage) Semgrep aims to provide comprehensive and accurate detection of common OWASP Top 10 issues in source code. Semgrep uses **rules**, which are instructions based on which it detects patterns in code. These rules are usually organized in rulesets. By default, Semgrep Code provides you with the [** `p/comment`](https://semgrep.dev/p/comment) and [** `p/default`](https://semgrep.dev/p/default) rulesets. These rulesets provide the most accurate and comprehensive coverage across Semgrep's supported languages. Some examples of rules include: - [** CWE-89: SQL injection. Don't use user input to manually construct an SQL string](https://semgrep.dev/playground/r/go.aws-lambda.security.tainted-sql-string.tainted-sql-string?editorMode=advanced) - [** CWE-943: Improper neutralization of special elements in data query. Avoid NoSQL Injection in Mongo with Gin](https://semgrep.dev/playground/r/go.gin.nosql.gin-mongo-nosql-taint.gin-mongo-nosqli-taint?editorMode=advanced) ## Go support in Semgrep Supply Chain[​](#go-support-in-semgrep-supply-chain) Semgrep Supply Chain is a software composition analysis (SCA) tool that detects security vulnerabilities in your codebase introduced by open source dependencies. ### Supported package managers[​](#supported-package-managers) Semgrep supports the following Go package manager: - Go modules (`go.mod`) ### Analyses and features[​](#analyses-and-features) The following analyses and features are available for Go: Reachability analysisReachability refers to whether or not a vulnerable code pattern from a dependency is used in the codebase that imports it. In Semgrep Supply Chain, both a dependency's vulnerable version and code pattern must match for a vulnerability to be considered reachable. License detectionSemgrep Supply Chain's **license compliance** feature enables you to explicitly allow or disallow (block) a package's use in your repository based on its license. For example, your company policy may disallow the use of packages with the Creative Commons Attribution-NonCommercial (CC-BY-NC) license. Semgrep can help enforce this restriction. Malicious dependency detectionSemgrep is able to detect malicious dependencies in your projects and in pull requests (PRs) or merge requests (MRs). SBOM generationSemgrep enables you to generate a software bill of materials (SBOM) to assess your third-party dependencies and comply with auditing procedures. Semgrep Supply Chain (SSC) can generate an SBOM for each repository you have added to Semgrep AppSec Platform. ## Go support in Semgrep CE[​](#go-support-in-semgrep-ce) Semgrep CE is a fast, lightweight program analysis tool that can help you detect bugs in your code. It makes use of Semgrep's LGPL 2.1 open source engine. ### Analyses[​](#analyses) - Single-file, cross-function constant propagation - Single-function taint analysis - Semantic analysis ### Coverage[​](#coverage) tip - Check the `license` of a rule to ensure it meets your licensing requirements. See [Licensing](/docs/licensing) for more details. The Semgrep Registry provides the following Go rule sets: - [** `p/default`](https://semgrep.dev/p/default) - [** `p/golang`](https://semgrep.dev/p/golang) - [** `p/gosec`](https://semgrep.dev/p/gosec) Sample usage: `semgrep scan --config p/golang`Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Semgrep Code](/docs/tags/semgrep-code)- [Semgrep Supply Chain](/docs/tags/semgrep-supply-chain)- [go](/docs/tags/go)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/languages/go.md)Last updated on **Sep 30, 2025** --- # Java support Source: https://semgrep.dev/docs/languages/java - [](/docs/)- [Scan](/docs/getting-started/quickstart)- Get started- Supported languages- Java**On this page- [Semgrep Code](/docs/tags/semgrep-code)- [Semgrep Supply Chain](/docs/tags/semgrep-supply-chain)- [java](/docs/tags/java)Java support tipSemgrep’s Java coverage leverages framework-specific analysis capabilities that are not present in Semgrep Community Edition (CE). As a result, many framework specific Pro rules will **fail** to return findings if run on Semgrep CE. To ensure full security coverage, run: `semgrep login && semgrep ci`. ## Semgrep Code analyses[​](#semgrep-code-analyses) - [Language-specific analysis](/docs/semgrep-code/java) - Interfile analysis (cross-file) - Interprocedural analysis (cross-function) - All analyses performed by [Semgrep Community Edition (CE)](#java-support-in-semgrep-ce) ## Coverage[​](#coverage) Semgrep aims to provide comprehensive and accurate detection of common OWASP Top 10 issues in source code. Semgrep uses **rules**, which are instructions based on which it detects patterns in code. These rules are usually organized in rulesets. By default, Semgrep Code provides you with the [** `p/comment`](https://semgrep.dev/p/comment) and [** `p/default`](https://semgrep.dev/p/default) rulesets. These rulesets provide the most accurate and comprehensive coverage across Semgrep's supported languages. Some examples of rules include: - [** CWE-327: Use of a broken or risky cryptographic algorithm. Don't use the `none` algorithm](https://semgrep.dev/playground/r/java.java-jwt.security.jwt-none-alg.java-jwt-none-alg?editorMode=advanced) - [** CWE-78: OS command injection. Sanitize your variables before using them as input to a `java.lang.Runtime` call](https://semgrep.dev/playground/r/java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call?editorMode=advanced) ## Java support in Semgrep Supply Chain[​](#java-support-in-semgrep-supply-chain) Semgrep Supply Chain is a software composition analysis (SCA) tool that detects security vulnerabilities in your codebase introduced by open source dependencies. ### Supported package managers[​](#supported-package-managers) Semgrep supports the following Java package managers: - Gradle - Maven ### Analyses and features[​](#analyses-and-features) The following analyses and features are available for Java: Reachability analysisReachability refers to whether or not a vulnerable code pattern from a dependency is used in the codebase that imports it. In Semgrep Supply Chain, both a dependency's vulnerable version and code pattern must match for a vulnerability to be considered reachable. License detectionSemgrep Supply Chain's **license compliance** feature enables you to explicitly allow or disallow (block) a package's use in your repository based on its license. For example, your company policy may disallow the use of packages with the Creative Commons Attribution-NonCommercial (CC-BY-NC) license. SBOM generationSemgrep enables you to generate a software bill of materials (SBOM) to assess your third-party dependencies and comply with auditing procedures. Semgrep Supply Chain (SSC) can generate an SBOM for each repository you have added to Semgrep AppSec Platform. No need for lockfilesJava projects can be scanned **without** the need for lockfiles. See [Scan a project without lockfiles (beta)](/docs/semgrep-supply-chain/getting-started#scan-a-project-without-lockfiles-beta). ## Java support in Semgrep CE[​](#java-support-in-semgrep-ce) Semgrep CE is a fast, lightweight program analysis tool that can help you detect bugs in your code. It makes use of Semgrep's LGPL 2.1 open source engine. ### Analyses[​](#analyses) - Single-file, cross-function constant propagation - Single-function taint analysis - Semantic analysis ### Coverage[​](#coverage) tip - Check the `license` of a rule to ensure it meets your licensing requirements. See [Licensing](/docs/licensing) for more details. The Semgrep Registry provides the following Java rulesets: - [** `p/default`](https://semgrep.dev/p/default) - [** `p/java`](https://semgrep.dev/p/java) - [** `p/findsecbugs`](https://semgrep.dev/p/findsecbugs) Sample usage: `semgrep scan --config p/java`Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Semgrep Code](/docs/tags/semgrep-code)- [Semgrep Supply Chain](/docs/tags/semgrep-supply-chain)- [java](/docs/tags/java)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/languages/java.md)Last updated on **Sep 30, 2025** --- # JavaScript support Source: https://semgrep.dev/docs/languages/javascript - [](/docs/)- [Scan](/docs/getting-started/quickstart)- Get started- Supported languages- JavaScript**On this page- [Semgrep Code](/docs/tags/semgrep-code)- [Semgrep Supply Chain](/docs/tags/semgrep-supply-chain)- [Node.js](/docs/tags/node-js)- [javascript](/docs/tags/javascript)JavaScript support tipSemgrep’s JavaScript coverage leverages framework-specific analysis capabilities that are not present in Semgrep Community Edition (CE). As a result, many framework specific Pro rules will **fail** to return findings if run on Semgrep CE. To ensure full security coverage, run: `semgrep login && semgrep ci`. ## JavaScript support in Semgrep Code[​](#javascript-support-in-semgrep-code) Semgrep Code is a static application security testing (SAST) tool that detects security vulnerabilities in your first-party code. ### Analyses and frameworks[​](#analyses-and-frameworks) - Framework-specific control flow analysis - Interfile analysis (cross-file) - Interprocedural analysis (cross-function) - All analyses performed by [Semgrep Community Edition (CE)](#javascript-support-in-semgrep-ce) ### Coverage[​](#coverage) Semgrep aims to provide comprehensive and accurate detection of common OWASP Top 10 issues in source code. Semgrep uses **rules**, which are instructions based on which it detects patterns in code. These rules are usually organized in rulesets. By default, Semgrep Code provides you with the [** `p/comment`](https://semgrep.dev/p/comment) and [** `p/default`](https://semgrep.dev/p/default) rulesets. These rulesets provide the most accurate and comprehensive coverage across Semgrep's supported languages. In addition to rules, the Semgrep engine itself can analyze code and implicit dataflows in the context of the following supported frameworks: Supported frameworksType of frameworkExpressWeb frameworkKoaWeb frameworkHapiWeb frameworkNestJSWeb frameworkNextJSWeb framework **Semgrep Code supports 50+ libraries & frameworks based on their overall popularity.**Supported librariesType of library`axios`Network library`nodemail`Network library`node-fetch`Network library`needle`Network library`http`Network library`https`Network library`net`Network library`http2`Network library`got`Network library`request`Network library`marked`Markdown library`dot`Template engine`child-process`OS interaction library`nestjs`Web framework`express`Web framework`koa`Web framework`hapi`Web framework`sqlite`Database library`sqlite3`Database library`typeorm`Database library`mongoose`Database library`mongodb`Database library`knex`Database library`mikro-orm`Database library`@mikro-orm/core`Database library`@mikro-orm/better-sqlite`Database library`@mikro-orm/entity-generator`Database library`@mikro-orm/knex`Database library`@mikro-orm/libsql`Database library`@mikro-orm/mariadb`Database library`@mikro-orm/migrations-mongodb`Database library`@mikro-orm/migrations`Database library`@mikro-orm/mongodb`Database library`@mikro-orm/mssql`Database library`@mikro-orm/mysql`Database library`@mikro-orm/postgresql`Database library`@mikro-orm/reflection`Database library`@mikro-orm/seeder`Database library`@mikro-orm/sqlite`Database library`pg`Database library`pg-native`Database library`pg-pool`Database library`mysql`Database library`mysql2`Database library`sequelize`Database library`libxml`XML parsing library`xpath`XML parsing library`puppeteer`Library with code execution capabilities`vm2`Library with code execution capabilities`vm`Library with code execution capabilities`rimraf`File System Library`papaparse`File system library`fs-extra`File system library`fs`File system library`sharp`File system library`path`File system library`webcrypto`Cryptographic library`crypto`Cryptographic library`http-body`Express middleware`cors`Express middleware`express-session`Express middleware`helmet`Express middleware`@koa/cors`Koa middleware`lodash`Utility library`validator`String validation library`escape-string-regexp`String sanitization library`date-fns`Date manipulation library`moment`Date manipulation library`luxon`Date manipulation library`dayjsfns`Date manipulation library`mongo-sanitize`String sanitization library`express-mongo-sanitize`String sanitization library #### Benchmark results exclusive of [AI](/docs/semgrep-assistant/overview) processing[​](#benchmark-results-exclusive-of-ai-processing) Semgrep's benchmarking process involves scanning open source repositories, triaging the findings, and making iterative rule updates. This process was developed and is used internally by the Semgrep security research team to monitor and improve rule performance. Results as of **February 25, 2025**: BenchmarkValueTrue positive rate (before AI processing) for latest `p/default` ruleset63%Lines of code scanned~8 millionRepositories scanned153Findings triaged to date~600 ## JavaScript support in Semgrep Supply Chain[​](#javascript-support-in-semgrep-supply-chain) Semgrep Supply Chain is a software composition analysis (SCA) tool that detects security vulnerabilities in your codebase introduced by open source dependencies. ### Supported package managers[​](#supported-package-managers) Semgrep supports the following JavaScript package managers: - npm - Yarn - pnpm ### Analyses and features[​](#analyses-and-features) The following analyses and features are available for JavaScript: Reachability analysisReachability refers to whether or not a vulnerable code pattern from a dependency is used in the codebase that imports it. In Semgrep Supply Chain, both a dependency's vulnerable version and code pattern must match for a vulnerability to be considered reachable. License detectionSemgrep Supply Chain's **license compliance** feature enables you to explicitly allow or disallow (block) a package's use in your repository based on its license. For example, your company policy may disallow the use of packages with the Creative Commons Attribution-NonCommercial (CC-BY-NC) license. Semgrep can help enforce this restriction. Malicious dependency detectionSemgrep is able to detect malicious dependencies in your projects and in pull requests (PRs) or merge requests (MRs). SBOM generationSemgrep enables you to generate a software bill of materials (SBOM) to assess your third-party dependencies and comply with auditing procedures. Semgrep Supply Chain (SSC) can generate an SBOM for each repository you have added to Semgrep AppSec Platform. ## JavaScript support in Semgrep CE[​](#javascript-support-in-semgrep-ce) Semgrep CE is a fast, lightweight program analysis tool that can help you detect bugs in your code. It makes use of Semgrep's LGPL 2.1 open source engine. ### Analyses[​](#analyses) - Single-file, cross-function constant propagation - Single-function taint analysis - Semantic analysis ### Coverage[​](#coverage) tip - Check the `license` of a rule to ensure it meets your licensing requirements. See [Licensing](/docs/licensing) for more details. The Semgrep Registry provides the following JavaScript rulesets: - [** `p/javascript`](https://semgrep.dev/p/javascript) - [** `p/eslint`](https://semgrep.dev/p/eslint) - [** `p/expressjs`](https://semgrep.dev/p/expressjs) - [** `p/hapi`](https://semgrep.dev/p/hapi) - [** `p/headless-browser`](https://semgrep.dev/p/headless-browser) - [** `p/koa`](https://semgrep.dev/p/koa) - [** `p/nextjs`](https://semgrep.dev/p/nextjs) - [** `p/nestjs`](https://semgrep.dev/p/nestjs) - [** `p/nodejs`](https://semgrep.dev/p/nodejs) - [** `p/typescript`](https://semgrep.dev/p/typescript) Sample usage: `semgrep scan --config p/javascript`Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Semgrep Code](/docs/tags/semgrep-code)- [Semgrep Supply Chain](/docs/tags/semgrep-supply-chain)- [Node.js](/docs/tags/node-js)- [javascript](/docs/tags/javascript)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/languages/javascript.md)Last updated on **Sep 30, 2025** --- # Kotlin support Source: https://semgrep.dev/docs/languages/kotlin - [](/docs/)- [Scan](/docs/getting-started/quickstart)- Get started- Supported languages- Kotlin**On this page- [Semgrep Code](/docs/tags/semgrep-code)- [Semgrep Supply Chain](/docs/tags/semgrep-supply-chain)- [kotlin](/docs/tags/kotlin)Kotlin support tipSemgrep’s Kotlin coverage leverages framework-specific analysis capabilities that are not present in Semgrep Community Edition (CE). As a result, many framework specific Pro rules will **fail** to return findings if run on Semgrep CE. To ensure full security coverage, run: `semgrep login && semgrep ci`. ## Semgrep Code analyses[​](#semgrep-code-analyses) - Interfile analysis (cross-file) - Interprocedural analysis (cross-function) - All analyses performed by [Semgrep Community Edition (CE)](#kotlin-support-in-semgrep-ce) ## Coverage[​](#coverage) Semgrep aims to provide comprehensive and accurate detection of common OWASP Top 10 issues in source code. Semgrep uses **rules**, which are instructions based on which it detects patterns in code. These rules are usually organized in rulesets. By default, Semgrep Code provides you with the [** `p/comment`](https://semgrep.dev/p/comment) and [** `p/default`](https://semgrep.dev/p/default) rulesets. These rulesets provide the most accurate and comprehensive coverage across Semgrep's supported languages. The following is an example of a Kotlin rule: - [** CWE-327: Use of a broken or risky cryptographic algorithm. NullCipher does not encrypt anything; avoid](https://semgrep.dev/playground/r/kotlin.lang.security.no-null-cipher.no-null-cipher?editorMode=advanced) Many, but not all Kotlin rules require a Semgrep account. Sign in to Semgrep AppSec Platform to view this rule: - [** CWE-776: XML entity expansion. Securely configure your XML parser](https://semgrep.dev/orgs/-/editor/r/kotlin.xxe.xmlreader-xxe.xmlreader-xxe?editorMode=advanced) ## Kotlin support in Semgrep Supply Chain[​](#kotlin-support-in-semgrep-supply-chain) Semgrep Supply Chain is a software composition analysis (SCA) tool that detects security vulnerabilities in your codebase introduced by open source dependencies. No need for lockfilesKotlin projects can be scanned **without** the need for lockfiles. See [Scan a project without lockfiles (beta)](/docs/semgrep-supply-chain/getting-started#scan-a-project-without-lockfiles-beta). ### Supported package managers[​](#supported-package-managers) Semgrep supports the following Kotlin package managers: - Gradle - Maven ### Analyses and features[​](#analyses-and-features) The following analyses and features are available for Kotlin: Reachability analysisReachability refers to whether or not a vulnerable code pattern from a dependency is used in the codebase that imports it. In Semgrep Supply Chain, both a dependency's vulnerable version and code pattern must match for a vulnerability to be considered reachable. License detectionSemgrep Supply Chain's **license compliance** feature enables you to explicitly allow or disallow (block) a package's use in your repository based on its license. For example, your company policy may disallow the use of packages with the Creative Commons Attribution-NonCommercial (CC-BY-NC) license. SBOM generationSemgrep enables you to generate a software bill of materials (SBOM) to assess your third-party dependencies and comply with auditing procedures. Semgrep Supply Chain (SSC) can generate an SBOM for each repository you have added to Semgrep AppSec Platform. ## Kotlin support in Semgrep CE[​](#kotlin-support-in-semgrep-ce) Semgrep CE is a fast, lightweight program analysis tool that can help you detect bugs in your code. It makes use of Semgrep's LGPL 2.1 open source engine. ### Analyses[​](#analyses) - Single-file, cross-function constant propagation - Single-function taint analysis - Semantic analysis ### Coverage[​](#coverage) tip - Check the `license` of a rule to ensure it meets your licensing requirements. See [Licensing](/docs/licensing) for more details. The Semgrep Registry provides the following Kotlin rule sets (many rules require a Semgrep account): - [** `p/default`](https://semgrep.dev/p/default) - [** `p/kotlin`](https://semgrep.dev/p/kotlin) Sample usage: `semgrep scan --config p/kotlin`Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Semgrep Code](/docs/tags/semgrep-code)- [Semgrep Supply Chain](/docs/tags/semgrep-supply-chain)- [kotlin](/docs/tags/kotlin)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/languages/kotlin.md)Last updated on **Sep 30, 2025** --- # Python support Source: https://semgrep.dev/docs/languages/python - [](/docs/)- [Scan](/docs/getting-started/quickstart)- Get started- Supported languages- Python**On this page- [Semgrep Code](/docs/tags/semgrep-code)- [python](/docs/tags/python)Python support tipSemgrep’s Python coverage leverages framework-specific analysis capabilities that are not present in Semgrep Community Edition (CE). As a result, many framework specific Pro rules will **fail** to return findings if run on Semgrep CE. To ensure full security coverage, run: `semgrep login && semgrep ci`. ## Python support in Semgrep Code[​](#python-support-in-semgrep-code) Semgrep Code is a static application security testing (SAST) tool that detects security vulnerabilities in your first-party code. ### Analyses and frameworks[​](#analyses-and-frameworks) - Framework-specific control flow analysis - Interfile analysis (cross-file) - Interprocedural analysis (cross-function) - All analyses performed by [Semgrep Community Edition (CE)](#python-support-in-semgrep-ce) ## Coverage[​](#coverage) Semgrep aims to provide comprehensive and accurate detection of common OWASP Top 10 issues in source code. Semgrep uses **rules**, which are instructions based on which it detects patterns in code. These rules are usually organized in rulesets. By default, Semgrep Code provides you with the [** `p/comment`](https://semgrep.dev/p/comment) and [** `p/default`](https://semgrep.dev/p/default) rulesets. These rulesets provide the most accurate and comprehensive coverage across Semgrep's supported languages. In addition to rules, the Semgrep engine itself can analyze code and implicit dataflows in the context of the following supported frameworks: **Framework / library****Category**DjangoWeb frameworkFlaskWeb frameworkFastAPIWeb framework **In addition, Semgrep Code supports 100+ libraries & frameworks based on their overall popularity.**NoLibraryCategory0bcryptCryptographic Library1cryptographyCryptographic Library2passlibCryptographic Library3pycryptoCryptographic Library4pycryptodomeCryptographic Library5pycryptodomexCryptographic Library6rsaCryptographic Library7aiomysqlDatabase Library8aiopgDatabase Library9aiosqliteDatabase Library10djangoDatabase Library11djangoormDatabase Library12mysql-connectorDatabase Library13mysqldbDatabase Library14peeweeDatabase Library15pep249Database Library16ponyormDatabase Library17psycopg2Database Library18pymongoDatabase Library19pymssqlDatabase Library20pymysqlDatabase Library21pyodbcDatabase Library22sqlalchemyDatabase Library23sqlobjectDatabase Library24dillDeserialization Library25joblibDeserialization Library26jsonpickleDeserialization Library27langDeserialization Library28numpyDeserialization Library29pandasDeserialization Library30pyyamlDeserialization Library31ruamelDeserialization Library32ruamel.yamlDeserialization Library33torchDeserialization Library34aiofileFile System Library35djangoFile System Library36fileinputFile System Library37fsFile System Library38ioFile System Library39linecacheFile System Library40openpyxlFile System Library41osFile System Library42pickleshareFile System Library43pillowFile System Library44shelveFile System Library45shutilFile System Library46stdlibFile System Library47stdlib2File System Library48stdlib3File System Library49tempfileFile System Library50tomlFile System Library51ldap3LDAP Library52stdlibLibrary With Code Execution Capabilities53stdlib2Library With Code Execution Capabilities54stdlib3Library With Code Execution Capabilities55aiohttpNetwork Library56boto3Network Library57botocoreNetwork Library58httplib2Network Library59httpxNetwork Library60paramikoNetwork Library61pycurlNetwork Library62requestsNetwork Library63urllib3Network Library64commandsOS Interaction Library65dotenvOS Interaction Library66osOS Interaction Library67paramikoOS Interaction Library68popen2OS Interaction Library69stdlibOS Interaction Library70stdlib2OS Interaction Library71stdlib3OS Interaction Library72subprocessOS Interaction Library73libxml2Regex Library74reRegex Library75regexRegex Library76stdlibRegex Library77stdlib2Regex Library78stdlib3Regex Library79aws-lambdaServerless Framework80aiohttpWeb Framework81cherrypyWeb Framework82djangoWeb Framework83django-crispy-formsWeb Framework84django_allauthWeb Framework85django_channelsWeb Framework86django_rest_frameworkapiWeb Framework87fastapiWeb Framework88flaskWeb Framework89flask-jwt-extendedWeb Framework90flask-loginWeb Framework91flask-sessionWeb Framework92flask-talismanWeb Framework93flask-wtfWeb Framework94langWeb Framework95pyramidWeb Framework96starletteWeb Framework97wtformsWeb Framework98libxml2XML Parsing Library99lxmlXML Parsing Library100saxXML Parsing Library101stdlibXML Parsing Library102stdlib2XML Parsing Library103stdlib3XML Parsing Library104xmlXML Parsing Library105xml.domXML Parsing Library106xml.dom.minidomXML Parsing Library107xml.dom.pulldomXML Parsing Library108xml.etreeXML Parsing Library109xml.saxXML Parsing Library ### Benchmark results exclusive of [AI](https://semgrep.dev/docs/semgrep-assistant/overview) processing[​](#benchmark-results-exclusive-of-ai-processing) Semgrep's benchmarking process involves scanning open source repositories, triaging the findings, and making iterative rule updates. This process was developed and is used internally by the Semgrep security research team to monitor and improve rule performance. Results as of **September 9, 2024**: Benchmark true positive rate (before AI processing) for latest ruleset**84%**Lines of code scanned**~20 million**Repositories scanned**192**Findings triaged to date**~1000** ## Python support in Semgrep Supply Chain[​](#python-support-in-semgrep-supply-chain) Semgrep Supply Chain is a software composition analysis (SCA) tool that detects security vulnerabilities in your codebase introduced by open source dependencies. No need for lockfilesSome Python projects can be scanned **without** the need for lockfiles. See [Scan a project without lockfiles (beta)](/docs/semgrep-supply-chain/getting-started#scan-a-project-without-lockfiles-beta). ### Supported package managers[​](#supported-package-managers) Semgrep supports the following Python package managers: - pip - pip-tools - Pipenv - Poetry - uv ### Analyses and features[​](#analyses-and-features) The following analyses and features are available for Python: Reachability analysisReachability refers to whether or not a vulnerable code pattern from a dependency is used in the codebase that imports it. In Semgrep Supply Chain, both a dependency's vulnerable version and code pattern must match for a vulnerability to be considered reachable. License detectionSemgrep Supply Chain's **license compliance** feature enables you to explicitly allow or disallow (block) a package's use in your repository based on its license. For example, your company policy may disallow the use of packages with the Creative Commons Attribution-NonCommercial (CC-BY-NC) license. Semgrep can help enforce this restriction. Malicious dependency detectionSemgrep is able to detect malicious dependencies in your projects and in pull requests (PRs) or merge requests (MRs). SBOM generationSemgrep enables you to generate a software bill of materials (SBOM) to assess your third-party dependencies and comply with auditing procedures. Semgrep Supply Chain (SSC) can generate an SBOM for each repository you have added to Semgrep AppSec Platform. ## Python support in Semgrep CE[​](#python-support-in-semgrep-ce) Semgrep CE is a fast, lightweight program analysis tool that can help you detect bugs in your code. It makes use of Semgrep's LGPL 2.1 open source engine. ### Analyses[​](#analyses) - Single-file, cross-function constant propagation - Single-function taint analysis - Semantic analysis ### Coverage[​](#coverage) tip - Check the `license` of a rule to ensure it meets your licensing requirements. See [Licensing](/docs/licensing) for more details. The Semgrep Registry provides the following JavaScript rulesets: - [** `p/default`](https://semgrep.dev/p/default) - [** `p/python`](https://semgrep.dev/p/python) - [** `p/trailofbits`](https://semgrep.dev/p/trailofbits) - [** `p/xss`](https://semgrep.dev/p/trailofbits) Sample usage: `semgrep scan --config p/python`Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Semgrep Code](/docs/tags/semgrep-code)- [python](/docs/tags/python)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/languages/python.md)Last updated on **Sep 30, 2025** --- # Ruby support Source: https://semgrep.dev/docs/languages/ruby - [](/docs/)- [Scan](/docs/getting-started/quickstart)- Get started- Supported languages- Ruby**On this page- [Semgrep Code](/docs/tags/semgrep-code)- [Semgrep Supply Chain](/docs/tags/semgrep-supply-chain)- [ruby](/docs/tags/ruby)Ruby support tipSemgrep’s Ruby coverage leverages framework-specific analysis capabilities that are not present in Semgrep Community Edition (CE). As a result, many framework specific Pro rules will **fail** to return findings if run on Semgrep CE. To ensure full security coverage, run: `semgrep login && semgrep ci`. ## Semgrep Code analyses[​](#semgrep-code-analyses) - Interprocedural analysis (cross-function) - All analyses performed by [Semgrep Community Edition (CE)](#ruby-support-in-semgrep-ce) ## Coverage[​](#coverage) Semgrep aims to provide comprehensive and accurate detection of common OWASP Top 10 issues in source code. Semgrep uses **rules**, which are instructions based on which it detects patterns in code. These rules are usually organized in rulesets. By default, Semgrep Code provides you with the [** `p/comment`](https://semgrep.dev/p/comment) and [** `p/default`](https://semgrep.dev/p/default) rulesets. These rulesets provide the most accurate and comprehensive coverage across Semgrep's supported languages. Some examples of rules include: - [** CWE-502: Deserialization of untrusted data. Using `load` and `object_load` can cause remote code execution; use JSON securely instead](https://semgrep.dev/playground/r/ruby.lang.security.bad-deserialization.bad-deserialization?editorMode=advanced) - [** CWE-185: Incorrect regular expression. Incorrectly-bounded regex should be terminated correctly](https://semgrep.dev/playground/r/ruby.rails.security.brakeman.check-validation-regex.check-validation-regex?editorMode=advanced) ## Ruby support in Semgrep Supply Chain[​](#ruby-support-in-semgrep-supply-chain) Semgrep Supply Chain is a software composition analysis (SCA) tool that detects security vulnerabilities in your codebase introduced by open source dependencies. ### Supported package managers[​](#supported-package-managers) Semgrep supports the following Ruby package manager: - RubyGems ### Analyses and features[​](#analyses-and-features) The following analyses and features are available for Ruby: Reachability analysisReachability refers to whether or not a vulnerable code pattern from a dependency is used in the codebase that imports it. In Semgrep Supply Chain, both a dependency's vulnerable version and code pattern must match for a vulnerability to be considered reachable. License detectionSemgrep Supply Chain's **license compliance** feature enables you to explicitly allow or disallow (block) a package's use in your repository based on its license. For example, your company policy may disallow the use of packages with the Creative Commons Attribution-NonCommercial (CC-BY-NC) license. Semgrep can help enforce this restriction. Malicious dependency detectionSemgrep is able to detect malicious dependencies in your projects and in pull requests (PRs) or merge requests (MRs). SBOM generationSemgrep enables you to generate a software bill of materials (SBOM) to assess your third-party dependencies and comply with auditing procedures. Semgrep Supply Chain (SSC) can generate an SBOM for each repository you have added to Semgrep AppSec Platform. ## Ruby support in Semgrep CE[​](#ruby-support-in-semgrep-ce) Semgrep CE is a fast, lightweight program analysis tool that can help you detect bugs in your code. It makes use of Semgrep's LGPL 2.1 open source engine. ### Analyses[​](#analyses) - Single-file, cross-function constant propagation - Single-function taint analysis - Semantic analysis ### Coverage[​](#coverage) tip - Check the `license` of a rule to ensure it meets your licensing requirements. See [Licensing](/docs/licensing) for more details. The Semgrep Registry provides the following Ruby rulesets: - [** `p/default`](https://semgrep.dev/p/default) - [** `p/ruby`](https://semgrep.dev/p/ruby) - [** `p/brakeman`](https://semgrep.dev/p/brakeman) Sample usage: `semgrep scan --config p/ruby`Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Semgrep Code](/docs/tags/semgrep-code)- [Semgrep Supply Chain](/docs/tags/semgrep-supply-chain)- [ruby](/docs/tags/ruby)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/languages/ruby.md)Last updated on **Sep 30, 2025** --- # Scala support Source: https://semgrep.dev/docs/languages/scala - [](/docs/)- [Scan](/docs/getting-started/quickstart)- Get started- Supported languages- Scala**On this page- [Semgrep Code](/docs/tags/semgrep-code)- [Semgrep Supply Chain](/docs/tags/semgrep-supply-chain)- [scala](/docs/tags/scala)Scala support tipSemgrep’s Scala coverage leverages framework-specific analysis capabilities that are not present in Semgrep Community Edition (CE). As a result, many framework specific Pro rules will **fail** to return findings if run on Semgrep CE. To ensure full security coverage, run: `semgrep login && semgrep ci`. ## Semgrep Code analyses[​](#semgrep-code-analyses) - Interprocedural analysis (cross-function) - All analyses performed by [Semgrep Community Edition (CE)](#scala-support-in-semgrep-ce) ## Coverage[​](#coverage) Semgrep aims to provide comprehensive and accurate detection of common OWASP Top 10 issues in source code. Semgrep uses **rules**, which are instructions based on which it detects patterns in code. These rules are usually organized in rulesets. By default, Semgrep Code provides you with the [** `p/comment`](https://semgrep.dev/p/comment) and [** `p/default`](https://semgrep.dev/p/default) rulesets. These rulesets provide the most accurate and comprehensive coverage across Semgrep's supported languages. Some examples of rules include: - [** CWE-89: SQL injection. Avoid using unsanitized user input when generating SQL strings](https://semgrep.dev/playground/r/scala.play.security.tainted-slick-sqli.tainted-slick-sqli?editorMode=advanced) - [** CWE-78: OS command injection. Sanitize variables that are used in external processes.](https://semgrep.dev/playground/r/scala.lang.security.audit.dangerous-seq-run.dangerous-seq-run) ## Scala support in Semgrep Supply Chain[​](#scala-support-in-semgrep-supply-chain) Semgrep Supply Chain is a software composition analysis (SCA) tool that detects security vulnerabilities in your codebase introduced by open source dependencies. ### Supported package managers[​](#supported-package-managers) Semgrep supports the following Scala package manager: - Maven ### Analyses and features[​](#analyses-and-features) The following analyses and features are available for Scala: Reachability analysisReachability refers to whether or not a vulnerable code pattern from a dependency is used in the codebase that imports it. In Semgrep Supply Chain, both a dependency's vulnerable version and code pattern must match for a vulnerability to be considered reachable. License detectionSemgrep Supply Chain's **license compliance** feature enables you to explicitly allow or disallow (block) a package's use in your repository based on its license. For example, your company policy may disallow the use of packages with the Creative Commons Attribution-NonCommercial (CC-BY-NC) license. SBOM generationSemgrep enables you to generate a software bill of materials (SBOM) to assess your third-party dependencies and comply with auditing procedures. Semgrep Supply Chain (SSC) can generate an SBOM for each repository you have added to Semgrep AppSec Platform. ## Scala support in Semgrep CE[​](#scala-support-in-semgrep-ce) Semgrep CE is a fast, lightweight program analysis tool that can help you detect bugs in your code. It makes use of Semgrep's LGPL 2.1 open source engine. ### Analyses[​](#analyses) - Single-file, cross-function constant propagation - Single-function taint analysis - Semantic analysis ### Coverage[​](#coverage) tip - Check the `license` of a rule to ensure it meets your licensing requirements. See [Licensing](/docs/licensing) for more details. The Semgrep Registry provides the following Scala rule sets: tk - [** `p/default`](https://semgrep.dev/p/default) - [** `p/scala`](https://semgrep.dev/p/scala) Sample usage: `semgrep scan --config p/scala`Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Semgrep Code](/docs/tags/semgrep-code)- [Semgrep Supply Chain](/docs/tags/semgrep-supply-chain)- [scala](/docs/tags/scala)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/languages/scala.md)Last updated on **Sep 30, 2025** --- # Swift support Source: https://semgrep.dev/docs/languages/swift - [](/docs/)- [Scan](/docs/getting-started/quickstart)- Get started- Supported languages- Swift**On this page- [Semgrep Code](/docs/tags/semgrep-code)- [Semgrep Supply Chain](/docs/tags/semgrep-supply-chain)- [swift](/docs/tags/swift)Swift support tipSemgrep’s Swift coverage leverages framework-specific analysis capabilities that are not present in Semgrep Community Edition (CE). As a result, many framework specific Pro rules will **fail** to return findings if run on Semgrep CE. To ensure full security coverage, run: `semgrep login && semgrep ci`. ## Semgrep Code analyses[​](#semgrep-code-analyses) - Interprocedural analysis (cross-function) - All analyses performed by [Semgrep Community Edition (CE)](#swift-support-in-semgrep-ce) ## Coverage[​](#coverage) Semgrep aims to provide comprehensive and accurate detection of common OWASP Top 10 issues in source code. Semgrep uses **rules**, which are instructions based on which it detects patterns in code. These rules are usually organized in rulesets. By default, Semgrep Code provides you with the [** `p/comment`](https://semgrep.dev/p/comment) and [** `p/default`](https://semgrep.dev/p/default) rulesets. These rulesets provide the most accurate and comprehensive coverage across Semgrep's supported languages. Some examples of rules include: - [** CWE-477: Use of obsolete function. `ptrace` API is forbidden from iOS applications](https://semgrep.dev/orgs/-/editor/r/swift.lang.forbidden.forbidden-ios-api.swift-forbidden-ios-apis?editorMode=advanced) - [** CWE-327: Use of a broken or risky cryptographic algorithm. Avoid MD2](https://semgrep.dev/orgs/-/editor/r/swift.commoncrypto.insecure-hashing-algorithm-md2.insecure-hashing-algorithm-md2?editorMode=advanced) To view these rules, sign in to Semgrep AppSec Platform. ## Swift support in Semgrep Supply Chain[​](#swift-support-in-semgrep-supply-chain) Semgrep Supply Chain is a software composition analysis (SCA) tool that detects security vulnerabilities in your codebase introduced by open source dependencies. ### Supported package managers[​](#supported-package-managers) Semgrep supports the following Swift package manager: - SwiftPM ### Analyses and features[​](#analyses-and-features) The following analyses and features are available for Swift: Reachability analysisReachability refers to whether or not a vulnerable code pattern from a dependency is used in the codebase that imports it. In Semgrep Supply Chain, both a dependency's vulnerable version and code pattern must match for a vulnerability to be considered reachable. License detectionSemgrep Supply Chain's **license compliance** feature enables you to explicitly allow or disallow (block) a package's use in your repository based on its license. For example, your company policy may disallow the use of packages with the Creative Commons Attribution-NonCommercial (CC-BY-NC) license. SBOM generationSemgrep enables you to generate a software bill of materials (SBOM) to assess your third-party dependencies and comply with auditing procedures. Semgrep Supply Chain (SSC) can generate an SBOM for each repository you have added to Semgrep AppSec Platform. Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Semgrep Code](/docs/tags/semgrep-code)- [Semgrep Supply Chain](/docs/tags/semgrep-supply-chain)- [swift](/docs/tags/swift)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/languages/swift.md)Last updated on **Sep 30, 2025** --- # Semgrep Learning Guides Source: https://semgrep.dev/docs/learn - [](/docs/)- [Learning guides](/docs/learn)- Application Security- OverviewSemgrep Learning GuidesThis section is all about learning the concepts behind **Application Security** and **Secure Coding** with guided tutorials. Whether a seasoned security engineer looking for resources to share with your teams, a developer looking to improve code quality, or just getting started in cybersecurity, we hope you find these guides helpful. [###### Security FoundationsLearn the fundamentals for how Static Analysis Security Testing (SAST) and Software Composition Analysis (SCA) work and why it matters. ](/docs/learn/security-foundations/sast/overview)[###### VulnerabilitiesDeep dive into common security risks with code samples for what issues like SQL injection, Cross-Site Scripting, Open Redirects, and more look like. ](/docs/learn/vulnerabilities/overview)[###### Secure CodingLearn how to write code that's secure by design for popular programming languages with cheat sheets to use as a reference. ](/docs/cheat-sheets/overview)[###### Semgrep AcademyLearn core security concepts by viewing video courses led by experts in the field.** ](https://academy.semgrep.dev)Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. [Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/learn/overview.md)Last updated on Sep 30, 2025** --- # Licensing Source: https://semgrep.dev/docs/licensing - [](/docs/)- [Support & resources](/docs/trophy-case)- Licensing**On this page- [Support](/docs/tags/support)Licensing The following is a list of products offered by Semgrep, Inc., along with their license information. Semgrep RegistryThe [Semgrep Registry](https://semgrep.dev/explore) is a collection of rules and rulesets: - All rules, which includes both Community and Pro rules, listed in the [semgrep-rules](https://github.com/semgrep/semgrep-rules) repository are licensed under [Semgrep Rules License v.1.0](https://semgrep.dev/legal/rules-license). They are available only for internal business use. Vendors cannot use Semgrep-maintained rules in competing products or SaaS offerings. Individuals, security consultants, and companies are welcome to use the rules internally. - Rules from third-party repositories in the [Semgrep Registry](https://semgrep.dev/explore) inherit the licenses of their source repositories. These licenses are displayed within the rule definition in the editor. For example: [Rules written by Trail of Bits](https://semgrep.dev/p/trailofbits) security experts licensed under AGPL-3.0 license.Semgrep AppSec PlatformProprietary. See [Terms of Service](https://semgrep.dev/terms).Semgrep Code Proprietary. See [Terms of Service](https://semgrep.dev/terms).Semgrep SecretsProprietary. See [Terms of Service](https://semgrep.dev/terms).Semgrep Supply ChainProprietary. See [Terms of Service](https://semgrep.dev/terms).Semgrep Community Edition (CE)The Semgrep CE engine is an open source project licensed under [LGPL 2.1](https://github.com/semgrep/semgrep/blob/develop/LICENSE). The proprietary extension of Semgrep CE is Semgrep Code, see also [Terms of Service](https://semgrep.dev/terms). ## License Semgrep for use[​](#license-semgrep-for-use) If you are interested in using Semgrep products for your own solutions and code analysis tools, send us an email at [partnerships@semgrep.com](mailto:partnerships@semgrep.com) Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Support](/docs/tags/support)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/licensing.md)Last updated on **Nov 25, 2025** --- # Semgrep - Official llms.txt Reference Source: https://semgrep.dev/llms.txt --- # Semgrep > Make it expensive to exploit software. ## Documentation - [docs](https://semgrep.dev/docs/) - [api docs](https://semgrep.dev/api/v1/docs/) - [rule registry](https://semgrep.dev/registry) - [github repo](https://github.com/semgrep/semgrep) ## MCP - [official mcp server](https://github.com/semgrep/mcp) ## Key Features - Static analysis with pattern-matching for custom security rules - Support for multiple programming languages - Flexible rules for security scanning - Integration with CI/CD pipelines - Rule registry with community rules For more information, visit https://semgrep.dev/ --- # Semgrep MCP Server (beta) Source: https://semgrep.dev/docs/mcp - [](/docs/)- Set up and deploy scans- Integrations- MCP Server**On this page- [MCP](/docs/tags/mcp)- [Semgrep Code](/docs/tags/semgrep-code)Semgrep MCP Server (beta) Semgrep's open source [Model Context Protocol (MCP)](https://modelcontextprotocol.io/) server scans AI-generated code for security vulnerabilities using Semgrep Code, Supply Chain, and Secrets. The IDE re-generates code until Semgrep returns no findings or the user prompts the IDE to ignore Semgrep's findings. This article includes instructions for setting up the MCP server with Cursor and Claude Code, but it also works with any IDE-based MCP client. ## Prerequisites[​](#prerequisites) - Python 3.10 or later - Homebrew or Pip to install Semgrep - A Semgrep account ## Installation[​](#installation) - Cursor- Claude Code- Other IDEs - Install Semgrep: `# install through homebrewbrew install semgrep# install through pippython3 -m pip install semgrep` - Verify that you've installed the [latest version](https://github.com/semgrep/semgrep/releases) of Semgrep by running the following: `semgrep --version` - Log in to Semgrep and install Semgrep Pro `semgrep login && semgrep install-semgrep-pro` - [Add Semgrep to Cursor](cursor://anysphere.cursor-deeplink/mcp/install?name=semgrep&config=eyJjb21tYW5kIjoic2VtZ3JlcCBtY3AifQ%3D%3D). Review the prefilled information and click **Install** to proceed. - Create a `hooks.json` file in your project's `.cursor` directory and paste the following configuration: `{"version": 1,"hooks": { "stop": [ { "command": "semgrep mcp -k stop-cli-scan -a cursor" } ], "afterFileEdit": [ { "command": "semgrep mcp -k record-file-edit -a cursor" } ]}}` - Install Semgrep: `# install through homebrewbrew install semgrep# install through pippython3 -m pip install semgrep` - Verify that you've installed the [latest version](https://github.com/semgrep/semgrep/releases) of Semgrep by running the following: `semgrep --version` - Sign in to your Semgrep account. Running this command launches a browser window, but you can also use the link that's returned in the CLI to proceed: `semgrep login` In the **Semgrep CLI login**, click **Activate** to proceed. - Return to the CLI, and install the Semgrep Pro engine: `semgrep install-semgrep-pro` - Add the Semgrep MCP Server to Claude: `claude mcp add --scope user semgrep semgrep mcp` - Install Semgrep: `# install through homebrewbrew install semgrep# install through pippython3 -m pip install semgrep` - Verify that you've installed the [latest version](https://github.com/semgrep/semgrep/releases) of Semgrep by running the following: `semgrep --version` - Sign in to your Semgrep account. Running this command launches a browser window, but you can also use the link that's returned in the CLI to proceed: `semgrep login` In the **Semgrep CLI login**, click **Activate** to proceed. - Return to the CLI, and install the Semgrep Pro engine: `semgrep install-semgrep-pro` - Add the Semgrep MCP Server to your IDE. Semgrep provides [sample configuration information](https://github.com/semgrep/semgrep/tree/develop/cli/src/semgrep/mcp#integrations) that you can use as a starting point for your configuration. Refer to your IDE’s documentation for specific details on where to add the MCP server configuration information. ## Scan your code[​](#scan-your-code) - Open up your IDE's AI chat window. - Ensure that you're in the correct context to use Semgrep. - Prompt your IDE to scan with Semgrep. By default, the MCP Server runs all three Semgrep products: Code, Supply Chain, and Secrets. ## Additional resources[​](#additional-resources) - Semgrep's `#mcp` [Slack community](https://go.semgrep.dev/slack) - The [Semgrep MCP server repo on GitHub](https://github.com/semgrep/semgrep/tree/develop/cli/src/semgrep/mcp) Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [MCP](/docs/tags/mcp)- [Semgrep Code](/docs/tags/semgrep-code)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/mcp.md)Last updated on **Dec 22, 2025** --- # Semgrep metrics Source: https://semgrep.dev/docs/metrics - [](/docs/)- [What's Semgrep](/docs/faq/overview)- Semgrep metrics**On this pageSemgrep metrics Semgrep CLI may collect aggregate metrics to help improve the product. This document describes: - [the principles that guide our data-collection decisions](#principles) - [how to change when Semgrep sends metrics](#automatic-collection-opt-in-and-opt-out) - [what data is not collected](#data-not-collected) - [what data is collected](#data-collected-as-metrics) ## Principles[​](#principles) These principles inform our decisions around data collection: - **Transparency**: Collect and use data in a way that is clearly explained to the user and benefits them - **User control**: Put users in control of their data at all times - **Limited data**: Collect what is needed, pseudoanonymize where possible, and delete when no longer necessary ## Automatic collection, opt-in, and opt-out[​](#automatic-collection-opt-in-and-opt-out) `$ semgrep --config=myrule.yaml # → no metrics (loading rules from local file)$ semgrep --config=p/python # → metrics enabled (fetching Registry)$ semgrep login && semgrep ci # → metrics enabled (logged in to semgrep.dev)` Semgrep does **not** enable metrics when running with only local configuration files or command-line search patterns. Semgrep does enable metrics if rules are loaded from the [Semgrep Registry](https://semgrep.dev/r). This helps maintainers improve the correctness and performance of registry rules. Metrics may also be configured to be sent on every run, or never sent. To configure metrics, pass the `--metrics` option to Semgrep: - `--metrics auto`: (default) metrics are sent whenever rules are pulled from the [Semgrep Registry](https://semgrep.dev/r) or the user is logged in. - `--metrics on`: metrics are sent on every Semgrep run - `--metrics off`: metrics are never sent Alternatively, set the `SEMGREP_SEND_METRICS` environment variable to `auto`, `on`, or `off`. Note that certain Semgrep integrators turn on metrics for every run. For example, [GitLab's Semgrep SAST analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep) uses `--metrics on` by default. ## Data NOT collected[​](#data-not-collected) ### Data NOT collected ever[​](#data-not-collected-ever) We strive to balance our desire to collect data for improving Semgrep with our users' need for privacy and security. After all, we are a security tool! The following never leave your environment and are not sent or shared with anyone. - Source code - Private rules ### Data NOT collected unless explicitly requested[​](#data-not-collected-unless-explicitly-requested) The following data will never leave your environment as part of metrics. - Filenames - Git commit hashes, timestamps, messages, authors - User-identifiable data about Semgrep’s findings in your code, including finding messages This data will be sent to Semgrep AppSec Platform only if you explicitly request it, such as with `semgrep login && semgrep ci` to connect with Semgrep AppSec Platform. Even in that case, your source code and private rules will never be sent. ## Data collected as metrics[​](#data-collected-as-metrics) Semgrep CLI collects data to improve the user experience. Five types of data are collected: ### Environmental[​](#environmental) Environmental data provide contextual data about Semgrep CLI’s runtime environment, as well as information that helps debug any issues users may be facing; e.g. - How long the command took to run - The version of Semgrep CLI - An [anonymous user ID](#anonymous-user-id) that identifies the machine - IP address that triggers a run - Value of the CI environment variable, if set - Pseudoanonymized hash of the scanned project’s name - Pseudoanonymized hash of the rule definitions run - Pseduoanonymized hash of the config option. *(Note that when a config option downloads a ruleset from the [https://semgrep.dev](https://semgrep.dev) registry, [feature usage metrics](#feature-usage) still include the ruleset name in plain text.)* ### Performance[​](#performance) Performance data enable understanding of which rules and types of files are slow in the aggregate so Semgrep, Inc can improve the program-analysis engine, query optimizer, and debug slow rules; e.g. - Runtime duration - Duration of individual phases (e.g. parsing) - Total number of rules - Total number of files - Project size in bytes ### Parse Rates[​](#parse-rates) Aggregated parse rate information is reported on a per-language basis; e.g., - Number of targeted files - Number of files without any parse-related error - Number of bytes across targeted files - Number of bytes without any parse-related error ### Errors[​](#errors) High-level error and warning classes encountered when run; e.g. - Semgrep’s return code - The number of errors - Compile-time error names, e.g., MaxFileSizeExceeded, SystemOutOfMemory, UnknownFileEncoding ### Value[​](#value) Data that indicate how useful a run is for the end user; e.g. - Number of raised findings - Number of ignored findings - Pseudoanonymized hashes of the rule definitions that yield findings - The [features used](#feature-usage) during the scan - The engine type requested for the scan ### Extension[​](#extension) Additional data is reported when used in conjunction with an IDE integration, such as the [Semgrep VS Code Extension](https://github.com/semgrep/semgrep-vscode), that help us understand what IDEs are used and how helpful the integrations are for users; e.g. - IDE being used - Version of IDE integration - Number of fixes triggered through the integration - Number of findings ignored through the integration Note: For all officially supported Semgrep IDE integrations, these metrics can be disabled via settings in the IDE. By default these settings follow any global telemetry/metrics settings the user may have already set for the IDE itself. ### Pseudoanonymization[​](#pseudoanonymization) Certain identifying data (e.g. project URLs) are pseudoanonymized before being sent to the Semgrep, Inc backend. "Pseudoanonymized" means the data are transformed using a deterministic cryptographically secure hash. When the input data are unknown, this hash is expensive to reverse. However, when input data are known, a reverse dictionary of identifiers to hashes can be built. Hence, data are anonymous only when the source values are unknown. We use a deterministic hash to: - Track performance and value improvements over successive runs on projects - Remove test data from our metrics Using a deterministic hash, however, implies: - An entity that independently knows the value of an input datum AND who has access to Semgrep, Inc's metrics data could access metrics for that known datum Semgrep, Inc will: - Treat collected metrics data as secret, using application-security best practices, including (but not limited to) Encryption during transit and rest - Strict access control to data-storage systems - Application-security-policy requirements for third parties (e.g. cloud-service providers; see "data sharing" below) - Only correlate hashed data to input data when these inputs are already known to Semgrep, Inc (e.g. publicly available project URLs for open-source projects, or projects that log in to the Semgrep Registry) ## Description of metrics fields[​](#description-of-metrics-fields) CategoryFieldDescriptionUse CaseExample DatumTypeEnvironmentTimestamps (started/sent)Time when the event firedUnderstanding tool usage over time2021-05-10T21:05:06+00:00StringEvent IDA random UUID generated when sending the event.Deduplicating events in case of issues during transmission222bcccd-9dc2-4d10-ac3a-5692460e77eeString[Anonymous User ID](#anonymous-user-id)A random UUID generated on first run.Unique users per ruleset and feature. Understanding percentage of logged in users.5f52484c-3f82-4779-9353-b29bbd3193b6StringVersionSemgrep version being usedReproduce and debug issues with specific versions0.51.0StringProject hashOne-way hash of the project URLUnderstand performance and accuracy improvements`c65437265631ab2566802d4d90797b27fbe0f608dceeb9451b979d1671c4bc1a`StringRules hashOne-way hash of the rule definitionsUnderstand performance improvements`b03e452f389e5a86e56426c735afef13686b3e396499fc3c42561f36f6281c43`StringConfig hashOne-way hash of the config argumentUnderstand performance and accuracy improvements`ede96c41b57de3e857090fb3c486e69ad8efae3267bac4ac5fbc19dde7161094`StringIs authenticatedWhether the user logged in to semgrep.dev with `semgrep login`Understand popularity of logged in features`false`BooleanDeployment IDThe ID organization associated with the logged in accountUnderstand popularity of logged in features by organization1234NumberIntegration nameIf Semgrep is being called by another tool, optional name of that integrationReproduce and debug issues specific integrations`gitlab`StringCINotes if Semgrep is running in CI and the name of the providerReproduce and debug issues with specific CI providersGitLabCI v0.13.12StringClient IPIP address that triggered a runUnderstand broad ruleset usage0.0.0.0StringPerformanceDurationHow long the command took to runUnderstanding aggregate performance improvements and regressions14.13NumberTotal RulesCount of rulesUnderstand how duration is affected by #rules137NumberTotal FilesCount of filesUnderstand how duration is affected by #files4378NumberTotal BytesSummation of target file sizeUnderstand how duration is related to total size of all target files40838239NumberRule StatsPerformance statistics (w/ rule hashes) for slowest rulesDebug rule performance`[{"ruleHash": "7c43c962dfdbc52882f80021e4d0ef2396e6a950867e81e5f61e68390ee9e166","parseTime": 0,"matchTime": 0.05480456352233887,"runTime": 0.20836973190307617,"bytesScanned": 0}]`StatsClass[]File StatsPerformance statistics for slowest filesDebug rule performance`[{"size": 6725,"numTimesScanned": 147,"parseTime": 0.013289928436279297,"matchTime": 0.05480456352233887,"runTime": 0.20836973190307617}]`StatsClass[]ParsingTotal FilesCount of files, on a per-language basisUnderstand parsing performance143NumberTotal BytesSummation of target file size, likewise groupedUnderstand parsing performance41244NumberParsed FilesCount of files without parse errorsUnderstand parsing performance140NumberParsed BytesCount of bytes without any parse errorsUnderstand parsing performance40312NumberErrorsExit CodeNumeric exit codeDebug commonly occurring issues and aggregate error counts1NumberNumber of ErrorsCount of errorsUnderstanding avg #errors2NumberNumber of WarningsCount of warningsUnderstanding avg #warnings1NumberErrorsArray of Error Classes (compile-time-constant)Understand most common errors users encounter`["UnknownLanguage", "MaxFileSizeExceeded"] `ErrorClass[]WarningsArray of Warning Classes (compile-time-constant)Understand most common warnings users encounter`["TimeoutExceeded"]`WarningClass[]ValueEngine requestedThe engine type requested by the userUnderstand which engines are being used; debug engine-specific problems`"OSS"`Engine configurationThe specific engine configurationUnderstand which engines are being used; debug engine-specific problems`{ analysis_type: "Interfile", pro_langs: true, code_config: {} }`strInterfile languages usedThe languages for which the interfile engine was actually invokedUnderstand which interfile languages are being used; measure performance impact and errors`["C#"]`str[Features used](#feature-usage)List of strings that identify Semgrep features usedUnderstand what features users find valuable, and what we could deprecate`["language/python", "option/deep", "option/no-git-ignore", "key/metavariable-comparison"]`ObjectRule hashes with findingsMap of rule hashes to number of findingsUnderstand which rules are providing value to the user; diagnose high false-positive rates`{"7c43c962dfdbc52882f80021e4d0ef2396e6a950867e81e5f61e68390ee9e166": 4}`ObjectTotal FindingsCount of all findingsUnderstand if rules are super noisy for the user7NumberFindings per productCount of findings broken down by productUnderstand the value that each product provides to the user`{"code": 5, "secrets": 7, "supply-chain": 10}`ObjectTotal NosemsCount of all `nosem` annotations that tell semgrep to ignore a findingUnderstand if rules are super noisy for the user3Number |Extension|||||| | |Machine ID|A random UUID generated by the IDE itself|Understanding number of unique users using IDE integrations|`222bcccd-9dc2-4d10-ac3a-5692460e77ee`|String| | |Is New App Install|If the user just installed the IDE integration|Understand common issues with setting up IDE integrations|`false`|Boolean| | |Session ID|A random UUID generated everytime the integration starts up, usually when opening a project|Understand errors that commonly happen together, deduplicate errors|`222bcccd-9dc2-4d10-ac3a-5692460e77ee`|String| | |Integration version|Current version of the IDE integration|Reproduce and debug issues with specific versions|`1.8.0`| String| | |Integration type|IDE being used|Reproduce and debug issues with specific integrations|`vscode`|String| | |Autofix count|How many autofixes have been triggered through the integration|Understand the value that the integration provides to the user in helping remediate code issue|10|Number| | |Ignore count|How many findings have been ignored by the user through the integration|Understand the quality and noisiness of rules|5|Number| ### Anonymous user ID[​](#anonymous-user-id) `anonymous_user_id: "5f52484c-3f82-4779-9353-b29bbd3193b6"` To help improve Semgrep products, the Semgrep CLI generates a Universally Unique Identifier (UUID) which is saved locally to a `~/.semgrep/settings.yml` file when the ID does not already exist. The Semgrep team uses this ID to help answer the following questions: - How many people use a given rule/ruleset/snippet? This enables the Semgrep team to assess their performance, and we're planning to make these numbers public for all rule authors in the community. - What percentage of users log in? We use this to evaluate our success as we build new authenticated features for the Semgrep Cloud Platform. - How often are individual subcommands and CLI features used? This helps our product and developer experience teams measure feature adoption rate, analyze anonymized usage, and compare cohort behavior to improve our product offerings. ### Feature usage[​](#feature-usage) `"features": ["language/python", "option/deep", "option/no-git-ignore", "key/metavariable-comparison"]` Examples of such features are: languages scanned, CLI options passed, keys used in rules, or certain code paths reached, such as using an :include instruction in a .semgrepignore file. These strings do NOT include user data or specific settings. As an example, for `semgrep scan --output=secret.txt` Semgrep sends `"option/output"` but will NOT send `"option/output=secret.txt"`. The list of features tracked as of June 2022 is: - `language`: What languages were scanned - `cli-flag`/`cli-envvar`: What options were configured (does NOT include their value) - `config`: What method was used to retrieve rules (does NOT include any of the rule) - `registry-query`: The value of a `--config r/foo.bar.baz` setting, limited to the first word (e.g. `r/foo..` in this example) - `ruleset`: The value of a `--config p/foobar` setting - `semgrepignore`: Whether an `:include` statement was used in a .semgrepignore file - `subcommand`: What subcommand was used (e.g. `scan` or `ci`) The Semgrep team uses this to answer the following questions: - How many people use a given feature? This guides our development, and lets us decide when and how to deprecate features. - How does feature usage affect finding counts, error counts, and performance? We use this to evaluate experimental features and understand their production-readiness. Engine requested (OSS, Pro, Interfile) The engine requested is stored separately from the other features. This is the engine indicated by the user through app toggles or CLI flags. We use this for debugging as well as to understand which engines people are using. ### Sample metrics[​](#sample-metrics) This is a sample blob of the aggregate metrics described above: `{ "started_at": "2021-05-10T21:05:06+00:00", "sent_at": "2021-05-10T21:05:09+00:00", "event_id": "222bcccd-9dc2-4d10-ac3a-5692460e77ee", "anonymous_user_id": "5f52484c-3f82-4779-9353-b29bbd3193b6", "environment": { "version": "0.51.0", "ci": "true", "configNamesHash": "ede96c41b57de3e857090fb3c486e69ad8efae3267bac4ac5fbc19dde7161094", "projectHash": "c65437265631ab2566802d4d90797b27fbe0f608dceeb9451b979d1671c4bc1a", "rulesHash": "b03e452f389e5a86e56426c735afef13686b3e396499fc3c42561f36f6281c43", "isAuthenticated": false }, "performance": { "runTime": 37.1234233823, "numRules": 2, "numTargets": 573, "totalBytesScanned": 33938923, "ruleStats": [{ "ruleHash": "7c43c962dfdbc52882f80021e4d0ef2396e6a950867e81e5f61e68390ee9e166", "parseTime": 0, "matchTime": 0.05480456352233887, "runTime": 0.20836973190307617, "bytesScanned": 0 }], "fileStats": [{ "size": 6725, "numTimesScanned": 147, "parseTime": 0.013289928436279297, "matchTime": 0.05480456352233887, "runTime": 0.20836973190307617 }] }, "parse_rate": { "python": { "num_targets": 102, "targets_parsed": 101, "num_bytes": 985123, "bytes_parsed": 993419 }, "ruby": { "num_targets": 12, "targets_parsed": 12, "num_bytes": 341027, "bytes_parsed": 341027 } }, "errors": { "returnCode": 1, "errors": ["UnknownLanguage"], "warnings": ["MaxFileSizeExceeded", "TimeoutExceeded"] }, "value": { "ruleHashesWithFindings": {"7c43c962dfdbc52882f80021e4d0ef2396e6a950867e81e5f61e68390ee9e166": 4}, "numFindings": 7, "numIgnored": 3, "features": ["language/python", "option/deep", "option/no-git-ignore", "key/metavariable-comparison"], "engineRequested": "OSS", "engineConfig": { analysis_type: "Intraprocedural", pro_langs: false } }}` ## Data collected when explicitly requested[​](#data-collected-when-explicitly-requested) For Semgrep AppSec Platform users running `semgrep ci` while logged in, data is sent to power your dashboard, notification, dependency search, and finding management features. These data are ONLY sent when using `semgrep ci` in a platform-connected mode and are not sent when not logged in. Three types of data are sent to Semgrep, Inc servers for this logged-in use case: scan data, findings data, and dependencies data. **Scan data** provide information on the environment and performance. They power dashboards, identify anomalies with the product, and are needed for billing. The classes of scan data are: - Project identity (e.g., name, URL) - Scan environment (e.g., CI provider, OS) - Author identity (e.g., committer email) - Commit metadata (e.g., commit hash and timestamp) - Review and review-requester identifying data (e.g., pull-request ID, branch, merge base, request author) - Scan metadata, including type of scan and scan parameters (e.g., paths scanned and extensions of ignored files) - Timing metrics (e.g., time taken to scan per-rule and per-path) - Parse metrics (e.g., number of files targeted and parsed per-language) - Semgrep CLI environment (e.g., version, interpreter, timestamp) **Findings data** are used to provide human readable content for notifications and integrations, as well tracking results as new, fixed, or duplicate. The classes of findings data are: - Check ID and metadata (as defined in the rule definition; e.g., OWASP category, message, severity) - Code location, including file path, that triggered findings - A one-way hash of a unique code identifier that includes the triggering code content - Dependency name and version (only sent when using Semgrep Supply Chain) - Source code is NOT collected **Dependencies data** are used to power Dependency Search and License Compliance. The classes of dependencies data are: - Package name (e.g., lodash) - Package version (e.g., 1.2.3) - File path for lockfile (e.g., frontend/yarn.lock) - Analysis of external dependency calls. (e.g., from flask import Response, Response(status=204)) ## Debugging data collected when traces are requested[​](#debugging-data-collected-when-traces-are-requested) To help debug performance issues, Semgrep CLI can send traces, enabled via `--trace`. Traces are never sent unless the `--trace` flag is included. There are three modes of tracing. - Info (`--trace`): basic tracing. Sends timings about each file as it undergoes pre-processing and then matching. Includes the file path and sometimes rule names. - Debug (`--trace` with `SEMGREP_TRACE_LEVEL=debug`): debug tracing. Sends additional timings, particularly around functions run during taint analysis. - Trace (`--trace` with `SEMGREP_TRACE_LEVEL=trace`): even more detailed debug tracing. All traces are sent in Opentelemetry format and may include: - Semgrep function currently running (e.g. `Match_tainting_mode.check_rules`) - Start time (e.g. `1718775054055113`) - Duration (e.g. `934956`) - Path (e.g. `test/example/test_code.py`) - Size of a file in bytes (e.g. `12927`) - Rule name (e.g. `tainted-sql-from-http-request`) - Is a taint rule (e.g. `true`) Additionally, summary data is always included in the top level trace, such as: - Repo name (e.g. `semgrep-app`) - Folder name (e.g. `tests`) - Number of matches (e.g. `2`) - Number of errors (e.g. `1`) - Number of OSS rules (e.g. `12`) - Number of targets (e.g. `128`) - Languages (e.g. `Java: true`) - Is a diff scan (e.g. `false`) - Is an interfile scan (e.g. `true`) - Other scan settings of a similar nature. Summary data will only include information that `semgrep ci` has access to. Additionally, informational, warning, and error logs will be included when tracing is enabled, which may include: - Stacktraces from when Semgrep crashes - Warnings about high memory usage - Informational logs about which stage of scanning Semgrep is performing No information will be sent in the info mode that would not be sent by `semgrep ci`. In debug and trace mode only, traces may also include: - Hashed function names (e.g. `d40fdc8ef9bf7b7dd1b014533a58a05e9b98d7dd856784352201388fe5e22673`) - Hashed variable names (e.g. `0268934f5c43d1b5fc7d52d9efe17c69f1144b108c384c3513cbe493043712b3`) These data help us establish if a function is being analyzed for taint more times than expected. Debug and trace mode are meant for one-off debugging of slow scans, and data from these trace modes will not be retained for more than a week. ## Registry fetches[​](#registry-fetches) Certain Registry resources require log-in to the Semgrep Registry. Log in may be performed using your project URL, or a Semgrep.dev API token. When using these resources, your project's identity will be recorded by the Semgrep Registry servers. ## Data sharing[​](#data-sharing) We use some third party companies and services to help administer and provide Semgrep, for example for hosting, customer support, product usage analytics, and database management. These third parties are permitted to handle data only to perform these tasks in a manner consistent with this document and are obligated not to disclose or use it for any other purpose. We do not share or sell the information provided to us with other organizations without explicit consent, except as described in this document. Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. [Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/metrics.md)Last updated on Oct 13, 2021** --- # Prerequisites Source: https://semgrep.dev/docs/prerequisites - [](/docs/)- [Scan](/docs/getting-started/quickstart)- Get started- Prerequisites**On this page- [Deployment](/docs/tags/deployment)Prerequisites This document details the required software or services to run Semgrep products. ## Overall[​](#overall) A programming language must be supported by Semgrep for your chosen product. ProductScan typeLinkSemgrep Community Edition (CE)SAST[Supported languages](/docs/supported-languages#language-maturity-levels)Semgrep CodeSAST[Supported languages](/docs/supported-languages#language-maturity-levels)Semgrep Supply ChainSCA[Supported languages](/docs/supported-languages#semgrep-supply-chain)Semgrep SecretsSecretsLanguage-agnostic ## Semgrep command-line tool[​](#semgrep-command-line-tool) These requirements apply to both Semgrep AppSec Platform and Semgrep CE. ### Software[​](#software) - Python 3.10 or later installed on the machine you are running Semgrep on. ### Operating system[​](#operating-system) - macOS - Linux - Windows (beta) ## Semgrep AppSec Platform[​](#semgrep-appsec-platform) These requirements apply to Semgrep AppSec Platform. - A GitHub or GitLab cloud account. The credentials are used to authenticate and identify you. - A Git repository to scan, stored in any of the following source code managers: GitHub - GitLab - Bitbucket - Azure DevOps - A CI provider and sufficient permissions to create CI jobs. Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Deployment](/docs/tags/deployment)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/prerequisites.md)Last updated on **Nov 17, 2025** --- # Documentation Source: https://semgrep.dev/docs/release-notes ## [November 2025](/docs/release-notes/november-2025)December 9, 2025 · 6 min readThe following updates were made to Semgrep in November 2025. ## 🌐 Semgrep AppSec Platform[​](#-semgrep-appsec-platform) ### Added[​](#added) - **Cortex** and **Sysdig** integrations are now generally available. Semgrep now uses deployment status and, for Cortex, internet-exposure data from these CNAPP providers to better prioritize findings. - The **Settings > General** tab now displays all Semgrep product settings on a single page. - Added the ability for non-admin users to complete the Semgrep GitHub App installation process using an install-request link. This ensures that private GitHub App installations can proceed, even when the initiating user lacks org admin permissions. - Added a new **Validate** button and improved **connection status visibility** for CNAPP integrations. You can now see the validation state, last successful sync time, and clearer error conditions directly in Semgrep AppSec Platform. - You can now update and delete customizable and saved views using the API. The endpoint returns a 404 if the view does not exist. - Added support for filtering projects by status, including `setup`, `uninitialized`, and `archived`, in the Projects API endpoints, enabling more precise control when retrieving project lists. - Added support for filtering projects by status, including `setup`, `uninitialized`, and `archived`, in the Projects API endpoints, enabling more precise control when retrieving project lists. - Added missing fields `commit` and `enabled_products` to the `GetScan` v2 API response to achieve parity with v1 and ensure you receive complete scan metadata. - Added support for updating a project's **primary branch** through the Public API v2, enabling parity with the v1 Projects API endpoint. - Added support to the Public API for mutating project tags, enabling automated workflows to add, remove, or update tags on projects. ### Changed[​](#changed) - The **API tokens** and **CLI tokens** tabs under *Settings → Tokens* are now paginated, significantly improving page load speed for teams with many tokens. ### Fixed[​](#fixed) - Fixed several issues with RBAC team-based filtering that caused you to see incorrect repository or findings access in certain deployments. You should now see correct repository and findings access based on their team permissions. - Fixed an issue where the self-service checkout flow failed with an "Unrecognized enum value" error when starting a billing upgrade. You can now successfully initiate checkout sessions again. - Fixed an issue where Jira automations persisted after deleting the Jira integration. Automations are now deleted when the integration is removed. - Fixed an issue with the **Settings** pages where some searches resulted in no results on later pages. - Fixed an issue where organization admins could not see projects without team assignments when RBAC was enabled. All projects now correctly appear in the **Projects** page for admins. - Fixed an authorization issue in Network Broker key management. - Fixed an issue where GitLab merge-base requests were serialized incorrectly, causing errors or inconsistent diff detection for GitLab users. - Fixed an issue where rule descriptions on the **Findings** page used a fixed width. Descriptions now scale responsively again. - Fixed an issue where GitHub SSO orgs using personal GitHub accounts made unnecessary calls to GitHub during user sync. - Fixed an issue where new CNAPP integrations displayed an incorrect error state in Semgrep AppSec Platform. - Fixed an issue where opening the scan's **Details** reset existing URL filters. Semgrep now preserves all active filters when you navigate to the **Details** page. - Removed the ability for users to remove their own access in **Access Control**. - You can no longer click the *Run a new scan* buttons on the **Projects** list and **Project Details** pages if you disable Managed Scans for the project. ## 💻 Semgrep Code[​](#-semgrep-code) ### Added[​](#added-1) - MCP: added the `-k` / `--hook` flag to enable Semgrep scans from Claude Code Agent post-tool hooks. - **Go**: enabled taint tracking across goroutines, improving detection accuracy in Go projects. ### Changed[​](#changed-1) - Semgrep now uses your source code manager to determine changes between branches during a scan. If you're using Network Broker, you must upgrade to benefit from this improvement if you are on **GitLab self-managed v0.36.0 or earlier** or **GitHub Enterprise v0.31.0 or earlier**. ### Fixed[​](#fixed-1) - The progress bar for `semgrep scan` and `semgrep ci` now consistently reaches 100%. - **Rust**: Fixed missing type alias translations so that Semgrep can correctly match the `()` type in type declarations. - **Scala**: Fixed several issues with Scala match-expression handling in dataflow analysis, improving accuracy. ## ⛓️ Semgrep Supply Chain[​](#️-semgrep-supply-chain) ### Added[​](#added-2) - Malicious dependency detection is now generally available. Semgrep detects malicious packages, including malware, typosquatting, and credential-stealing dependencies, using over 80,000 rules. - Added a toggle in **Supply Chain settings** that allows you to disable malicious dependency rules. This provides an opt-out for teams who prefer not to run these rules or who encounter performance issues. - Added a new checkbox in the Jira **Customize ticket creation** dialog that allows teams to automatically create tickets for malicious dependency findings on any branch. ### Fixed[​](#fixed-2) - Semgrep AppSec Platform now displays the correct severity for Supply Chain findings, resolving a mismatch with automations and the CLI. Some existing findings may show updated severities, but policies and Jira workflows are unaffected. - Fixed an issue that caused Supply Chain scans to fail when encountering newer manifest types. - Fixed an issue where searches for dependencies only filtered the first page of results. Dependency filters now correctly return complete, accurate results. - Fixed inaccurate dependency and lockfile counts in Supply Chain pages. ## 🤖 Semgrep Assistant[​](#-semgrep-assistant) ### Added[​](#added-3) - You can now see rule and analysis explanations on the finding’s **Details** page. When a finding is classified as a true or false positive, an alert appears, and a detailed explanation is available in the **Finding description** tab. For true positives, it includes code context and threat-model rationale; for false positives, it includes reasoning only. ### Changed[​](#changed-2) - Assistant now automatically analyzes all new **Critical** and **High** severity findings with **Medium** or **High** confidence in full scans, removing the previous 10-issue limit. ### Fixed[​](#fixed-3) - Removed outdated warning text from the Assistant autofix. - Fixed an issue where agreeing with an auto-triage verdict incorrectly marked findings as ignored. Findings are now only auto-ignored when user assigns it as a **False Positive**. ## 📝 Documentation and knowledge base[​](#-documentation-and-knowledge-base) ### Added[​](#added-4) - Added the following knowledge base articles: [Semgrep Managed Scans doesn't run for pull requests in GitHub merge queues](/docs/kb/semgrep-appsec-platform/no-runs-in-github-merge-queues) - [Why does the Projects page display a different dependency count from the Dependencies page?](/docs/kb/semgrep-appsec-platform/dependency-count-differ-platform) ## 🔧 OSS Engine[​](#-oss-engine) ### Added[​](#added-5) - The following versions of the OSS Engine were released in November 2025: [** 1.143.0](https://github.com/semgrep/semgrep/releases/tag/v1.143.0) - [** 1.144.0](https://github.com/semgrep/semgrep/releases/tag/v1.144.0) **Tags:**- [Release notes](/docs/release-notes/tags/release-notes) --- # Run a successful proof-of-value (POV) trial with Semgrep Source: https://semgrep.dev/docs/run-a-successful-pov - [](/docs/)- [What's Semgrep](/docs/faq/overview)- Support & resources- Run a successful trial with Semgrep**On this page- [Semgrep AppSec Platform](/docs/tags/semgrep-app-sec-platform)- [Support](/docs/tags/support)Run a successful proof-of-value (POV) trial with Semgrep Start a POVTo start a proof-of-value (POV), contact Sales at [** sales@semgrep.com](mailto:sales@semgrep.com). Run a POV to learn more about Semgrep solutions and receive support that is specific to your infrastructure and business needs. During a POV, you receive dedicated sales, engineering, and support resources to ensure that every Semgrep feature that supports your infrastructure is implemented quickly and reliably. ## POV requirements[​](#pov-requirements) To run a successful POV, the Semgrep team needs your organization's decisions regarding these factors: - **The team involved in running the POV** Who among your organization will be evaluating Semgrep? Semgrep creates accounts for everyone on the team who is involved in the POV. - **The method to scan the repositories used in the POV** **Recommended: Semgrep Managed Scans (SMS)** This is the fastest way to deploy Semgrep to the repositories you want to scan. It requires access to your code, which can be limited to only certain repositories. - **CI/CD** This method relies on a CI configuration file, such as a GitHub Actions workflow file. A CI/CD job must be created for each repository you want to scan. - **The technical resources** You must decide on and communicate the repositories you want Semgrep to scan for the POV. - You must decide on and communicate to Semgrep your account management, infra, and tech needs. Benefits of Semgrep Managed ScansSMS is the **fastest** and **most scalable** deployment method, since it enables you to add repositories for scanning without the need for CI integrations. However, SMS requires access to your code. ## Summary[​](#summary) The following table includes a short summary of the POV process. StepActivitiesBoth parties agree to run a POV- Verify that your technical stack is supported by Semgrep.- Begin gathering necessary permissions from your organization for **technical resources** to run the POV.Pre-POV kickoff call and preparation- Both parties establish success criteria and alignment of the POV goals through a **kickoff call**.- Semgrep prepares for the POV by creating a dedicated Slack channel and other necessary accounts.Formal POV period- Semgrep deployment rollout.- Detection and remediation of findings.- Analysis of Semgrep ROI.Optional POV activities- A roadmap call with the Semgrep product team.- A rule-writing session where you can learn how to write custom Semgrep rules.POV conclusionSemgrep sets up a wrap-up call that discusses Semgrep's performance and your feedback about Semgrep. ## General steps[​](#general-steps) Running a POV involves the following steps: - POV agreement between both parties - Pre-POV or kickoff period - Formal POV period - POV conclusion You can also participate in optional activities: - Roadmap call - Rule-writing session Refer to the following sections for details. ### Both parties agree to run a POV[​](#both-parties-agree-to-run-a-pov) - From your end (the buyer), a need has been identified and a budget has been allocated. - From Semgrep's end, the team has verified, with your help, that your technical stack is supported by Semgrep. This includes: Programming languages - Source code managers - Account management - Other factors - **Optional**: If you'd like a **technical deep dive** of Semgrep from a sales engineer, you can request one through your account executive. - Semgrep recommends that **the buyer (you) start gathering and gaining approvals** from your organization for resources needed to run the POV, such as repository access. ### Pre-POV stage[​](#pre-pov-stage) #### Kickoff call[​](#kickoff-call) - During the pre-POV kickoff call, both parties set **success criteria**. - You and your organization can define the success criteria, or Semgrep can assist you in creating them. - The pre-POV kickoff call ensures that all stakeholders are aligned for the goals of the POV. - It also ensures that the technical requirements for both parties are clearly communicated. #### Preparation for POV[​](#preparation-for-pov) In preparation for the POV, Semgrep performs the following tasks: - Sets up **one (1) trial license** for your organization. - Sets up a **dedicated Slack channel** where you can reach out to the team during the POV. - Creates an account in Semgrep AppSec Platform for your organization. - Connects your source code manager, such as GitHub or Bitbucket, to Semgrep. - Sets up SSO if you require it. - For on-premise environments, Semgrep sets up the Network Broker to facilitate secure access between Semgrep and your private network. ### Formal POV period[​](#formal-pov-period) This is a **two-week** period in which Semgrep assists you in deployment, scanning, triage, reporting, and all other related functions for a successful security program. It is broken into three smaller phases. #### Semgrep deployment rollout[​](#semgrep-deployment-rollout) In this phase, the Semgrep team assists you in completing the following tasks: - Add repositories for scanning through SMS or through a CI/CD job - View findings in Semgrep AppSec Platform for scanned repositories within the POV's scope - Enable Assistant, ensuring that it's analyzing full scan findings - Prepare to set up pull request or merge request comments (PR or MR comments) and involve developers in Semgrep #### Detection and remediation of findings[​](#detection-and-remediation-of-findings) In this phase, the Semgrep team assists you in completing the following tasks: - Review the quality of findings with out-of-the-box rules - Show how Semgrep **filters out noise** with: Assistant Memories and triage for Semgrep Code - Direct and transitive reachability for Semgrep Supply Chain - Secrets validation for Semgrep Secrets - Improve developer experience through contextual, actionable vulnerability information: Inline PR comments or MR comments - Tailored remediation guidance in PR comments or MR comments - Breaking changes and upgrade guidance for Supply Chain findings - Integrate Jira for ticket creation and Slack for notifications if these are part of the success criteria #### Semgrep return-on-investment[​](#semgrep-return-on-investment) In the final phase, the Semgrep team provides you with data on the return on investment that Semgrep provides, compared to your existing security program. Some metrics include: - The number of developers in your company and the cost per developer per hour - Number of hours **reduced** per developer, per year in triage time, research and fix time by having Semgrep Assistant provide autofix and triage recommendations - Number of hours reduced in triage time per developer by having the ability to detect if secrets are valid or invalid - Reduction in review time with Semgrep Supply Chain reachability analysis ### Optional POV activities[​](#optional-pov-activities) Feel free to request the following: - **Roadmap call**. You can request a call with the Product team to learn about Semgrep's upcoming features and approaches. - **Rule-writing session**. Learn how to write Semgrep rules to customize Semgrep for your organization's unique code standards. ### POV conclusion[​](#pov-conclusion) When the POV ends, Semgrep sets up a wrap-up call that discusses the following: - Semgrep's performance measured against the evaluation criteria - Your feedback about Semgrep ## Trial license duration[​](#trial-license-duration) The trial license duration lasts for 30 days. ## Appendix: common questions and evaluation criteria[​](#appendix-common-questions-and-evaluation-criteria) Click to view a sample of common questions you and your team may ask to identify specific needs and criteria to evaluate Semgrep. - **Feature set** What features and language support do you need? - How easy is it to set up a Semgrep POV environment? - **Deployment** Does Semgrep support your unique infrastructure or network needs? - Does Semgrep support your SCM and CI provider? Can you easily deploy Semgrep through SMS? - **Integrations and notifications** Do the Semgrep integrations support your workflows for that tool? For example, does Semgrep support your custom fields in Jira? - Are your custom workflows supported by the Semgrep API? - **Findings and reports** What percent of findings are true positives? How does this compare with previous tools? - Is Semgrep Assistant (AI) able to reduce false positives? - Does the dashboard assist you in tracking secure guardrails? - **Security** Can Semgrep handle your sensitive data securely? - Can Semgrep successfully block PRs based on the criteria you need to set? - **Support and documentation** How easy is it to work with the Semgrep support team? Do they respond within the timeframe provided to you? - Does the documentation provide you with a clear explanation of the product and features? Was it easy for you to find answers? Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Semgrep AppSec Platform](/docs/tags/semgrep-app-sec-platform)- [Support](/docs/tags/support)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/run-a-successful-pov.md)Last updated on **Nov 25, 2025** --- # Secure guardrails in Semgrep Source: https://semgrep.dev/docs/secure-guardrails/secure-guardrails-in-semgrep - [](/docs/)- [Scan](/docs/getting-started/quickstart)- Set up and deploy scans- Secure guardrails**On this page- [Secure guardrails](/docs/tags/secure-guardrails)Secure guardrails in Semgrep Secure guardrails guide **developers** towards fixing security issues in the early stages of development. By deploying secure guardrails, you can: - Prevent issues from merging into production or default branches. This improves security posture and reduces the growth of the vulnerability backlog. - Reduce the time and cost to address issues—the earlier a vulnerability is detected, the faster it is to fix. The deployment of secure guardrails maximizes the impact of early detection by providing **specific** and **actionable** remediation guidance to developers. Customization enables you to set the **amount of alerts** that developers receive. This document defines secure guardrails and presents an overview of the guardrail deployment process in Semgrep. ***Figure**. Secure guardrails maximize the potential impact of early detection by providing tailored remediation guidance to developers. (Chart for illustration purposes only.)* Secure guardrails consist of: ContentThe content that identifies, explains, and provides remediation guidance for the security issue, such as the Semgrep rule and Semgrep Assistant (AI) remediation guidance. Semgrep uses **rules**, which are instructions that detect patterns in your code, such as security issues, bugs, and more. Semgrep generates and reports **findings** to you whenever it finds code that matches the patterns defined by rules. Semgrep rules also include a **message** that guides remediation and provides other metadata about the vulnerability, such as its OWASP category, which are presented to the developer. Further improvements to this guidance are made through Semgrep Assistant. InterfaceThe developer-native **interface** where the developer can see the content and triage or remediate the finding, such as Visual Studio Code (VS Code), pre-commit on CLI, or GitHub pull request comments. See [all supported interfaces](#support-for-developer-interfaces-pre-build). ***Figure**. Semgrep products provide the content of the guardrail, namely its rules and suggested remediations. The [Semgrep web app](https://semgrep.dev/login) provides the means to configure and deploy guardrails: what rules to deploy as well as where and how to alert developers.* ## Qualities of secure guardrails[​](#qualities-of-secure-guardrails) ### Speed[​](#speed) Scans must be quick to successfully integrate into developer workflows without slowing them down. The following table lists the speed of a Semgrep scan in relation to the environment the scan is run in: InterfaceScope of scanAnalysisTypical speedIDE (per keystroke and on save)Current fileSingle-function, single-fileIn a few secondsCLI on commit (through [`pre-commit`](https://pre-commit.com/))Files staged for commit (cross-function, single-file analysis)Cross-function, single-fileUnder 5 minutesPR or MR commentsAll committed files and changes in the PR or MRCross-function, single-file analysisUnder 5 minutes ### Support for developer interfaces (pre-build)[​](#support-for-developer-interfaces-pre-build) Guardrails should be able to provide remediation guidance and means to triage findings or give feedback within developer interfaces. Semgrep supports the following interfaces: InterfaceSupported providers and appsTriage and remediation actionsIDEs[Visual Studio Code (VS Code)](https://marketplace.visualstudio.com/items?itemName=Semgrep.semgrep)- Receive human-written remediation guidance. - Ignore or apply a [1-click autofix](/docs/writing-rules/autofix), if it is available, to findings individually.[IntelliJ-based IDEs](https://plugins.jetbrains.com/plugin/22622-semgrep)PR or MR comments[All GitHub plans](/docs/semgrep-appsec-platform/github-pr-comments)- Receive human-written and Semgrep Assistant remediation guidance*; you can customize the confidence level at which the AI leaves a comment. - Ignore or apply a [1-click autofix](/docs/writing-rules/autofix), if it is available, to findings individually.[All GitLab plans](/docs/semgrep-appsec-platform/gitlab-mr-comments)[All Bitbucket plans](/docs/category/bitbucket-pr-comments)[Azure Devops Cloud](/docs/semgrep-appsec-platform/azure-pr-comments)CLI through `pre-commit`Most terminal emulator apps- Receive human-written remediation guidance. - Ignore or apply [a 1-click autofix](/docs/writing-rules/autofix), if it is available, to findings individually. **To receive Assistant guidance, check that your source code manager (SCM) is supported: [list of supported source code managers (SCMs)](/docs/semgrep-assistant/overview#support-and-availability).* ***Figure**. Remediation message provided in VS Code. The message appears when a user hovers over findings, which are marked with squiggly lines. Developers can click the **Quick Fix** button to either ignore the finding or, if the rule provides an autofix, apply the fix.* ***Figure**. A PR comment detecting a hardcoded secret.* ### Customizability[​](#customizability) Every organization has its own secure coding practices. Customizability ensures that the tool can adapt to the unique needs of an organization. Semgrep provides customizability through: - Custom rules - You can create custom rules and deploy them as guardrails. Learn more about Semgrep rule structure in [the next section](#remediation-guidance). - Assistant Memories - this feature allows you to add and save additional context when Semgrep Assistant provides remediation. For example, you can provide organization-specific public keys, which Semgrep Assistant remembers. ***Figure**. A form on a finding's details page where you can enter additional instructions or context.* ### Remediation guidance[​](#remediation-guidance) Remediation guidance can come in three forms: - The rule's `message` - AI-generated remediation guidance through Semgrep Assistant - The rule's `fix` Much of the remediation guidance originates from the rule itself, which is also used to generate Semgrep Assistant's advice (if Assistant is enabled). Learning the basic Semgrep rule structure can help you: - Customize remediation through your organization-specific rules. Writing your own rules provides you with a means to tailor Semgrep to your organization with or without Assistant. - Write and deploy guardrails of your own. The following example illustrates a basic Semgrep rule. ***Figure**. A simple Semgrep rule that illustrates the common fields or keys used to create guardrails. Scroll through the **Rule** pane to view all the fields used to define the rule.* Click to view a line-by-line explanation of each field in the sample rule.`rules: # The name of the rule (required): - id: fix-and-message-demo-copy # The language of the target code (required): languages: - python # How severe the impact of the finding is (required): severity: HIGH # Description and advice that appears in the IDE, # PR or MR comment, or CLI (required): message: >- You're using an unsafe function. Prefer safe_function() if possible. # The matching logic of the rule (required): pattern: unsafe_function(...) # A substitution that resolves the finding (optional). fix: safe_function(...) # Metadata is optional but helpful to AI-generated remediation. metadata: # A category that describes the rule. Typically security: category: security # Confidence of the rule to detect true positives: confidence: HIGH # How likely an attacker can exploit the issue: likelihood: HIGH # Indicates how much damage a vulnerability can cause: impact: HIGH # A sub-type under category. Typically vuln, audit, or secure default: subcategory: - vuln` #### The rule `message`[​](#the-rule-message) This description explains **why** the finding was generated and outlines **general advice** on resolving the issue. Messages notify developers in all interfaces where you've deployed a guardrail. #### AI-generated remediation guidance and code suggestions (Semgrep Assistant)[​](#ai-generated-remediation-guidance-and-code-suggestions-semgrep-assistant) This is a tailored, **step-by-step** outline of what a developer must change to fix the insecure code. The guidance makes use of the Semgrep rule, AI's understanding of code, and a prompt tree that incorporates inputs such as: - Prior triage decisions - Custom instructions - Broader context of the file ***Figure**. AI-generated guidance. Developers are able to commit the suggestion directly.* info - Within developer-native interfaces, Semgrep Assistant only appears in PR or MR comments. Assistant guidance does not appear in the IDE or `pre-commit`. - You can adjust when the guidance is shown to developers based on the level of confidence in the guidance. #### The rule's human-written autofix (`fix`)[​](#the-rules-human-written-autofix-fix) Sometimes a rule can resolve a finding by replacing, for example, an insecure function with a secure one. These rules make use of Semgrep's [autofix](/docs/writing-rules/autofix) feature, which enables rule-writers to provide a human-written fix. Semgrep Assistant does **not** provide a code snippet suggestion when a human-written fix is provided in the rule. ## Deploy secure guardrails[​](#deploy-secure-guardrails) ### Prerequisites[​](#prerequisites) #### For AppSec engineers[​](#for-appsec-engineers) - You have completed a [Semgrep core deployment](/docs/deployment/core-deployment). - Your [Policies](https://semgrep.dev/orgs/-/policies) page should have at least one rule. #### For developers[​](#for-developers) - You must have a Semgrep account. - You must have joined your Semgrep organization. - To use Semgrep with your IDE, you must install the extension for the IDE and sign in to Semgrep through the extension. - To use Semgrep with `pre-commit`, you must install and set up `pre-commit`, then sign in to Semgrep through the CLI. Rules can be **configured on a per-product, per-interface basis** to notify developers when a finding from that rule is detected. The customization enables you to manage the amount of notifications a developer may receive. The following table describes how to deploy guardrails for each product and interface: InterfaceSemgrep CodeSemgrep SecretsSemgrep Supply ChainIDETo notify developers of findings from a rule, add the rule to your Policies.Coming soonPR or MR commentsTo notify developers, a rule must be in Comment mode; you can configure your Policies to include only **high confidence, high severity rules**.Developers receive comments about any **reachable vulnerability of high or critical severity.**CLI through `pre-commit`To notify developers of findings from a rule, add the rule to your Policies.Developers are notified of **all** findings by default. ***Figure**. **Policies page > Code tab**. Rules should be in either Comment or Block mode to leave a PR or MR comment.* ## Next steps[​](#next-steps) - Learn about [secure defaults and their implementation in Semgrep](/docs/secure-guardrails/secure-defaults). - Create custom rules that you can [deploy as guardrails](/docs/secure-guardrails/custom-guardrails-rules). Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Secure guardrails](/docs/tags/secure-guardrails)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/secure-guardrails/overview.md)Last updated on **Oct 21, 2025** --- # Security Source: https://semgrep.dev/docs/security - [](/docs/)- [Support & resources](/docs/trophy-case)- Security- [Support](/docs/tags/support)Security If you’ve found a vulnerability in Semgrep, our web application, or broader infrastructure, please email [security@semgrep.com](mailto:security@semgrep.com) and we’ll respond promptly. We appreciate your contribution and take all submissions seriously. Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. **Tags:**- [Support](/docs/tags/support)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/security.md)Last updated on **Nov 25, 2025** --- # Dashboard Source: https://semgrep.dev/docs/semgrep-appsec-platform/dashboard - [](/docs/)- [Scan](/docs/getting-started/quickstart)- Set up and deploy scans- Dashboard**On this page- [Semgrep AppSec Platform](/docs/tags/semgrep-app-sec-platform)- [Secure guardrails](/docs/tags/secure-guardrails)Dashboard The [Semgrep dashboard](https://semgrep.dev/orgs/-/) is an overview of your organization’s security posture based on data aggregated within Semgrep AppSec Platform. It helps you: - Evaluate your AppSec program, enabling you to know your current security risk. - Assess the deployment and adoption of **[secure guardrails](/docs/secure-guardrails/secure-guardrails-in-semgrep)** to your organization. - Become aware of trends and opportunities that you can use to improve your security posture. - Quickly filter data granularly for all the charts on the page and view priority findings. - Export the information as a PDF report. ## Dashboard overview[​](#dashboard-overview) The dashboard is divided into several sections: Section****Description**Reporting summary top barSets the filters for all the data in the page. Production backlogDisplays data about all the findings detected in your primary or default branch and helps you answer the following questions: - How is my security posture doing over time? - Is my backlog decreasing or increasing? - Is the team addressing findings faster than new findings are coming in? [Secure guardrails](/docs/secure-guardrails/secure-guardrails-in-semgrep)Displays data relevant to the deployment and adoption of secure guardrails. It helps address the following: - How many vulnerabilities did Semgrep prevent from entering production over time? - Am I effectively introducing guardrails to my developers? - Of the issues shown to developers, are they being fixed, or are they being ignored? Most findings by projectLists projects arranged by most open findings to least, grouped by **product** or **severity**. Helps answer the following: - Which of my projects have the most findings in a particular product area? - Which of my projects have the most findings for a particular severity? Median open ageA graph showing the middle age of all Open findings, grouped by product or severity. Half of the open findings are older than this age, and half are newer. Helps you answer: - What is the amount of time a finding remains open, by product or by severity? tipUse the **filters** to quickly generate views for a single Semgrep product or all products. When viewing data for a single Semgrep product, you can't group by product in **Most findings by project** and **Median open age**. ## Export reports[​](#export-reports) To generate reports from the current view, click **Dashboard > ** Download**. ## Triage states[​](#triage-states) The following triage states are displayed: - Open - Ignored, including provisionally ignored - Fixed Additional triage states, such as **Fixing** or **Reviewing**, are not displayed at this time. ## Filters and configuration[​](#filters-and-configuration) Use the filters to gain a top-level view or zoom in to a single product, specific period of time, or other slice of data. Create quarterly overviews or recent incident statements for various AppSec stakeholders. Configurations set here apply to the entire page. The following quick filters are visible on the page: - Time period - Semgrep product or type of scan (SAST, SCA, or Secrets) - Project (a repository or a subfolder of a monorepo) - [Recommended priority](#recommended-priority) toggle info - By default, the Dashboard displays data for projects that members or managers have access to. Admins can view findings from all the projects in the organization. See the [Teams documentation](/docs/deployment/teams#teams-beta) for more information. - It can take up to a day **(24 hours)** for the Dashboard to correctly update and remove findings if you have recently deleted a project. To access **all** filters: - Click **All filters** to open the filter drawer. - Turn off the **** Recommended priority** toggle. This displays the following filters in the filter drawer: - [Severity](/docs/writing-rules/rule-syntax#required) - [Confidence](/docs/contributing/contributing-to-semgrep-rules-repository#confidence) - [Reachability](/docs/semgrep-supply-chain/findings#reachability) - [Validation](/docs/semgrep-secrets/conceptual-overview#validate-secrets) - Time period - Product - Project - Tags - Teams ### Recommended priority[​](#recommended-priority) This refers to any finding that is **Critical** or **High** severity in **addition** to being: - [High confidence](/docs/contributing/contributing-to-semgrep-rules-repository#confidence) - if the finding is from Semgrep Code. - [Reachable](/docs/semgrep-supply-chain/findings#reachability) - if the finding is from Semgrep Supply Chain. - [Valid](/docs/semgrep-secrets/conceptual-overview#validate-secrets) - if the finding is from Semgrep Secrets. By default, **** Recommended priority** filters are enabled. If you choose to turn off recommended priority filters, **all** findings are displayed. ## Production backlog[​](#production-backlog) This pane displays analytics related to findings detected in your **primary or default branch**. This typically means that the finding, usually a security issue, has made it to production environments. ### Key metrics[​](#key-metrics) Key metricsDescriptionTotal openedTotal number of findings set to **Open** during the time period. This includes new findings as well as re-opened findings that were previously in a different state.Total fixedTotal number of **Fixed** findings during the time period that **remained** fixed until the end of the time period.Total ignoredTotal number of **Ignored** findings during the time period that **remained** ignored until the end of the time period. **Ignored** findings includes those with a status of **Provisionally ignored**.Total net newThe difference between the number of **Open** findings at the beginning of the time period and the end of the time period. tipA low or negative value for **Total net new** is ideal. It indicates that, within the period, more findings are being triaged or resolved than opened. This reduces the backlog of security issues. ### Charts[​](#charts) ChartDescriptionOpen backlogThis tracks the total findings from each scan and displays them. Lower values are better. **Clicking on this chart opens a drawer that provides a breakdown of findings by product for the selected time period.Backlog activityDisplays the number of new, net new, fixed, and ignored, including provisionally ignored, findings. A greater **Fixed** value is better. Clicking on this chart opens a drawer that provides a breakdown of findings by triage state for that selected time period. ## Secure guardrails[​](#secure-guardrails) This provides an overview of how secure guardrails in **PR or MR comments** are used in your organization, including how often Semgrep shows findings to developers, how the developers handle the findings, and how often Semgrep flags a finding as provisionally ignored. Other guardrail interfaces, such as the IDE or `pre-commit`, are not counted in this section. ### Key metrics[​](#key-metrics-1) Key metricsDescriptionFindings shown to devsNumber of findings shown to developers in PR or MR comments (the numerator) against the total findings count (denominator). An upward or stable trend is better.Findings fixed in developmentNumber of findings that were fixed before they could be detected in a default branch or production backlog (numerator) against the total findings count in the specified time period (denominator). An upward or stable trend is better. Clicking on this chart opens a drawer that provides a breakdown of findings by triage state for that selected time period. ### Charts[​](#charts-1) ChartDescriptionSecure guardrails adoptionPercent of new findings shown to developers over the specified time period. An upward or stable trend is better.Guardrails activityThis chart displays a breakdown of the status of findings shown to developers; whether they were ignored, provisionally ignored, fixed, or remained open. A greater **Fixed** value is better.Clicking on this chart opens a drawer that provides a breakdown of findings by triage state for that selected time period. ## Most findings by project[​](#most-findings-by-project) A table listing projects from most open findings to least, grouped by product or severity. Lower values are better. tipIt is recommended to prioritize triage and remediation for the top projects listed in this table, especially if the priority filters are enabled. ***Figure**. Findings by project; group them by product or severity.* ## Median open age[​](#median-open-age) ***Figure**. Median open age of a finding.* A chart displaying the median open age of a finding in **days** over the specified time period. Lower is better. For a finding to be remediated, it must have any of the following statuses: - Fixed - Ignored, including provisionally ignored Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Semgrep AppSec Platform](/docs/tags/semgrep-app-sec-platform)- [Secure guardrails](/docs/tags/secure-guardrails)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/semgrep-appsec-platform/dashboard.md)Last updated on **Dec 10, 2025** --- # Alerts and notifications Source: https://semgrep.dev/docs/semgrep-appsec-platform/notifications - [](/docs/)- [Scan](/docs/getting-started/quickstart)- Set up and deploy scans- Notifications**On this page- [Deployment](/docs/tags/deployment)- [Semgrep AppSec Platform](/docs/tags/semgrep-app-sec-platform)Alerts and notifications You can receive notifications for Semgrep findings in the following channels: ChannelSemgrep CodeSemgrep Supply ChainSemgrep Secrets[Slack](/docs/semgrep-appsec-platform/slack-notifications)Integrate with Semgrep through **Settings > Integrations**. Customize through rule modes in [Policies page](/docs/semgrep-code/policies).Integrate with Semgrep through **Settings > Integrations**. Limited customizability; configured by default to send notifications on **reachable** findingsIntegrate with Semgrep through **Settings > Integrations**. Customize through policies in [Policies page](/docs/semgrep-secrets/policies) [Email](/docs/semgrep-appsec-platform/email-notifications)Not availableNot available[Webhooks](/docs/semgrep-appsec-platform/webhooks)Not availableNot available Setting up notifications involves the following steps: - Integrating the notification channel, such as Slack, with Semgrep. - Customizing the conditions under which a notification is sent to that channel. Available conditions and how they are set up varies depending on the Semgrep product; see the following table. Semgrep Code **rule modes** define workflow actions (**Monitor**, **Comment**, or **Block**) that Semgrep Code performs when a rule detects a finding. In addition to these workflow actions, you can also configure Semgrep to send notifications on any rule mode. Click to expand table of rule modesRule modeDescriptionMonitorRules in **Monitor mode** display findings only in: - Semgrep AppSec Platform- **For Semgrep Code and Supply Chain**: User-defined notificationsSet rules to this mode to evaluate their true positive rate and other criteria you may have. By keeping rules in Monitor, developers do not receive potentially noisy findings in their PRs or MRs.CommentRules in **Comment mode** display findings in:- Developers' PRs or MRs- Semgrep AppSec Platform- **For Semgrep Code and Supply Chain**: User-defined notificationsSet rules that have met your performance criteria to this mode when you are ready to display findings to developers.BlockRules in **Block mode** cause the scan job to fail with an exit code of `1` if Semgrep Secrets detects a finding from these rules. You can use this result to enforce a block on the PR or MR. For example, GitHub users can enable branch protection and set the PR to fail if the Semgrep step fails. These rules display findings in:- Developers' PRs or MRs- Semgrep AppSec Platform- **For Semgrep Code and Supply Chain**: User-defined notificationsThese are typically high-confidence, high-severity rules. ## View integrations[​](#view-integrations) To view all integrations available to you in Semgrep AppSec Platform, follow these steps: - Sign in to your [Semgrep AppSec Platform ](https://semgrep.dev/orgs/-/settings/integrations) account. - Click **Settings > Integrations**. ***Figure***. The integrations available in Semgrep AppSec Platform. ## Next steps[​](#next-steps) Refer to the specific documentation page for the notification channel you want to set up. Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Deployment](/docs/tags/deployment)- [Semgrep AppSec Platform](/docs/tags/semgrep-app-sec-platform)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/semgrep-appsec-platform/notifications.md)Last updated on **Jul 28, 2025** --- # Analyze Semgrep Code findings with Semgrep Assistant Source: https://semgrep.dev/docs/semgrep-assistant/analyze - [](/docs/)- [Scan](/docs/getting-started/quickstart)- Semgrep Assistant- Analyze Code findings**On this page- [Deployment](/docs/tags/deployment)- [Semgrep Assistant](/docs/tags/semgrep-assistant)Analyze Semgrep Code findings with Semgrep Assistant Once you've [enabled Assistant](/docs/semgrep-assistant/getting-started), you can use the **Analyze** button on the [Findings page](/docs/semgrep-code/findings) to trigger all Assistant functions for Semgrep Code, including autofix, auto-triage, and component tagging, on existing findings. ## Analyze your findings with Assistant[​](#analyze-your-findings-with-assistant) - On the [Findings](https://semgrep.dev/orgs/-/findings?tab=open) page, select the findings that you want Assistant to analyze. - Click **Analyze**. - In the confirmation dialog that appears, confirm that you want to analyze your findings with Assistant. After Assistant performs these functions, you can see its results on the **Code** page using the **Recommendation** or **Component** filters. When viewing your findings, you can see false positive and true positive recommendations in a finding's **Details** page. The amount of time required to analyze your findings varies. Before running the analysis, the confirmation dialog provides an estimated wait time. info - For Team tier users with less than 10 contributors: There is a cap of 50 Assistant runs per month using the **Analyze** button. - For Team or Enterprise users with an active subscription: There is a cap of 10,000 Assistant runs per month using the **Analyze** button. It is rate-limited to 1,000 Assistant runs per hour. - For users of any tier: Assistant runs against pull requests (PRs) and merge requests (MRs) do not count against this limit. ## When Assistant auto-analyzes findings[​](#when-assistant-auto-analyzes-findings) Assistant automatically analyzes new findings from a **full scan** that have **Critical** or **High** severity AND **High** or **Medium** confidence. On a diff-aware scan, Assistant auto-analyzes up to a maximum 10 new findings, regardless of severity or confidence. noteSome findings created before November 2025 may not be auto-analyzed, even if they meet the criteria. ### Request analysis for existing findings[​](#request-analysis-for-existing-findings) If you want Assistant analyses for findings that weren't automatically analyzed, you can request them in bulk through Semgrep AppSec Platform. See the [Analyze your findings with Assistant](#analyze-your-findings-with-assistant) section for details. If you need assistance with bulk analysis requests or have questions about backfilling analyses for your findings, contact [Semgrep Support](/docs/support). ## View Assistant recommendations[​](#view-assistant-recommendations) You can [view all of Semgrep Assistant's recommendations](/docs/semgrep-code/findings#filter-findings) by going to the Semgrep **Findings** page and filtering by **Recommendation** or **Component**. ## Provide feedback on Assistant recommendations[​](#provide-feedback-on-assistant-recommendations) Semgrep Assistant prompts you for feedback whenever it suggests that a finding is a false positive. Because Assistant content is generated by large language models (LLMs), your feedback helps the Semgrep team improve Assistant. Semgrep Assistant lets you leave feedback in the following places: - In Semgrep AppSec Platform: the Assistant recommendation appears in Semgrep Code's **Finding Details** page under **Activity**, along with **Agree and ignore** or **Disagree** buttons. - In Slack notifications: the **Agree** and **Disagree** buttons appear under the Assistant recommendation message. If Semgrep Assistant suggests that a finding is a true positive and supplies an autofix suggestion, there is no automated mechanism to leave feedback on this outcome. Feel free to contact [Semgrep Support](/docs/support) to let us know your thoughts. Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Deployment](/docs/tags/deployment)- [Semgrep Assistant](/docs/tags/semgrep-assistant)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/semgrep-assistant/analyze.md)Last updated on **Dec 12, 2025** --- # Enable Semgrep Assistant Source: https://semgrep.dev/docs/semgrep-assistant/getting-started - [](/docs/)- [Scan](/docs/getting-started/quickstart)- Semgrep Assistant- Getting started**On this page- [Deployment](/docs/tags/deployment)- [Semgrep Assistant](/docs/tags/semgrep-assistant)Enable Semgrep Assistant This article walks you through enabling Semgrep Assistant for your deployment. Prerequisites - You have completed a [Semgrep core deployment](/docs/deployment/core-deployment). - You have set rules to **Comment** or **Block** mode in your [** Policies page](https://semgrep.dev/orgs/-/policies). - Azure DevOps Cloud- Bitbucket Cloud- GitHub- GitLabSemgrep Assistant extends standard Semgrep capabilities by providing contextually aware AI-generated suggestions. Building that context requires Azure DevOps permissions, specifically code access granted through an access token you generate through Azure DevOps. Ensure that the token has the following scopes: - `Code: Read & write` - `Pull Request Threads: Read & write` You can provide this token to Semgrep by adding [Azure DevOps as a source code manager](/docs/deployment/connect-scm#connect-to-cloud-hosted-orgs). Semgrep recommends using a service account, not a personal account, to [generate the personal access token](https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate) provided to Semgrep. Regardless of whether you use a personal or service account, the account must be assigned the **Owner** or **Project Collection Administrator** role for the organization. Semgrep Assistant extends standard Semgrep capabilities by providing contextually aware AI-generated suggestions. Building that context requires Bitbucket permissions, specifically code access granted through an access token you generate through Bitbucket. Your token must be a [Workspace Access Token](https://support.atlassian.com/bitbucket-cloud/docs/workspace-access-tokens/), which are available to users with a Bitbucket Cloud Premium plan or higher. The token must have the following scopes: - `Projects: Read` - `Repositories: Read` - `Pull requests: Read & Write` - `Webhooks: Read and write` You can provide this token to Semgrep by [adding Bitbucket as a source code manager](/docs/deployment/connect-scm#connect-to-cloud-hosted-orgs). Semgrep Assistant extends normal Semgrep capabilities by providing contextually aware AI-generated suggestions. In order to build that context, it requires GitHub permissions in addition to the [** standard permissions required for Semgrep](/docs/deployment/checklist#permissions). Semgrep Assistant requires [read access to your code in GitHub](https://docs.github.com/en/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28). This is done through a private Semgrep GitHub app that you install during Assistant setup. This private Semgrep GitHub app: - Is fully under your control so you can revoke access or specific permissions at any time by visiting **Settings > Applications** in GitHub. - Only accesses source code repositories on a file-by-file basis; it does not need or request org-level access to your codebase. - Can be configured to limit its scope to specific repositories. You do not need to give read access to all repositories in your GitHub organization. ### Enable Assistant[​](#enable-assistant) - Sign in to [Semgrep AppSec Platform](https://semgrep.dev/login). - Click **[** Settings](https://semgrep.dev/orgs/-/settings/)**. - In the **Assistant** section, click the **** Allow code snippets in AI prompts** toggle. * This launches the **Set up Semgrep Assistant** prompt. - Select a source code manager (SCM) by clicking **github.com**. - Semgrep provides you with information on why Assistant requires access to your source code. Click **Accept & Enable Assistant** to proceed. - You are redirected to the page where you can add a GitHub Private App that grants Semgrep read access to your code. Enter your GitHub information. Select whether you're installing the app on an **organization** or **Personal Account**, and provide its name. - Click **Review permissions** to see the permissions requested by Semgrep. - Click **Register GitHub App** to proceed. - When prompted, click **Continue** to allow redirection to GitHub to finalize app creation. Follow the instructions to finish creating and installing a private `semgrep-app`. - You are redirected to Semgrep AppSec Platform's **Source Code Managers** page. Navigate back to the **General > Assistant** page. Verify that all of the features are enabled: **Allow code snippets in AI prompts**: Required for Semgrep to auto-triage findings, provide AI remediation guidance, and tag findings with code context. - **Weekly priority emails**: Enable weekly emails to all organization admins with information on Assistant's top three backlog tasks across all findings. - **Noise filter for Code PR/MR comments**: Enable the filtering of findings flagged as false positives. You can choose to suppress any PR or MR comments Semgrep might push, or you can choose to show developers information regarding false positives using PR or MR comments. - **Remediation**: Enable Assistant-generated autofix suggestions in comments from Assistant. You can also set the minimum confidence level for Assistant-written fixes if the Semgrep rule doesn't include a human-written autofix. Semgrep Assistant extends normal Semgrep capabilities by providing contextually aware AI-generated suggestions. In order to build that context, Semgrep Assistant requires the **API scope** to run in both GitLab SaaS and GitLab self-managed instances. This can be specified at either the [project access token level](https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html) or [personal access token level](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html). - You can revoke [project access tokens](https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html#revoke-a-project-access-token) or [personal access tokens](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html#revoke-a-personal-access-token) at any time. - Semgrep Assistant only accesses source code repositories (projects) on a file-by-file basis; it does not need or request org-level access to your codebase. - The token can be configured to limit its scope to specific projects or individuals. You do not need to give read access to all projects in your GitLab organization. ## Enable Assistant - Sign in to [Semgrep AppSec Platform *](https://semgrep.dev/login) using your GitLab account. - Click **[** Settings](https://semgrep.dev/orgs/-/settings/)**. - In the **Assistant** section, click the **** Allow code snippets in AI prompts** toggle. This launches the **Set up Semgrep Assistant** prompt. - Follow the on-screen instructions to complete the setup process. - Navigate back to the **Deployment** page. Under the **Assistant** section, verify that all of the features are enabled: **Allow code snippets in AI prompts**: Required for Semgrep to auto-triage findings, provide AI remediation guidance, and tag findings with code context. - **Weekly priority emails**: Enable weekly emails to all organization admins with information on Assistant's top three backlog tasks across all findings. - **Noise filter for Code PR/MR comments**: Enable the filtering of findings flagged as false positives. You can choose to suppress any PR or MR comments Semgrep might push, or you can choose to show developers information regarding false positives using PR or MR comments. - **Remediation**: Enable Assistant-generated autofix suggestions in comments from Assistant. You can also set the minimum confidence level for Assistant-written fixes if the Semgrep rule doesn't include a human-written autofix. Once you have enabled Semgrep Assistant, you can [customize your deployment by enabling or disabling the Assistant features](/docs/semgrep-assistant/customize) that best fit your software development lifecycle. Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Deployment](/docs/tags/deployment)- [Semgrep Assistant](/docs/tags/semgrep-assistant)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/semgrep-assistant/getting-started.md)Last updated on **Aug 13, 2025** --- # Semgrep Assistant overview Source: https://semgrep.dev/docs/semgrep-assistant/overview#autofix - [](/docs/)- [Scan](/docs/getting-started/quickstart)- Semgrep Assistant- Overview**On this page- [Deployment](/docs/tags/deployment)- [Semgrep Assistant](/docs/tags/semgrep-assistant)Semgrep Assistant overview Semgrep Assistant provides AI-powered security recommendations to help you review, triage, and remediate your Semgrep findings. ***Figure.** Semgrep Assistant detects the use of untrusted, unsanitized data.* ## Support and availability[​](#support-and-availability) Semgrep Assistant: - Primarily supports findings generated by Semgrep Code - Supports [the same languages as Semgrep Code](/docs/supported-languages) - Is available to users of the following source code managers (SCMs): Azure DevOps Cloud - Bitbucket Cloud Premium and Bitbucket Data Center - GitHub Cloud and GitHub Enterprise Server (self-hosted) - GitLab, including SaaS and self-managed plans - Requires the Semgrep AppSec Platform for its use - Auto-analyzes many, but not all, findings during scans For full scans, all *new* issues that have **Critical** or **High** severity AND **High** or **Medium** confidence are auto-analyzed - For diff-aware scans (pull pequest or merge request scans), up to 10 new issues are auto-analyzed per scan ## Features[​](#features) ### Remediation[​](#remediation) Semgrep Assistant can provide remediation advice and autofixes, or suggested fixes, for Semgrep Code findings. #### Guidance[​](#guidance) With Assistant enabled, PR or MR comments from Semgrep include step-by-step remediation instructions for the finding identified by Semgrep Code. ***Figure.** PR comment displaying the rule message followed by a comment that contains Assistant-generated remediation guidance.* Semgrep also displays remediation information on Semgrep AppSec Platform's **Findings page** under **Your code & fix** in the [finding's details](/docs/semgrep-code/findings#view-details-about-a-specific-finding) page. ***Figure.** Findings detail page with the Your code & fix section displaying the suggested fix.* infoSemgrep only waits for a limited amount of time for Assistant guidance before posting a PR or MR comment, since comments are time-sensitive. If guidance is missing from the PR or MR comment because it was not yet available, it should still be present on Semgrep AppSec Platform's **Findings page** for the finding. #### Autofix[​](#autofix) Semgrep Assistant can suggest [autofix](/docs/writing-rules/autofix) code snippets for Semgrep Code findings when it identifies a true positive. Assistant only suggests an autofix if the rule doesn't have a human-written autofix. You can set the minimum autofix confidence level required to display autofix suggestions from Semgrep Assistant on Semgrep AppSec Platform's **Settings** page. To receive as many Assistant suggestions as are available, set the minimum to **low confidence**. Assistant customizes the code snippets it provides based on previous feedback, if any, and your rule customizations. For example, if you have a custom rule recommending a specific sanitizer, Assistant can recommend its use in the autofix suggestion for the issue in your code. Autofixes are available in PR and MR comments, so developers can review and verify Semgrep's generated fixes before applying them. ***Figure.** Semgrep Assistant generates a potential fix in a PR comment.* Autofixes are also available on Semgrep AppSec Platform's **Findings page** under **Assistant suggested fix** in the [finding's details](/docs/semgrep-code/findings#view-details-about-a-specific-finding). *Figure*. Semgrep Assistant showing a potential fix in Semgrep AppSec Platform. infoIf many new issues are found in a given scan, Assistant auto-triage and autofix may not run on every issue. ### Component tags[​](#component-tags) **Component tags** use AI to categorize a finding based on its function, such as: - Payments - User authentication - Infrastructure By categorizing your code through component tags, Semgrep Assistant can help you prioritize **high-risk issues**, such as remediating a code finding related to payments or user authentication. Component tags can be viewed in Semgrep AppSec Platform's **Findings** page. ***Figure.** Semgrep AppSec Platform's Findings page showing the Component filter.* ### Auto-triage[​](#auto-triage) Semgrep Assistant uses AI's understanding of programming languages and libraries, and your code and triage history, to auto-triage findings and suggest whether a finding can safely be ignored. For every recommendation to ignore a finding, Semgrep also provides guidance with an explanation on why this is the case. Auto-triage recommendations are available in Semgrep AppSec Platform's **Findings** page when you filter for findings that Assistant suggests should be ignored, and in the [finding's details](/docs/semgrep-code/findings#view-details-about-a-specific-finding). ***Figure.** Semgrep Assistant auto-triage in the Findings page.* Assistant's suggestions to ignore findings are also surfaced in PR or MR comments, so developers can triage an issue directly without leaving their PR or MR. ### Weekly priority emails[​](#weekly-priority-emails) Semgrep sends weekly emails with information on Assistant's top three backlog tasks across all findings. Unlike other Assistant features, these suggestions can include information for all Semgrep products that you have enabled. The emails are sent out on Monday to all organization admins. ### Noise filtering (beta)[​](#noise-filtering-beta) Noise filtering increases developer velocity by reducing interruptions from potential false positives. With Noise Filtering, Assistant evaluates each finding to determine if it's a true positive using additional context. If Assistant thinks a finding may be a false positive, it prevents a PR comment from being posted in the developer workflow. Security teams can review filtered findings at any time on Semgrep's [**Code > Pre-production** page](https://semgrep.dev/orgs/-/findings?tab=open&last_opened=All+time&backlog=preprod). Semgrep also allows you to agree or disagree with the filtering. If you agree with the suggestion, Semgrep closes the finding, but if you disagree, Semgrep reopens the finding. Assistant is [over 95% accurate in categorizing Semgrep Code findings as false positives](/docs/semgrep-assistant/metrics). ### Memories[​](#memories) Assistant Memories allows AppSec teams and developers to tailor Assistant's remediation guidance to their organization's standards and defaults on a per-project, per-rule basis. When Assistant gives a suggested fix, you can provide feedback by adding custom instructions. For example, if the code contains a hardcoded secret, Assistant might suggest using an SDK that handles credentialing. However, if your company prefers to use a different secrets manager, you can provide this information to Assistant. Assistant then generates remediation guidance that works with your specific secrets manager in the future. ### Upgrade guidance (beta)[​](#upgrade-guidance-beta) Semgrep Supply Chain's dependency upgrade guidance uses AI to analyze if a finding can be **safely upgraded** or if upgrading the package can cause **breaking changes**. Semgrep's click to fix capability can then create a PR to upgrade the package. Read more about [Upgrade guidance and Click to fix](/docs/semgrep-supply-chain/triage-and-remediation). ## Reliability[​](#reliability) Assistant supports fallback between model providers to ensure optimal performance and reliability. OpenAI is the primary provider in most cases, with automatic fallback to AWS Bedrock as needed. Semgrep's fallback decisions are based on an internal ranking system informed by ongoing research. Semgrep ranks models by performance and dynamically selects the best available from [your enabled options](/docs/semgrep-assistant/customize#select-your-ai-provider). Enabling additional model providers for your Semgrep organization can improve performance in some scenarios, while removing them could result in reduced performance. Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Deployment](/docs/tags/deployment)- [Semgrep Assistant](/docs/tags/semgrep-assistant)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/semgrep-assistant/overview.md)Last updated on **Dec 12, 2025** --- # Supported languages for Semgrep Community Edition (CE) Source: https://semgrep.dev/docs/semgrep-ce-languages - [](/docs/)- Semgrep Community Edition- Supported languages**On this page- [Semgrep CE](/docs/tags/semgrep-ce)- [Semgrep Code](/docs/tags/semgrep-code)Supported languages for Semgrep Community Edition (CE) This document provides information about supported languages for Semgrep Code and Semgrep CE. ## Semgrep Code and CE[​](#semgrep-code-and-ce) Semgrep CE is a fast, lightweight program analysis tool that can help you detect bugs in your code. It makes use of Semgrep's LGPL 2.1 open source engine. These languages are supported by the Semgrep community, at best effort. Semgrep Code is a static application security testing (SAST) solution designed to detect complex security vulnerabilities. It makes use of proprietary Semgrep analyses, such as cross-file (interfile) dataflow analysis and framework specific analyses, in addition to Semgrep CE. This results in a [**higher true positive rate than Semgrep CE**](/docs/semgrep-pro-vs-oss). Semgrep Code provides the highest quality support by the Semgrep team: reported issues are resolved promptly. Use either tool to scan local code or integrate it into your CI/CD pipeline to automate the continuous scanning of your repositories. **Languages****🚀 Semgrep Code:** [Free for small teams](https://semgrep.dev/pricing)**Semgrep CE**C / C++**Generally available** • Cross-file dataflow analysis • 150+ Pro rules Community supported • Limited to single-function analysis • Community rules C#**Generally available ** • Cross-file dataflow analysis • Supports up to C# 13 • 170+ Pro rules Community supported • Limited to single-function analysis • Community rules • Supports up to C# 7.0Go**Generally available** • Cross-file dataflow analysis • 80+ Pro rules Community supported • Limited to single-function analysis • Community rules Java**Generally available** • Cross-file dataflow analysis • Framework-specific control flow analysis • 190+ Pro rules JavaScript**Generally available** • Cross-file dataflow analysis • Framework-specific control flow analysis • 250+ Pro rulesKotlin**Generally available ** • Cross-file dataflow analysis • 60+ Pro rules[Python](/docs/languages/python)**Generally available** • Cross-file dataflow analysis • Framework-specific control flow analysis • 710+ Pro rules • See [Python-specific support details](/docs/languages/python)Typescript**Generally available ** • Cross-file dataflow analysis • Framework-specific control flow analysis • 230+ Pro rulesRuby**Generally available ** • Cross-function dataflow analysis • 40+ Pro rulesRust**Generally available ** • Cross-function dataflow analysis • 40+ Pro rulesJSX**Generally available ** • Cross-function dataflow analysis • 70+ Pro rulesPHP**Generally available ** • Cross-function dataflow analysis • 50+ Pro rulesScala**Generally available ** • Cross-function dataflow analysis • Community rulesSwift**Generally available ** • Cross-function dataflow analysis • 60+ Pro rulesTerraform**Generally available** • Cross-function dataflow analysis • Community rulesGeneric**Generally available **Community supportedJSON**Generally available **APEX**Beta**Not availableElixir**Beta**Click to view experimental languages. - Bash - Cairo - Circom - Clojure - Dockerfile - Hack - HTML - Jsonnet - Julia - Lisp - Lua - Move on Aptos - Move on Sui - OCaml - R - Scheme - Solidity - YAML - XML ## Language maturity definitions[​](#language-maturity-definitions) Semgrep Code languages can be classified into four maturity levels: - Generally available (GA) - Beta - Experimental - Community supported* *Community supported languages meet the parse rate and syntax requirements of **Experimental** languages. Users can still access community rules or write their own rules. **Feature****GA****Beta****Experimental****Community supported**SupportHighest quality support by the Semgrep team. Reported issues are resolved promptly.Supported by the Semgrep team. Reported issues are fixed after GA languages.There are limitations to this language's functionality. Reported issues are tracked and prioritized with best effort.These languages are supported by the Semgrep community. While Semgrep may develop rules or engine updates for these languages, they are not prioritized.Parse Rate99%+95%+90%+Number of Pro rules10+5+0+. Query the [Registry](https://semgrep.dev/r) to see if any rules exist for your language.Semgrep syntaxRegex, equivalence, deep expression operators, types and typing. All features supported in Beta.Complete metavariable support, metavariable equality. All features supported in Experimental.Syntax, ellipsis operator, basic metavariable functionality.Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Semgrep CE](/docs/tags/semgrep-ce)- [Semgrep Code](/docs/tags/semgrep-code)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/semgrep-ce-languages.md)Last updated on **Sep 17, 2025** --- # View findings' details Source: https://semgrep.dev/docs/semgrep-code/finding-details - [](/docs/)- [Scan](/docs/getting-started/quickstart)- Scan and triage- SAST (Code)- View findings- View finding details**On this page- [Semgrep Code](/docs/tags/semgrep-code)- [Semgrep AppSec Platform](/docs/tags/semgrep-app-sec-platform)View findings' details The finding's details page displays in-depth information about the finding, including: - A detailed description of the finding - Rule details, including the rule pattern itself, the vulnerability class, and identifiers such as the CWE ID - Finding details, such as when the finding was identified, the project and branch name, and commit ID where the issue was introduced - The code snippet where the issue was identified, along with a link to the source code where Semgrep identified the issue - Suggested fixes for the issue, either generated by Semgrep Assistant or from the rule itself - Activity history for the finding, including when it was first identified, whether it has been analyzed by Semgrep Assistant, whether there are any accompanying Jira tickets, notes written by other Semgrep users specifically about this finding, and more. ## View a finding's details[​](#view-a-findings-details) - Log in to [Semgrep AppSec Platform](https://semgrep.dev/login). - In the **Navigation bar**, click **[Code](https://semgrep.dev/orgs/-/findings)**. - Identify the finding whose details you want to view: If the default **Group by Rule** is enabled, click the ** **Details** icon on the card of the finding. - If the **No grouping** view is enabled, click the **header hyperlink** on the card of the finding. ### Semgrep Assistant’s rule and analysis explanation[​](#semgrep-assistants-rule-and-analysis-explanation) When Semgrep Assistant is enabled and classifies a finding as a true or false positive, an alert appears at the top of the finding’s details page. You can also view a detailed explanation that, if applicable, includes steps to exploitability in the **Finding description** tab. For true positives, the detailed explanation includes a summary and rationale for why the finding was flagged. It draws on the code that matched the rule pattern and the surrounding code to provide context for the rule message. For security-related rules, it also explains how the finding relates to the rule’s threat model. For false positives, the explanation contains only Assistant’s reasoning, without additional code context. Some explanations refer to memories, which Assistant uses to determine whether a finding is a false positive. However, memories are not used when generating the explanation itself. If Assistant flags a finding as a false positive, you can provide feedback by selecting **Agree and Ignore** or **Disagree**. ## Dataflow traces[​](#dataflow-traces) Dataflow traces allow you to visualize the path of tainted, or untrusted, data in findings. This path can help you track the sources and sinks of the tainted data as they propagate through the body of a function or a method. For general information about taint analysis, see [Taint tracking](/docs/writing-rules/data-flow/taint-mode/overview). ### View dataflow traces[​](#view-dataflow-traces) PrerequisiteNot all Semgrep rules or rulesets make use of dataflow traces, or taint tracking. Ensure that you have a ruleset, such as the **default ruleset** added in your **[Policies page](https://semgrep.dev/orgs/-/policies)**. If this ruleset is not added, go to [https://semgrep.dev/p/default](https://semgrep.dev/p/default), and then click **Add to Policy**. You can add rules that use taint tracking from [Semgrep Registry](https://semgrep.dev/explore). To view the detailed path of tainted data with dataflow traces: - Log in to Semgrep AppSec Platform, and click **[Code](https://semgrep.dev/orgs/-/findings)** in the **Navigation Bar** to view your findings. - Select the finding you're interested in, then do one of the following actions: If the default **Group by Rule** is enabled, click ** **View details** icon on the card of the finding. - If **No grouping** view is enabled, click the **header hyperlink** on the card of the finding. In the example screenshot below, the link is titled **tainted-sql-string**. - In the section titled **Your code**, you can see the source, traces, and sink of the tainted data. Clicking on a specific line in the trace will highlight it in the context of the file, while clicking on the file name at the top of the right pane will take you directly to that file in your source code manager, such as GitHub or GitLab. ## Available actions on the finding details' page[​](#available-actions-on-the-finding-details-page) Click on the **kebab** icon to see the menu that includes the following options: - **Mark as reviewing** to change its status to **Reviewing** and flag the finding as one that is under further manual review - **Copy file path** of the source code where Semgrep identified the issue - **Copy link** to the finding's details page ### Scan with Assistant[​](#scan-with-assistant) If the finding hasn't been analyzed by Assistant, click the **Analyze** button to begin analysis. Assistant can: - Recommend whether the finding should be fixed or ignored - Provide remediation guidance and generate a recommended code fix, if appropriate - Tag the finding with a component tag, such as `auth` or `payments`. ### Ignore the finding[​](#ignore-the-finding) Click **Ignore...** to ignore the finding. Provide an **Ignore reason**, and add **Comments** on why you think that this finding should be ignored. If the file for the finding in question is a test file or something similar, you can choose the **Ignore files in future scans...** option, then select the file. Semgrep ignores the file in subsequent scans. Click **Ignore** to proceed. ### Fix the finding[​](#fix-the-finding) Click **Fix** see the menu that includes the following options: - View the associated Jira ticket, if available - Open a PR that fixes the issue, if possible - Change the status of the issue as **To fix**, indicating that you plan to return to the finding in the future Semgrep automatically marks findings as fixed when they're no longer detected in subsequent scans. ### Add notes to findings[​](#add-notes-to-findings) To **add notes** to the activity history of a finding: - Select a finding where you want to view details or add notes, and then do one of the following actions: If the default **Group by Rule** is enabled, click ** **Details** icon on the card of the finding. - If **No grouping** view is enabled, click the **header hyperlink** on the card of the finding. - Go to the **Activity** section, then click **New note**. Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Semgrep Code](/docs/tags/semgrep-code)- [Semgrep AppSec Platform](/docs/tags/semgrep-app-sec-platform)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/semgrep-code/finding-details.md)Last updated on **Dec 10, 2025** --- # Semgrep Code overview Source: https://semgrep.dev/docs/semgrep-code/overview - [](/docs/)- [Scan](/docs/getting-started/quickstart)- Scan and triage- SAST (Code)- Overview**On this page- [Semgrep Code](/docs/tags/semgrep-code)Semgrep Code overview Semgrep Code is a static application security testing (SAST) tool that detects security vulnerabilities in your first-party code. You can use Semgrep Code to scan local repositories or integrate it into your CI/CD pipeline to automate the continuous scanning of your code. ## Rules[​](#rules) Semgrep Code uses **rules**, which encapsulate pattern matching logic and data flow analysis, to scan your code for security issues, style violations, bugs, and more. Semgrep generates and reports **findings** to you whenever it finds code that matches the patterns defined by rules. In addition to rules available in the [Registry](https://semgrep.dev/r), you can write custom rules to determine what Semgrep Code detects in your repositories. Whether you use pre-existing rules or write custom rules, knowing *which* rules Semgrep Code runs can help you understand how it detects security issues. Semgrep Code is transparent; you can configure the rules it runs and inspect its syntax to understand how the finding was detected. You can also customize the content of a rule to improve the true positive rate of a rule or have Semgrep send a relevant message to developers. ## Findings[​](#findings) Semgrep AppSec Platform displays Semgrep Code's findings. Additionally, the platform allows you to: - Triage findings - Send alerts and notifications or create tickets to track findings identified by Semgrep Code - Customize how Semgrep Code scans your repositories - Manage your users and facilitate team collaboration in remediating security issues ## Semgrep Community Edition (CE) versus Semgrep Code analysis[​](#semgrep-community-edition-ce-versus-semgrep-code-analysis) By default, Semgrep Code can analyze interactions beyond a single function but within a single file, a process known as **cross-function or interprocedural analysis**. This smaller scope of analysis makes it faster and easier to integrate into developer workflows. Semgrep CE can only analyze interactions within a single function, known as intraprocedural or single-function analysis. However, this means that Semgrep CE is slightly faster than Semgrep Code. Semgrep Code also supports **[cross-file analysis](/docs/semgrep-code/semgrep-pro-engine-intro)** (interfile) analysis. These scans produce fewer false positives and more true positives, but take longer to complete. ## Enable Semgrep Code[​](#enable-semgrep-code) - Sign in to [** Semgrep AppSec Platform](https://semgrep.dev/login). - Go to **[Settings > General > Code](https://semgrep.dev/orgs/-/settings/general/code)**. - Click the **** Code scans** toggle if it is not already enabled. Subsequent scans now include Code scans. ### Run Semgrep Code scans with single-function analysis[​](#run-semgrep-code-scans-with-single-function-analysis) In some cases, you may want to scan using Semgrep CE's single-function analysis. To do this, edit your `semgrep ci` command in your CI provider's configuration file with either the `--pro-languages` or `--oss-only` flags: `# Preferred; includes support for all Semgrep Code languagessemgrep ci --pro-languages# Does not include all Semgrep Code language featuressemgrep ci --oss-only` ## Augment Semgrep Code with Semgrep Assistant[​](#augment-semgrep-code-with-semgrep-assistant) [Semgrep Assistant](/docs/semgrep-assistant/overview) provides AI-powered security recommendations to help you review, triage, and remediate your Semgrep findings. More specifically, Assistant can: - Provide [remediation advice](/docs/semgrep-assistant/overview#remediation) and autofixes, or suggested fixes, for Semgrep Code findings. This information is displayed in Semgrep AppSec Platform. - Provide [remediation guidance](/docs/semgrep-assistant/overview#guidance) with step-by-step instructions on how to remediate the finding identified by Semgrep Code in every pull request or merge request comment Semgrep pushes. Assistant supports the tailoring of its remediation guidance using [Memories](/docs/semgrep-assistant/overview#memories). - [Tag your findings](/docs/semgrep-assistant/overview#component-tags) in Semgrep AppSec Platform to help identify high-priority issues. - [Auto-triage findings](/docs/semgrep-assistant/overview#auto-triage) and suggest whether a finding can safely be ignored. - [Filter out potential false positives](/docs/semgrep-assistant/overview#noise-filtering-beta) to help increase developer velocity. ## Next steps[​](#next-steps) - [View your findings](/docs/semgrep-code/findings). - Customize how Semgrep Code scans your repository by modifying the [default rules set](https://semgrep.dev/p/default) or [writing your own rules](/docs/semgrep-code/editor#write-a-new-rule-by-forking-an-existing-rule). - Enable [autofix](/docs/writing-rules/autofix) so that Semgrep can push code suggestions to GitHub or GitLab to help your developers resolve findings. - Enable [cross-file scanning](/docs/semgrep-code/semgrep-pro-engine-intro). ## Further reading[​](#further-reading) - Read the [Trail of Bits Automated Testing Handbook](https://appsec.guide/) to learn about configuring and optimizing security tools, including Semgrep. Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Semgrep Code](/docs/tags/semgrep-code)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/semgrep-code/overview.md)Last updated on **Dec 10, 2025** --- # Manage rules and policies Source: https://semgrep.dev/docs/semgrep-code/policies - [](/docs/)- [Scan](/docs/getting-started/quickstart)- Set up and deploy scans- Core deployment- Customize core deployment- Manage rules and policies**On this page- [Semgrep Code](/docs/tags/semgrep-code)- [Semgrep AppSec Platform](/docs/tags/semgrep-app-sec-platform)Manage rules and policies The Policies page displays the [** rules](/docs/running-rules) that Semgrep Code uses when scanning all of your repositories. Modifications to the rules on the Policies page allow you to increase the breadth and depth of your scan coverage or remove noise from scans. You can also determine whether findings detected by a given rule can help block merges for pull requests (PRs) or merge requests (MRs). ## Language coverage and scan speeds[​](#language-coverage-and-scan-speeds) Semgrep Code identifies the languages used in your repositories and only runs rules applicable to those languages. For example, adding Ruby and Python rules in your Policies doesn't affect the scan speed for Python-only repositories. Only Python rules are run for Python repositories. ## Policies page structure[​](#policies-page-structure) * ***Figure.*** Default view of the Policies page, known as the **Group by vulnerability class** view. The Policies page consists of a header and three main panes: Policies headerThe top header consists of:- **Policies view drop-down**, which lets you choose between:Grouping rules by vulnerability class- No grouping- * Rule Modes** button where you can view **rule modes** and edit **notifications** for each rule mode. Rule modes define what **workflow actions** Semgrep Code performs when a rule detects a finding. For example, setting a rule's mode to **Comment** means that Semgrep posts PR or MR comments from findings generated by that rule. See [Block a PR or MR through rule modes](#block-a-pr-or-mr-through-rule-modes) for more information.- **Add rules** button that takes you to the [** Semgrep Registry](https://semgrep.dev/explore) where you can add rules to the Policies page and assign their initial modes.Filter paneDisplays filters to quickly select and perform operations on rules in bulk. See [Policies filter reference](#policies-filter-reference) for more information.Rule paneThe rule pane displays the rules that Semgrep scans use to detect findings and allows you to edit their assigned rule modes. You can make these edits either one by one or through bulk editing of many rules. You can also use the **Search for rule names or ids** box. See [Policies filter reference](#policies-filter-reference) for more information. ### Policies page filters[​](#policies-page-filters) This section defines the Policies page filters: FilterDescriptionExamples or possible valuesModesFilter by the workflow action Semgrep performs when a rule detects a finding. An additional filter, **Disabled**, is provided for rules that you have turned off and are no longer included for scanning.See [Rule modes](#block-a-pr-or-mr-through-rule-modes) documentation.CategoryFilter by the type of security issue or vulnerability that the rule detects.- Dangerous method or function- SQL injection- Active debug codeSeveritiesThe higher the severity, the more critical the issues that a rule detects.- Critical- High- Medium- LowConfidenceFilter by the confidence of the rule to detect true positives.- High- Medium- LowSourceFilter by the origin of a rule.- **Pro:** Authored by Semgrep with cross-file (interfile) and cross-function (interprocedural) analysis capabilities, providing you with enhanced scan accuracy. For more information, see [** Pro rules.](/semgrep-code/pro-rules/)- **Community:** Authored by Semgrep, Inc or external contributors such as Trail of Bits.- **Custom:** Rules created within your Semgrep organization. For more information, see [** Private rules](/writing-rules/private-rules/)..Available rule upgradesFilter for rules where there exist improved versions to those using paid Semgrep products.RulesetFilter by the name of an existing ruleset.- [** XSS ruleset](https://semgrep.dev/p/xss)- [** React ruleset](https://semgrep.dev/p/react)LanguageFilter by programming language- Python- JavaScipt- RubyMinimum count of findingsFilter by the number of findings.- 10- 100- 500 tipUse **Minimum count of findings** to identify rules generating a lot of findings. This may be an indication of false positives or noise. ### Rule entries reference[​](#rule-entries-reference) This section defines the columns of the rule entries in the Policies page: FilterDescriptionExamples or possible valuesRule nameName of the rule that Semgrep Code uses for scanning.[** `docs-print-to-logger`](https://semgrep.dev/playground/s/KPzL)LabelsMetadata describing the rule. This includes the rule's language, category (good security practices, coding standards), and more.- Security- Code injection- PHPOpen findingsThe number of open findings that the rule has detected across all scans.n/aFix rateThe percentage of findings that are fixed through changes to the code.n/aSeverityThe higher the severity, the more critical the issues that a rule detects.- High- Medium- LowConfidenceIndicates confidence of the rule to detect true positives.- High- Medium- LowSourceIndicates the origin of a rule.- **Pro:** Authored by Semgrep with cross-file (interfile) and cross-function (interprocedural) analysis capabilities, providing you with enhanced scan accuracy. For more information, see [** Pro rules.](/semgrep-code/pro-rules/)- **Community:** Authored by Semgrep, Inc or external contributors such as Trail of Bits.- **Custom:** Rules created within your Semgrep organization. For more information, see [** Private rules](/writing-rules/private-rules/)..RulesetRules are also organized in rulesets. Rulesets are groups of rules related through a programming language, OWASP category, or framework.- [** XSS ruleset](https://semgrep.dev/p/xss)- [** React ruleset](https://semgrep.dev/p/react)ModeSpecifies what workflow action Semgrep performs when a rule detects a finding. An additional filter, **Disabled**, is provided for rules that you have turned off and are no longer included for scanning.See [Rule modes](#rule-modes) documentation. ## Add rules[​](#add-rules) To add rules, follow these steps: - On the [** Policies](https://semgrep.dev/orgs/-/policies) page, click **Add Rules**. - You are redirected to the [** Semgrep Registry](https://semgrep.dev/explore) page. Explore the page, open cards of individual rules, and then click **Add to Policy**. - Specify the workflow action of the rule that you are adding. Select either: Monitor - Comment - Block ### Add custom rules to your Policies[​](#add-custom-rules-to-your-policies) To add custom rules, use the Semgrep Editor. See [** Setting code standards with the Policies page](/docs/semgrep-code/editor#add-a-rule-to-the-policies-page). ### Add rulesets to your Policies from the Registry[​](#add-rulesets-to-your-policies-from-the-registry) Instead of adding individual rules to your Policies, you can add rulesets, which are groups of rules related through a programming language, OWASP category, or framework. The Semgrep team curates the rulesets. - On the [** Policies](https://semgrep.dev/orgs/-/policies) page, click **Add Rules**. - You are redirected to the [** Semgrep Registry](https://semgrep.dev/explore) page. Explore the page to find the ruleset you're interested in adding. - Click the ruleset to open its **Explore** page. This page lets you view the included rules and provides instructions for testing and running the ruleset locally before adding it to your policies. - Click **Add to Policy**. - Specify the workflow action for the rules that you are adding by selecting one of these options: Monitor - Comment - Block If Semgrep adds rules to the ruleset in the future, they will automatically be added to your Policies in the same mode that you select. You can change the default mode for the current and future rules by re-adding the ruleset through the Registry and choosing a different mode. You *cannot* change the mode of all existing rules associated with the ruleset using the Policies page, since this only makes every rule that you changed an exception to the default. #### Filtering behavior[​](#filtering-behavior) - Filter types such as **Language** and **Technology** use `AND` logic. This means that search terms must match all filters. For example, selecting Java (a **Language**) and security (a **Category**) shows only rules with both properties (Java and security). - Adding filters of the same type use `OR `logic. This means that search terms can match any of the filters for that type. For example, selecting Java and Python (both **Languages**) shows rules with either language. - A gem icon (💎) denotes Semgrep Pro rules. ## Disable rules[​](#disable-rules) See [Triage and remediate findings](/docs/semgrep-code/triage-remediation#turn-off-a-ruleset-or-a-rule) for information on how to disable a rule or a ruleset. ## Rule modes[​](#rule-modes) Semgrep enables you to choose a **workflow action** based on the presence of a finding. Workflow actions include: - Failing a CI job. Semgrep returns exit code `1`, and you can use this result to set up additional checks to enforce a block in your CI/CD pipeline. This action applies to both full scans and [diff-aware scans](/docs/semgrep-code/glossary#diff-aware-scan). - Leaving a PR or MR comment. - Notifying select channels, such as private Slack channels or webhooks. Semgrep Code provides three rule modes: Rule modeDescriptionMonitorRules in **Monitor mode** display findings only in: - Semgrep AppSec Platform- **For Semgrep Code and Supply Chain**: User-defined notificationsSet rules to this mode to evaluate their true positive rate and other criteria you may have. By keeping rules in Monitor, developers do not receive potentially noisy findings in their PRs or MRs.CommentRules in **Comment mode** display findings in:- Developers' PRs or MRs- Semgrep AppSec Platform- **For Semgrep Code and Supply Chain**: User-defined notificationsSet rules that have met your performance criteria to this mode when you are ready to display findings to developers.BlockRules in **Block mode** cause the scan job to fail with an exit code of `1` if Semgrep Secrets detects a finding from these rules. You can use this result to enforce a block on the PR or MR. For example, GitHub users can enable branch protection and set the PR to fail if the Semgrep step fails. **These rules display findings in:- Developers' PRs or MRs- Semgrep AppSec Platform- **For Semgrep Code and Supply Chain**: User-defined notificationsThese are typically high-confidence, high-severity rules. Semgrep Code provides first-time users with the [** Default ruleset](https://semgrep.dev/p/default). These rules are initially placed in the Monitor column. As you develop confidence in these rules, you are able to change their modes to Comment or Block, ensuring that developers remain free of friction from false positives. ## Block a PR or MR through rule modes[​](#block-a-pr-or-mr-through-rule-modes) The following instructions walk you through changing the rule mode for rules that generate high severity findings to **block**. Whenever Semgrep identifies such findings, it returns exit code `1`. You can use this result to set up additional checks to enforce a block in your CI/CD pipeline, such as not allowing the merge of the PR/MR. The process to implement a block on a PR or MR after Semgrep exits with error code `1` is dependent on your CI provider. Review your CI provider's documentation for further information. - Sign in to [** Semgrep AppSec Platform](https://semgrep.dev/login). - Navigate to **Rules > Policies > Code**. - Filter for the applicable rules. For example, select **High** under **Severities** to find all of the rules that generate high severity findings if they match any part of your code. - Select either the box next to **Number matching rules** or select individual checkboxes next to one or more rules. These are the rules whose mode you will change in the next step. - Click **Change modes Number** and select **Block**. ## Multiple policies[​](#multiple-policies) Multiple policies feature (private beta)If you have the **multiple policies** feature, you can customize the Code rules that run on specific repositories. Currently, this beta is not accepting new participants. The multiple policies feature enables users to customize the Semgrep Code rules that run on specific projects (repositories). Users create different policies that projects can be assigned to. This feature makes use of a **Global Policy** that runs on **all** projects. Projects cannot be unassigned from it. You can create a new policy and add one or more projects, then select rules to add to the policy. Projects are assigned manually to additional policies, and multiple projects can be added by searching repository names or tags. During a scan, the repositories assigned to your custom policy run all of the rules from the **Global Policy** as well as all the rules from your custom policy. ### Policy limit[​](#policy-limit) Current users of the Multiple Policies beta can create up to 10 policies. Some users from earlier phases of the beta may have a higher limit. ### Resolve workflow actions in multiple policies[​](#resolve-workflow-actions-in-multiple-policies) If a rule is in multiple policies, then the rule is deduplicated and Semgrep prioritizes the workflow action based on the rule mode, where precedence is as follows: - Block - Comment - Monitor For example, if an instance of `Rule A` is set to **Block**, the scan fails for PRs with any findings from that rule, even if the same `Rule A` is set to **Monitor** in another policy applied to that repository. To ensure that the workflow action is resolved as expected, add the specific rule to the desired policy mode. This will override any behavior that it inherits from the rulesets it belongs to. Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Semgrep Code](/docs/tags/semgrep-code)- [Semgrep AppSec Platform](/docs/tags/semgrep-app-sec-platform)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/semgrep-code/policies.md)Last updated on **Dec 10, 2025** --- # Remove duplicate findings Source: https://semgrep.dev/docs/semgrep-code/remove-duplicates - [](/docs/)- [Scan](/docs/getting-started/quickstart)- Scan and triage- SAST (Code)- Remove duplicate findings**On this page- [Semgrep Code](/docs/tags/semgrep-code)- [Semgrep AppSec Platform](/docs/tags/semgrep-app-sec-platform)Remove duplicate findings Semgrep scans are performed on both mainline (trunk) and non-mainline branches. The scope of the scan can differ depending on if Semgrep is called on a mainline or non-mainline branch. Full scanScans the repository in its entirety. It is recommended to perform full scans on mainline branches, such as `master` or `main`. Full scans are typically performed on a scheduled basis or on merge to a default branch.Diff-aware scanDiff-aware scans are performed on non-mainline branches, such as in pull requests and merge requests. Diff-aware scans traverse the repository's files based on the commit where the branch diverged from the mainline branch. ## How Semgrep distinguishes between new and duplicate findings[​](#how-semgrep-distinguishes-between-new-and-duplicate-findings) Semgrep generates a finding whenever it scans a repository and one of its rules matches a piece of code. Since Semgrep usually scans a repository multiple times, it needs a way to track the same finding in a file over time. Semgrep does this using two types of fingerprints: `match_based_id` and `syntactic_id`. infoThe calculations used to determine whether findings are new are subject to change at any time as Semgrep improves its deduplication logic. ### `match_based_id`[​](#match_based_id) Using the `match_based_id`, Semgrep can determine if a given finding in a file is the same as a finding identified during a different scan, even if the code snippet that the rule matched had been moved to a different location in the file. This allows Semgrep to avoid generating a new finding and to deduplicate its records accordingly, even across multiple branches associated with the project. It also means that Semgrep can cross-correlate findings, so a finding that has been triaged in one branch will be flagged as triaged if it's identified in another branch. Semgrep generates the `match_based_id` for a finding using the following information: - The file path - The name of the rule that generated the finding - The rule pattern with the metavariables' values substituted in This information is combined and then hashed. At this point, Semgrep appends the **index**, a value generated by determining the number of times the rule involved matched code in the file. Note that the index is appended to the hash, not combined with the other finding information before hashing. This is done to preserve information on how findings are related. For example, `finding0` with `match_based_id = 123_0` and `finding1` with `match_based_id = 123_1` indicate that both were generated from the same rule matching the same code pattern in the same file. ***Figure**. Semgrep AppSec Platform groups together the same finding identified as present on multiple branches.* Semgrep uses the rule pattern with the metavariables' values, which originate from the code itself, substituted in to generate match_based_id. Therefore, code changes that result in the same rule pattern when abstracted to the level of the rule pattern match, with the appropriate values substituted, in don't hinder Semgrep's ability to recognize that the finding isn't a duplicate of an existing finding. For example, if the original file scanned is: `a = 1b = 2spcd.get("foo")c = 3d = 4sink("foo")` The rule pattern identified and used in generating the `match_based_id` is: `spcd.get($X)...sink($X)` Which, with metavariables substituted in, becomes: `spcd.get("foo")...sink("foo")` If the following change is made to the original file: `a = 1b = 2spcd.get("foo")c = 3c_1 = 5d = 4sink("foo")` The rule pattern identified and used in generating the `match_based_id` doesn't change: `spcd.get("foo")...sink("foo")` This means that the `match_based_id` itself doesn't change, allowing Semgrep to identify that the two findings are the same and to deduplicate them. Furthermore, this process enables Semgrep to ignore lines that do not impact code function. ### `syntactic_id`[​](#syntactic_id) Semgrep generates the `syntactic_id` for a finding using the following information: - The file path - The name of the rule that generated the finding - The code syntax, or the literal piece of code that matched the rule - The index, a value generated by determining the number of times the rule involved matched code in the file This information is combined and then hashed for privacy before being stored. infoThe `syntactic_id` is primarily used by Semgrep for internal debugging purposes, since no code is stored except in cases where you have provided code access permissions to Semgrep. ## Update findings by rescanning the project[​](#update-findings-by-rescanning-the-project) Semgrep's correlation of findings across branches based on their unique fingerprint allows for automatic consolidation of findings and makes it simpler to triage findings. If a finding is fixed in one branch (such as `main`), possibly because there hasn't been a follow-up scan on the branch, but open in another (such as `production`), and the code fixes are present in both branches, initiate scans through your CI job or SCM tool on the branches with open findings. Semgrep will reconcile the findings and mark them as fixed. ## Remove duplicate findings using Semgrep API[​](#remove-duplicate-findings-using-semgrep-api) Semgrep API does not automatically group findings with the same match-based ID across branches. If you use Semgrep API to receive or pull findings data, set the `dedup` flag to `true` to deduplicate findings across refs or branches. Refer to [List code or supply chain findings](https://semgrep.dev/api/v1/docs/#tag/FindingsService/operation/FindingsService_ListFindings) in the Semgrep API docs for more information. Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Semgrep Code](/docs/tags/semgrep-code)- [Semgrep AppSec Platform](/docs/tags/semgrep-app-sec-platform)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/semgrep-code/remove-duplicates.md)Last updated on **Dec 1, 2025** --- # Triage and remediate findings Source: https://semgrep.dev/docs/semgrep-code/triage-remediation - [](/docs/)- [Scan](/docs/getting-started/quickstart)- Scan and triage- SAST (Code)- Triage and remediation**On this page- [Semgrep Code](/docs/tags/semgrep-code)- [Semgrep AppSec Platform](/docs/tags/semgrep-app-sec-platform)Triage and remediate findings This article shows you how to manage and triage identified by Semgrep Code using Semgrep AppSec Platform. The specific actions available to you when managing your findings include: - **Fixing the issue detected.** This is Semgrep's primary goal. If the rule produces a **true positive** finding, such as a security issue, developers must change or address the code so that the rule no longer matches it. - **Triaging the finding.** Deprioritize a finding if it's not helpful or important through triage. Triage actions include ignoring and reopening a previously ignored finding. Triaging a finding to **ignore** is one method to handle **false positives** without changing a rule or your code. - **Removing the rule or code that generated the finding.** There are cases where Semgrep scans a file it should ignore or scans the file with an irrelevant rule. You can [disable the rule](/docs/semgrep-code/policies#disable-rules) from the **Policies** page or [add the file to the ignore list](/docs/ignoring-files-folders-code). ### Semgrep Assistant[​](#semgrep-assistant) If you have Semgrep Assistant enabled, you receive AI-powered security recommendations to help you review, triage, and remediate your Semgrep findings: - [Remediation advice](/docs/semgrep-assistant/overview#remediation) shown in Semgrep AppSec Platform, including: [Guidance](/docs/semgrep-assistant/overview#guidance) with step-by-step instructions on how to remediate the finding identified by Semgrep Code in every pull request or merge request comment Semgrep pushes - [Autofixes](/docs/semgrep-assistant/overview#autofix), or suggested code fixes - [Component tagging](/docs/semgrep-assistant/overview#component-tags) to help identify high-priority issues Semgrep Assistant can also [auto-triage findings](/docs/semgrep-assistant/overview#auto-triage), suggest whether a finding can safely be ignored, and [filter out potential false positives](/docs/semgrep-assistant/overview#noise-filtering-beta) to help increase developer velocity. ## Triage statuses[​](#triage-statuses) **Triage** is the prioritization of a finding based on policies or criteria set by your team or organization, such as severity, coding standards, business goals, and product goals. Semgrep AppSec Platform uses the logic specified in the table below to automatically mark findings as either fixed or removed when they are no longer present in the code. Additionally, Semgrep can automatically mark findings as **provisionally ignored** based on AI analysis, validation results, and reachability analysis. You can manually **Ignore** findings or set them as **To fix** or **Reviewing** in Semgrep AppSec Platform directly through **triage** or **bulk triage** actions. The triage statuses are as follows: StatusDescription**Open**Findings are open by default. A finding is open if it was present the last time Semgrep scanned the code and has not been ignored. An open finding represents a match between the code and a rule enabled in the repository. Open findings require action, such as rewriting the code to eliminate the detected vulnerability.**Reviewing**Indicates that the finding requires investigation to determine what the next steps in the triage process should be.**Provisionally ignored**Findings that Semgrep Assistant has flagged as false positives. You can change the status to **Ignored** if you agree with Assistant's assement. Otherwise, you can change the status to **To fix** if you disagree.**To fix**Findings that you have decided to fix. Commonly used to indicate that these findings are tracked in Jira or assigned to developers for further work.**Fixed**Fixed findings were detected in a previous scan but are no longer detected in the most recent scan of that same branch due to changes in the code.**Ignored**Findings marked as ignored are present in the code but have been labeled unimportant. Ignore false positives or deprioritized issues. Mark findings as [ignored through Semgrep AppSec Platform](/docs/semgrep-code/triage-remediation) or by adding a [nosemgrep code comment](/docs/ignoring-files-folders-code#reference-summary). You can also provide a reason for ignoring a finding: **False positive**, **Acceptable risk**, **No time to fix**.**Closed**Vulnerabilities that are no longer detected after a scan. This can be due to changes in the underlying rule or the code. ### Removed findings[​](#removed-findings) Findings can also be **removed**. Semgrep considers a finding removed if it is not found in the most recent scan of the branch where Semgrep initially detected it due to any of the following conditions: - The rule that detected the finding isn't enabled in the policy anymore. - The rule that detected the finding was updated in a way that it no longer detects the finding. - The file path where the finding appeared is no longer found. The file path was deleted, renamed, added to a `.semgrepignore` file, added to a `.gitignore` file, or added to the list of ignored paths in Semgrep AppSec Platform. - For GitHub organization accounts: the pull request or merge request where the finding was detected has been closed without merging. Your removed findings do not count toward the fix rate or the number of findings. The removed findings also do not appear in Semgrep AppSec Platform. ### Triage behavior across refs and branches[​](#triage-behavior-across-refs-and-branches) - When you triage a finding as ignored, reviewing, fixing, or reopened, Semgrep always triages across other branches and [Git references](https://git-scm.com/book/en/v2/Git-Internals-Git-References) (refs). - At scan time, there's automatic triaging that occurs in specific cases, and the behavior changes depending on the type of scan: **Full scans**: if the current branch includes a finding that was Previously introduced in another branch ***and*** - Triaged to a specific state **Then** the finding in the current branch is triaged to that same state. - **Diff-aware scan**: findings introduced in a diff-aware scan are **not** automatically triaged at scan time, even if there are other instances of that finding on branches that have been triaged. ## Triage and remediation[​](#triage-and-remediation) The following sections show you how to manage your findings by: - Fixing the underlying code - Disabling a rule or a ruleset - Ignoring a finding - Reopening a finding Note that some actions, such as ignoring and reopening findings, require different steps based on whether you have chosen **Group by Rule** or **No Grouping** when viewing your results on the **Findings** page. ### Fix a finding[​](#fix-a-finding) To **fix a finding**, update or refactor the code so that the Semgrep rule pattern no longer matches it. ## Review provisionally ignored findings[​](#review-provisionally-ignored-findings) If you have Semgrep Assistant enabled, review the findings that have been **provisionally ignored**. These are findings that Semgrep Assistant has flagged as false positives. For each finding, you can change the status to **Ignored** if you agree with Assistant's assement. Otherwise, you can change the status to **To fix** if you disagree. Findings with a status of **provisionally ignored** block pull requests and merge requests if the matching rule is included in a blocking policy. ### Ignore findings[​](#ignore-findings) To handle **false positives** without changing the rule or your code, set the finding's triage status to **ignore**. Ignore findings in Group by Rule** viewTo **ignore findings** in the **Group by Rule** view: - Go to [**Code > All**](https://semgrep.dev/orgs/-/findings?tab=open), and ensure that your filters are set to display all **Open** findings. - Perform one of these steps: To select all findings for the same rule, select the first checkbox on the finding's card, then click **Triage > Ignored** . - To select individual findings reported by a rule, fill in the checkboxes of the finding, and then click **Triage > Ignored**. - Select **Ignore reason**, and optionally, provide **Comments** to describe why the finding was ignored. - Click **Submit**. Ignore findings in ** No grouping** viewTo **ignore individual finding** in the **No grouping** view, follow these steps: - Go to [Code > All](https://semgrep.dev/orgs/-/findings?tab=open), and ensure that your filters are set to display all **Open** findings. - Select the checkbox next to a finding you want to ignore, and click **Triage > Ignored**. - Select **Ignore reason**, and optionally, provide **Comments** to describe why the finding was ignored. - Click **Submit**. To **ignore multiple findings** in the **No grouping** view, follow these steps: - Go to [Code > All](https://semgrep.dev/orgs/-/findings?tab=open), and ensure that your filters are set to display all **Open** findings. - Perform one of these steps: Select all findings on the page displayed by clicking on the header row checkbox that states **X matching findings**. You can navigate to succeeding pages and add other results to the current selection. - Select all findings of interest by clicking on their checkboxes. - Click **Triage > Ignored**. - Select **Ignore reason**, and optionally, provide **Comments** to describe why the findings were ignored. - Click **Submit**. ### Reopen findings[​](#reopen-findings) You can **reopen** a finding at any time, whether you previously marked it as **ignored** or Semgrep automatically marked it as **provisionally ignored**. Reopen findings in **Group by Rule** viewTo **reopen findings** in the **Group by Rule** view, follow these steps: - Go to [Code > All](https://semgrep.dev/orgs/-/findings?tab=open), and ensure that your filters are set to display all **Ignored**, **Provisionally Ignored**, or **Fixed** findings. - Perform one of these steps: To select all findings for the same rule, select the first checkbox on the finding's card, then click **Triage > Open** . - To select individual findings reported by a rule, fill in the checkboxes of the finding, and then click **Triage > Open**. - Optional: Write a reason to describe why the finding was reopened. - Click **Submit**. Reopen findings in **No grouping** viewTo **reopen individual findings** in the No grouping view, follow these steps: - Go to [Code > All](https://semgrep.dev/orgs/-/findings?tab=open), and ensure that your filters are set to display all **Ignored**, **Provisionally Ignored**, or **Fixed** findings. - Select the checkbox next to a finding you want to reopen. Click **Triage > Open**. - Optional: Write a reason to describe why the finding was reopened. - Click **Submit**. To **reopen multiple findings** in the **No grouping** view, follow these steps: - Go to [Code > All](https://semgrep.dev/orgs/-/findings?tab=open), and ensure that your filters are set to display all **Ignored**, **Provisionally Ignored**, or **Fixed** findings. - Perform one of these steps: Select all findings on the page displayed by clicking on the header row checkbox that states **X matching findings**. You can navigate to succeeding pages and add other results to the current selection. - Select all findings of interest by clicking on their checkboxes. - Click **Triage > Open**. - Optional: Write a reason to describe why the finding was reopened. - Click **Submit**. ### Turn off a ruleset or a rule[​](#turn-off-a-ruleset-or-a-rule) You can turn off a specific rule or ruleset to prevent Semgrep Code from using it when scanning your codebase. infoWhen you turn off a rule, existing findings from that rule remain open until you re-scan your code. Disable rules and rulesetsTo disable a **rule**: - Go to the [**Policies** page](https://semgrep.dev/orgs/-/policies) and select either: The top **Number Matching Rules** checkbox to select all rules. - Individual checkboxes next to a rule to turn off rules one by one. - Click **(Number) Change modes**, then click **Disabled**. You can also set the state in the **Mode** column to **Disabled** for individual rules. To turn off a **ruleset** using the Policies page: - Go to the [**Policies** page](https://semgrep.dev/orgs/-/policies), . - Use the **Ruleset** filter's drop-down box to find and click the ruleset to remove. - Click ** **Matching rules**. - Click **Change modes > Disabled**. ## Triage findings through PR and MR comments[​](#triage-findings-through-pr-and-mr-comments) You can triage your Semgrep AppSec Platform findings displayed as comments in PRs and MRs by replying with another comment. Before proceeding, ensure that you have: - One or more repositories hosted by a [Semgrep-supported source code manager (SCM)](/docs/getting-started/scm-support). - Configured [PR or MR comments](/docs/category/pr-or-mr-comments) for your SCM. To triage a finding: - Find an open comment created by Semgrep in your pull request or merge request. - In a subsequent comment, reply with the action you want to take. You must provide a reason to help the reader understand why the finding has been triaged as ignored: CommentDescription`/fp <COMMENT>`Triage a finding as **Ignored** with the triage reason **false positive**. Provide a `<COMMENT>` with information about the triage decision.`/ar <COMMENT>`Triage a finding as **Ignored** with the triage reason **acceptable risk**. Provide a `<COMMENT>` with information about the triage decision.`/other <COMMENT>`Triage a finding as **Ignored** without specifying the reason; the triage reason value is set to **No triage reason**. Provide a `<COMMENT>` with information about the triage decision.`/open <REASON>`Reopen a finding that has been triaged as **Ignored**. Optionally, provide a `<COMMENT>` with information about the decision to reopen the finding. Semgrep attempts to reply to your comment if it successfully triages the finding. Triaging a finding as **Ignored** through a comment changes the status of the finding to **Ignored** in Semgrep AppSec Platform. However, the pull request or merge request conversation itself is **not** automatically resolved by this process. Legacy commandsSemgrep supports older versions of this feature that used the following commands: - `/semgrep ignore <REASON>` - triage a finding as **Ignored**. - `/semgrep open <REASON>` - reopen a finding that has been triaged as **Ignored**. ## Triage findings in bulk through the Semgrep API[​](#triage-findings-in-bulk-through-the-semgrep-api) Semgrep provides an API endpoint you can use to triage findings in bulk, either by passing a list of `issue_ids` or filter query parameters to select findings. You must also specify an `issue_type`, such as `sast` or `sca`, and either `new_triage_state` or `new_note`. The available `new_triage_state` values you can set are: - `open` - `reviewing` - `fixing` - `ignored` - `fixed` If specifying a `new_triage_reason`, you must also use `new_triage_state=ignored`. noteWhen retrieving findings through the API, you may also see the `provisionally_ignored` status. This status is automatically set by Semgrep and cannot be manually assigned through the bulk triage API. Refer to [** Bulk triage API documentation](https://semgrep.dev/api/v1/docs/#tag/TriageService) for complete details. Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. **Tags:**- [Semgrep Code](/docs/tags/semgrep-code)- [Semgrep AppSec Platform](/docs/tags/semgrep-app-sec-platform)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/semgrep-code/triage-remediation.md)Last updated on **Dec 10, 2025** --- # Semgrep Secrets overview Source: https://semgrep.dev/docs/semgrep-secrets/conceptual-overview - [](/docs/)- [Scan](/docs/getting-started/quickstart)- Scan and triage- Secrets- Overview**On this page- [Semgrep Secrets](/docs/tags/semgrep-secrets)Semgrep Secrets overview **Semgrep Secrets** scans code to detect exposed API keys, passwords, and other credentials. When exposed, these can be used by malicious actors to leak data or gain access to sensitive systems. Semgrep Secrets allows you to determine: - What secrets have been committed to your repository. - The validation status of the secret; for example, **valid** secrets are those that have been tested against a web service and confirmed to successfully grant resources or authentication. They are actively in use. - For GitHub repositories: if there are credentials in public or private repositories. Semgrep saves security engineers time and effort by prioritizing valid leaked secrets and informs developers of valid secrets in their PRs and MRs by posting comments directly. ## How Semgrep Secrets works[​](#how-semgrep-secrets-works) To ensure that findings are high-signal, comprehensive, and easy for users to prioritize, a Semgrep Secrets scan performs the following: - Search using regex - Semantic analysis - Validation - Entropy analysis The following sections explain how each step works. ### Detect secrets through regex[​](#detect-secrets-through-regex) Semgrep Secrets uses a regex language detector to find secrets in various file types. This is done by detecting a commonly defined prefix and then searching for the secret using its expected length and format. To reduce the number of false positives this process raises, Semgrep uses and combines as many of the following processes with its search using regex when possible: - Removal of results that are likely to be false positives - Validation - Entropy analysis ### Detect secrets through semantic analysis[​](#detect-secrets-through-semantic-analysis) Semantic analysis refers to Semgrep Secrets' ability to understand how data is used within your code. This differentiates Semgrep Secrets from regex-based detectors that simply define a pattern to match a piece of code. Semgrep Secrets uses several mechanisms to perform semantic analysis. It uses [** dataflow analysis](/docs/writing-rules/data-flow/data-flow-overview) and [** constant propagation](/docs/writing-rules/data-flow/constant-propagation) which means that it is able to track data, such as variables, and the flow of that data across files and functions in your codebase. Performing semantic analysis is encapsulated in [** rules](/docs/running-rules). By running these rules, Semgrep Secrets is able to detect if a variable is renamed, reassigned, or used in a function in such a way that a secret is exposed. See the following rule and JavaScript test code for an example. * ### Validate secrets[​](#validate-secrets) After scanning your codebase, Semgrep Secrets uses a proprietary **validator** to determine if a secret is actively being used or some other state if there is a validator defined in the rule used. infoAll validations, such as API calls, are done **locally** in your environment. No tokens are sent to Semgrep servers. - The validator detects the service, such as Slack or AWS, that the secret is used for. - If the validator doesn't support the service that the secret is used for, Semgrep notes that there is **No validator** finding for the secret. - Semgrep Secrets performs an API call if the validator supports the service. The following outcomes can occur: **Confirmed valid:** Semgrep made an HTTP request using the secret, and it returned an HTTP status code of 200 or similar **and** some indication of valid access. For example, a service can include a `"message": "ok"` in the response body. - **Confirmed invalid:** Semgrep made an HTTP request using the secret and it returned an HTTP status code of 401 or similar. - **Validation error:** Semgrep made an HTTP request using the secret, but either the network request could not be made, a timeout occurred, or the HTTP status code returned a different HTTP status code. In this case, the Semgrep Team recommends manually reviewing the finding. - **No Validator:** The rule does not have a validator. The Semgrep Team recommends manually reviewing the finding. By performing this validation check, you can prioritize and triage the most high-priority, active findings. note - For a list of all supported detectors that Semgrep offers, see the [Policies](/docs/semgrep-secrets/policies) page in your deployment. - See [Validators](/docs/semgrep-secrets/validators) for syntax and examples. ### Fine-tune findings through entropy analysis[​](#fine-tune-findings-through-entropy-analysis) Entropy is the measure of a **string's randomness**. It's used to measure how likely a string is random. If a string is highly entropic, it's highly random. For certain types of secrets, such as API keys, randomness indicates that a string could be a secret. By performing entropy analysis, Semgrep Secrets can reduce false positives and produce more true positives. Examples of high-entropy (random) strings: `EXAMPLE_HIGH_ENTROPY_STRING_REDACTED` Examples of low-entropy strings: `XXXXXXtxtPassword1` ## Next steps[​](#next-steps) See [* Scan for secrets](/docs/semgrep-secrets/getting-started) to learn how to: - Enable secrets scanning for your repositories - Manage the rules in your [policy](/docs/semgrep-secrets/policies) to control how your scan runs. - View and triage secrets-related findings - Receive notifications and post tickets whenever Semgrep Secrets identifies issues - Write [custom rules](/docs/semgrep-secrets/rules) with [validators](/docs/semgrep-secrets/validators) to find bespoke secrets Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Semgrep Secrets](/docs/tags/semgrep-secrets)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/semgrep-secrets/conceptual-overview.md)Last updated on **Oct 15, 2025** --- # Scan third-party dependencies Source: https://semgrep.dev/docs/semgrep-supply-chain/getting-started#scan-a-project-without-lockfiles-beta - [](/docs/)- [Scan](/docs/getting-started/quickstart)- Scan and triage- SCA (Supply Chain)- Open source security vulnerabilities**On this page- [Semgrep Supply Chain](/docs/tags/semgrep-supply-chain)Scan third-party dependencies This article walks you through the setup needed to scan your project with Semgrep Supply Chain and its configuration and customization options. Once you enable Semgrep Supply Chain, it automatically scans repositories that you have added to Semgrep AppSec Platform, but your repository must first meet the requirements for a successful scan. ## Project directory structure[​](#project-directory-structure) To scan your project with Semgrep Supply Chain, it must have a manifest file or lockfile and use [supported package managers and filenames](/docs/supported-languages#semgrep-supply-chain). Semgrep Supply Chain can correctly parse code files, manifest files, and lockfiles in subfolders as well. Code files that use the dependencies in the manifest file or lockfile must be nested in the same directory as the manifest file or lockfile. Manifest files and lockfiles must all use supported file names. In the following example, Semgrep Supply Chain assumes that all code files using the dependencies in `my-project/running/lockfile.json` are nested in `my-project/running/` or deeper directories. `/my-project├───/running│ ├───lockfile.json│ ├───bar.js│ └───/uphill│ ├───lockfile.json│ └────foo.js├───/biking` If you have code files in `my-project/biking,` Semgrep Supply Chain does not associate them with the dependencies in `my-project/running/lockfile.json.` If there is another manifest file or lockfile in `my-project/running`, such as `my-project/running/uphill/lockfile.json`, then this overrides the original `my-project/running/lockfile.json` for all code files in `my-project/running/uphill/` or deeper directories. Apache MavenTo run a Semgrep Supply Chain scan, generate a [dependency tree for Apache Maven](/docs/semgrep-supply-chain/setup-maven). ## Enable Semgrep Supply Chain[​](#enable-semgrep-supply-chain) - Sign in to [** Semgrep AppSec Platform](https://semgrep.dev/login). - Go to **[Settings > General > Supply Chain](https://semgrep.dev/orgs/-/settings/general/supplyChain)**. - Click the **** Supply Chain scans** toggle if it is not already enabled. ## Scan frequency[​](#scan-frequency) You can modify your CI configuration so that Semgrep Supply Chain scans your code at a specified frequency or whenever a specific event occurs, such as opening a pull request or merge request. ### Rule updates[​](#rule-updates) Semgrep Supply Chain frequently receives rule updates. To take advantage of these updates, adjust the frequency with which Semgrep Supply Chain scans your codebase. If a rule is updated, findings generated against the revised rule are considered **new findings**, even if the previous version generated a finding. The new finding is not affected by any triage actions on findings related to the prior version of the rule. Because the finding is new, you'll also receive notifications through the channels you've set up, such as Slack. ### Schedule scans[​](#schedule-scans) The following table is a summary of methods and resources to set up schedules for different CI providers. CI providerWhere to set scheduleGitHub ActionsSee [Sample CI configs](/docs/semgrep-ci/sample-ci-configs#sample-github-actions-configuration-file) for information on how to modify your `semgrep.yml` fileGitLab CI/CDRefer to [GitLab documentation](https://docs.gitlab.com/ee/ci/pipelines/schedules.html)JenkinsRefer to [Jenkins documentation](https://www.jenkins.io/doc/book/pipeline/running-pipelines/#scheduling-jobs-in-jenkins)Bitbucket PipelinesRefer to [Bitbucket documentation](https://support.atlassian.com/bitbucket-cloud/docs/pipeline-triggers/)CircleCIRefer to [CircleCI documentation](https://circleci.com/docs/scheduled-pipelines#get-started-with-scheduled-pipelines-in-circleci)BuildkiteRefer to [Buildkite documentation](https://buildkite.com/docs/pipelines/scheduled-builds)Azure PipelinesRefer to [Azure documentation](https://docs.microsoft.com/en-us/azure/devops/pipelines/process/scheduled-triggers?view=azure-devops&tabs=yaml)SemaphoreRefer to [Semaphore documentation](https://docs.semaphore.io/using-semaphore/tasks) ### Event-triggered scans[​](#event-triggered-scans) You can configure your CI/CD system to trigger a Semgrep Supply Chain scan whenever one of the following events occurs: **Event****Scope of scan****Dependency rule set**Pull request or merge request[Diff-aware scan](/docs/deployment/customize-ci-jobs#set-up-diff-aware-scans)All dependency rulesPush or scheduled event, such as a cron jobFull scanAll dependency rules ## Scan a project without lockfiles (beta)[​](#scan-a-project-without-lockfiles-beta) infoThis feature is currently in invite-only beta. Please contact [Semgrep Support](/docs/support) for more information. Semgrep Supply Chain can scan projects without the need for lockfiles. This simplifies the configuration of Supply Chain scans. This feature is available for the following languages: - C# - Java projects built using Maven or Gradle Wrapper - Kotlin - Python - Ensure that the environment where you run Semgrep scans has installed all of the dependencies required to build your project, such as Java and Maven or Python and pip. - Initiate a Semgrep scan, ensuring that you include the `--allow-local-builds` flag: `semgrep ci --allow-local-builds` For existing CI jobs, you may have to edit your configuration file to include this flag. Semgrep builds the project, using the build information included in the `pom.xml` or `build.gradle` file to determine the set of dependencies used by the project. info - Semgrep Managed Scans can't determine the dependencies in a project when there is no manifest file or lockfile, so Supply Chain scans don't return any findings. - By default, Semgrep doesn't surface errors generated during a scan. To view errors in the CLI output, include the `--verbose` when initiating your scan: ``` semgrep ci --allow-local-builds --verbose ``` ## Run a scan using the CLI[​](#run-a-scan-using-the-cli) You can start a stand-alone Semgrep Supply Chain scan by running the following command in the CLI: `semgrep ci --supply-chain` Semgrep prints a list of findings directly to the CLI, including the finding's reachability determination, severity level, a brief description, and suggested remediation. You can also view your results in Semgrep AppSec Platform. It displays all of the information displayed in the CLI, but it also offers you the ability to: - [See additional finding details](/docs/semgrep-supply-chain/findings), such as whether the finding is always reachable or if it's reachable if certain conditions are met, and its transitivity status - Use the [dependency search](/docs/semgrep-supply-chain/dependency-search) feature - Use the [license compliance](/docs/semgrep-supply-chain/license-compliance) feature ## Scan a monorepo's dependencies[​](#scan-a-monorepos-dependencies) Semgrep Supply Chain supports the scanning of monorepos. As outlined in [Project directory structure](#project-directory-structure), findings are grouped by directory based on the [manifest file or lockfile](/docs/semgrep-supply-chain/glossary#manifest-file) present in the monorepo. ## Block pull requests or merge requests[​](#block-pull-requests-or-merge-requests) You can comment on or potentially block pull requests or merge requests by defining a [Supply Chain Policy](/docs/semgrep-supply-chain/policies). Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Semgrep Supply Chain](/docs/tags/semgrep-supply-chain)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/semgrep-supply-chain/getting-started.md)Last updated on **Dec 10, 2025** --- # Semgrep Supply Chain glossary Source: https://semgrep.dev/docs/semgrep-supply-chain/glossary#transitive-or-indirect-dependency - [](/docs/)- [Scan](/docs/getting-started/quickstart)- References- Glossaries- Supply Chain glossary**On this page- [Semgrep Supply Chain](/docs/tags/semgrep-supply-chain)Semgrep Supply Chain glossary The terms and definitions provided here are specific to Semgrep Supply Chain. ## Advisory[​](#advisory) Announcement of a vulnerability, typically but not always with an associated [Common Vulnerabilities and Exposures (CVE)](https://www.cve.org/) number. All Advisories can be found by Semgrep Supply Chain rules. [Advisories](/docs/semgrep-supply-chain/advisories) can be seen on [**Rules & Policies > Advisories**](https://semgrep.dev/orgs/-/advisories). ## Dependency[​](#dependency) Publicly available code used as a part of your application. Common examples include Flask, React, and Lodash. Each dependency is listed in a registry, such as npm for JavaScript and PyPI for Python. ## Exploitability[​](#exploitability) Exploitability is the practical assessment of a vulnerability's threat, typically proved with a real proof of exploit. Proving exploitability is often the last step of triaging a vulnerability. ## EPSS probability[​](#epss-probability) The [Exploit prediction scoring system (EPSS) probability](https://www.first.org/epss/) represents the likelihood that the vulnerability will be exploited in the wild in the next 30 days. Its values range from 0% to 100%. The higher the score, the greater the probability the vulnerability will be exploited. Semgrep groups probabilities as follows: - High**: 50 - 100% - **Medium**: 10 - <50% - **Low**: <10% ## Lockfile[​](#lockfile) A lockfile describes a dependency tree to ensure that deployments and organizations install the same **dependencies and exact versions** for their codebase. Lockfile information includes versions of the dependency and any transitive (indirect) dependencies. Lockfiles are automatically generated by a package manager such as `pip` or `npm`. Semgrep Supply Chain uses lockfiles as part of its analysis to determine the exact version of a dependency that a codebase is using. ## Rules without reachability analysis[​](#rules-without-reachability-analysis) Some Semgrep Supply Chain rules do not perform reachability analysis. These rules only check a package's version against versions with known vulnerabilities. These rules produce vulnerabilities similar to GitHub Dependabot's results, and have a higher false positive rate than reachability rules. Compare its opposite: [Reachability-rules](#reachability-rules). ## Manifest file[​](#manifest-file) A manifest file describes the dependencies used in your codebase. In a manifest file, a dependency may indicate a range of versions. A package manager reads the manifest file when installing dependencies into a specific implementation of your codebase, then generates a manifest file specifying the exact version of each dependency installed and any transitive dependencies. Semgrep Supply Chain uses manifest files to resolve transitive dependencies for some languages. For more information, see [Supported languages](/docs/supported-languages#semgrep-supply-chain). ## Package manager[​](#package-manager) A software tool that interacts with a package registry to download, upload, or search for dependencies. Package managers typically generate manifest files or lockfiles by analyzing manifest files. ## Package registry[​](#package-registry) A package registry stores dependencies and provides a means to upload or download dependencies. Each programming language has its own separate registry such as npm for JavaScript and PyPI for Python. ## Reachable finding (and reachable vulnerability)[​](#reachable-finding-and-reachable-vulnerability) A reachable finding means that you are using both a vulnerable code pattern (the **usage**) and the vulnerable version of a dependency. Within Semgrep Supply Chain, specific findings (usages) are grouped together by their vulnerability. CI scans with Semgrep Supply Chain rules can block pull requests or merge requests upon detecting any reachable findings. See also [Reachability](#reachability). ## Reachability[​](#reachability) Reachability refers to whether or not a vulnerable code pattern from a dependency is used in the codebase that imports it. In Semgrep Supply Chain, both a dependency's vulnerable version and code pattern must match for a vulnerability to be considered reachable. See [Overview of Semgrep Supply Chain](/docs/semgrep-supply-chain/overview) to learn how Semgrep leverages its code-scanning and rule syntax capabilities to provide high-signal rules that determine a finding's reachability. This assists security engineers in remediation and triage processes. ## Reachability rules[​](#reachability-rules) A type of Semgrep Supply Chain rule that performs reachability analysis. A reachability rule can determine if the vulnerable code pattern from a dependency is used in the codebase that imports it. Compare its opposite: [rules without reachability analysis](#rules-without-reachability-analysis) ## Software bill of materials (SBOM)[​](#software-bill-of-materials-sbom) Software Bill of Materials (also known as 'Cyber Bill of Materials', CBOM) is an artifact produced by many software composition analysis tools. It enumerates the various components of a software artifact such as dependencies, licenses, and security statuses. SBOMs are typically generated for compliance purposes. Regularly, a security engineer or related role signs-off on the SBOM, meaning that they accept the security and legal risk of the associated artifact. Semgrep Supply Chain can export a CycloneDX 1.4 XML/JSON-formatted SBOM. ## Threat[​](#threat) A threat is any malicious event that violates the security of an application or network. A threat can result in disrupted business operations and loss or theft of data. See also [NIST definition of threat](https://csrc.nist.gov/glossary/term/threat). ## Transitive or indirect dependency[​](#transitive-or-indirect-dependency) A transitive or indirect dependency is a dependency of a dependency. If your codebase uses a dependency A, and A is dependent on B, then B is a transitive dependency. An example would be a codebase that uses Cloudinary, which is dependent on Lodash. In this example, Lodash is a transitive dependency of the codebase. For more information, see [Supported languages](/docs/supported-languages#semgrep-supply-chain). ## Transitivity[​](#transitivity) Pertains to a dependency's relationship to your codebase or first-party code. - **Direct**: Your project depends directly on the dependency. - **Transitive**: Your project's dependency depends on a vulnerable dependency. - **Undetermined**: Semgrep had no transitivity information for the dependency as it relates to your project. ## Usage[​](#usage) In Semgrep Supply Chain scans, a **usage **is a specific finding in your codebase where Semgrep has found a vulnerability. A vulnerability may have more than one usage, such as when a library is imported and used in many code files. ## Unreachable finding (and unreachable vulnerability)[​](#unreachable-finding-and-unreachable-vulnerability) An unreachable finding means that the dependency's version contains a known vulnerability, but the vulnerable code is not used within your codebase. Within Semgrep Supply Chain, specific findings (usages) are grouped together by their vulnerability. ## Vulnerability[​](#vulnerability) A vulnerability is an unintentional flaw in a dependency that can be exploited. Vulnerabilities are assigned a CVE by the [MITRE corporation](https://cve.mitre.org/). Semgrep Supply Chain uses GitHub Security Advisory (GHSA) in categorizing the severity of a vulnerability. Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. **Tags:**- [Semgrep Supply Chain](/docs/tags/semgrep-supply-chain)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/semgrep-supply-chain/glossary.md)Last updated on **Dec 19, 2025** --- # Overview Source: https://semgrep.dev/docs/semgrep-supply-chain/overview - [](/docs/)- [Scan](/docs/getting-started/quickstart)- Scan and triage- SCA (Supply Chain)- Overview**On this page- [Semgrep Supply Chain](/docs/tags/semgrep-supply-chain)OverviewSemgrep Supply Chain is a software composition analysis (SCA) tool that detects security vulnerabilities in your codebase introduced by open source dependencies. It can also: - Generate a software bill of materials (SBOM) that provides a complete inventory of your open source components - Query for information about your dependencies - Support the enforcement of your business' open source package licensing requirements - Detect malicious dependencies (this feature is currently in invite-only beta; please contact [Semgrep Support](/docs/support) for more information) ## Open source security vulnerabilities[​](#open-source-security-vulnerabilities) Semgrep Supply Chain detects [security vulnerabilities](https://nvd.nist.gov/vuln/full-listing) in your codebase introduced by open source dependencies using high-signal rules, which are instructions Semgrep uses detect patterns in code, to determine the vulnerability's [reachability](/docs/semgrep-supply-chain/glossary#reachability). To do this, Semgrep Supply Chain parses manifest files or lockfiles for a list of dependencies, then scans your codebase using rules that specify the following information: - The dependency versions that contain a vulnerability - The pattern for the vulnerable code that Semgrep compares against your code - The severity of the vulnerability The following diagram shows the relationship between a Semgrep Supply Chain rule, the codebase scanned, and its manifest file or lockfile: * ***Figure**. Relationship between a Supply Chain rule, manifest file or lockfile, CVE record, and codebase.* ### Semgrep Supply Chain rule update frequency[​](#semgrep-supply-chain-rule-update-frequency) Semgrep ingests CVE information and security advisories from the following sources: - [* Reviewed GitHub Security Advisories](https://github.com/advisories?query=type%3Areviewed) - [** Electron release notes](https://releases.electronjs.org/releases/stable) Semgrep processes new information at least once per day to: - Generate rules for new security advisories - Update rules based on changes to existing security advisories ### Types of Semgrep Supply Chain findings[​](#types-of-semgrep-supply-chain-findings) Semgrep Supply Chain generates a **finding** whenever it determines that your codebase uses or imports a package containing a vulnerability. In addition, Semgrep supports **reachability** for [generally available (GA) languages](/docs/supported-languages#language-maturity-summary): - **GA languages**: Semgrep writes rules for all critical and high CVE severity levels for GA languages. That means Semgrep Supply Chain can flag all your critical/high-severity findings as either reachable or unreachable. If there's a code pattern in the codebase that matches the vulnerability definition, the finding is flagged as **reachable**. A finding is **always reachable** if the only way to fix the vulnerability is to upgrade the dependency. Semgrep strongly recommends upgrading the dependencies involved in these findings. - A finding is **conditionally reachable** if the vulnerability can be exploited when specific conditions are met. The finding is reachable if, in addition to the dataflow reachability in code, additional factors, such as the use of a specific operating system, are met. Semgrep cannot determine whether such factors are true, so conditionally reachable findings require manual review. - If Semgrep Supply Chain determines that you don't use the vulnerable library package imported or you don't use the vulnerable piece of code of the library or package imported, the finding is flagged as **unreachable**. - If Semgrep Supply Chain determines that you use a vulnerable version of a dependency, but Semgrep Supply Chain doesn't have a relevant reachability rule, it flags the finding as **no reachability analysis**. - For **[languages where Semgrep Supply Chain doesn't currently offer rules with reachability analysis](/docs/semgrep-supply-chain/glossary#rules-without-reachability-analysis)** languages, Semgrep Supply Chain's performance is comparable to that of [GitHub's Dependabot](https://github.com/dependabot). Semgrep Supply Chain generates these findings by checking the dependency's version listed in your manifest file or lockfile against a list of versions with known vulnerabilities, but it does not run reachability analysis. Because Semgrep Supply Chain doesn't run reachability analysis, it can't determine whether the vulnerability is reachable. Such vulnerabilities are, therefore, flagged as **no reachability analysis**. Specific dependency and code match findings are called **usages**. Semgrep AppSec Platform groups all usages together by vulnerability. For each vulnerability, the UI also displays a CVE number corresponding to the [CVE program record](https://www.cve.org/About/Overview). ### Transitive dependencies and reachability analysis[​](#transitive-dependencies-and-reachability-analysis) A [transitive dependency](/docs/semgrep-supply-chain/glossary#transitive-or-indirect-dependency), also known as an indirect dependency, is a dependency of a dependency. Semgrep Supply Chain scans transitive dependencies for [all supported languages](/docs/supported-languages#semgrep-supply-chain), looking for security vulnerabilities, but it does *not* perform reachability analysis. This means that Semgrep Supply Chain doesn't check the source code of your project's dependencies to determine if their dependencies produce a reachable finding in your code. However, some dependencies are vulnerable simply through their inclusion in a codebase; in such cases, Semgrep Supply Chain generates reachable findings involving these dependencies, even if they're transitive, not direct, dependencies. Some package ecosystems allow the use of a transitive dependency as if it were a direct dependency. Though this feature is uncommon, Semgrep Supply Chain can scan for such usages and flag vulnerabilities in transitive dependencies as unreachable if not used directly. ## Software bill of materials[​](#software-bill-of-materials) Semgrep Supply Chain can [generate a software bill of materials (SBOM)](/docs/semgrep-supply-chain/sbom), a complete inventory of your third-party or open source components, to assist you with your auditing procedures. ## Dependency search[​](#dependency-search) Semgrep Supply Chain's [dependency search](/docs/semgrep-supply-chain/dependency-search) feature allows you to query for dependencies in your codebase; it can detect direct and transitive dependencies in any repository on which you have run a full scan. The results list the dependency, along with all of the repositories that use the dependency. ## License compliance[​](#license-compliance) The [license compliance](/docs/semgrep-supply-chain/license-compliance) feature ensures that you're only using open source packages whose licensing meets your organization's requirements. ## Malicious dependencies detection[​](#malicious-dependencies-detection) Semgrep can [detect malicious dependencies](/docs/semgrep-supply-chain/malicious-dependencies), which are treated as critical severity findings. If you have set up your [policies](/docs/semgrep-supply-chain/policies) to block critical severity findings, Semgrep prevents developers from merging pull requests or merge requests with malicious dependencies. ## Next steps[​](#next-steps) Semgrep Supply Chain automatically scans repositories that you have added to Semgrep AppSec Platform. Once your first scan is completed: - [View, triage, and remediate](/docs/semgrep-supply-chain/triage-and-remediation) your Supply Chain findings. [Customize Semgrep Supply Chain to ignore files and dependencies](/docs/semgrep-supply-chain/ignoring-dependencies) to support your security and business goals. - [Generate a software bill of materials (SBOM)](/docs/semgrep-supply-chain/sbom). - Query for dependencies in your codebase using [dependency search](/docs/semgrep-supply-chain/dependency-search). - Ensure that you're only [using open source packages whose licensing meets your organization's requirements](/docs/semgrep-supply-chain/license-compliance). Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Semgrep Supply Chain](/docs/tags/semgrep-supply-chain)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/semgrep-supply-chain/overview.md)Last updated on **Dec 10, 2025** --- # Set up Semgrep Supply Chain with Apache Maven (Java) Source: https://semgrep.dev/docs/semgrep-supply-chain/setup-maven/ - [](/docs/)- [Scan](/docs/getting-started/quickstart)- Set up and deploy scans- Core deployment- Scan repositories with the AppSec Platform- Configuring SCA scans- Apache Maven**On this page- [Deployment](/docs/tags/deployment)- [Semgrep Supply Chain](/docs/tags/semgrep-supply-chain)Set up Semgrep Supply Chain with Apache Maven (Java) infoSemgrep Supply Chain supports the scanning of Java projects built using Maven or Gradle Wrapper **without the need for lockfiles**. Learn more about [scanning your project without generating a Maven dependency tree](/docs/semgrep-supply-chain/getting-started#scan-a-project-without-lockfiles-beta). Semgrep Supply Chain does not read `pom.xml` files to parse Maven projects. Instead it parses a dependency tree generated by Maven (`mvn`). The **general steps** to enable Semgrep Supply Chain to correctly parse Maven projects are as follows: - Generate a file outlining the project's dependency tree by adding the following command to your build pipeline: mvn dependency:tree -DoutputFile=maven_dep_tree.txt For specific steps to add the command into your build pipeline, refer to your CI provider's documentation.- For each `pom.xml` file with dependencies you want to scan, create additional dependency trees in their respective directories. Semgrep Supply Chain can detect and parse them all.- Run the Semgrep workflow, action, or step after the dependency tree or trees have been generated. caution - Ensure that Maven is installed in the build environment that is used to generate the dependency trees. - Ensure that you generate dependency trees before running Semgrep. - This approach works for full scans. It does not work for [diff-aware scans](/docs/deployment/customize-ci-jobs#set-up-diff-aware-scans) because the generated file is not tracked by Git. You can perform the general steps in a local environment for testing. The following screenshot displays the commands running in a local environment: ## Scanning Apache Maven projects with specific CI providers[​](#scanning-apache-maven-projects-with-specific-ci-providers) This section describes steps to set up Apache Maven with specific CI providers. ## GitHub Actions[​](#github-actions) To successfully run a Semgrep Supply Chain scan in GitHub Actions, the GitHub Actions workflow must generate all dependency trees in one job and then run Semgrep after. ### Sample GitHub Actions Maven workflow[​](#sample-github-actions-maven-workflow) - Multiple pom.xml files- Single pom.xml fileIn the following code snippet, dependency trees are shared between the two jobs through a zip file that gathers all the lockfiles and, in the next job, unzips the lockfiles and runs Semgrep as usual. `on: workflow_dispatch: pull_request: {} push: branches: - master paths: - .github/workflows/semgrep.ymlname: Semgrepjobs: buildmavenDepTree: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Set up JDK 11 uses: actions/setup-java@v3 with: java-version: '11' distribution: 'temurin' - name: Build Dependency Tree # The mvn command traverses the repository and generates a dependency tree for each pom.xml file run: mvn dependency:tree -DoutputFile=maven_dep_tree.txt -Dmaven.test.skip=true - name: Create Zip File run: find . -type f -name 'maven_dep_tree.txt' -exec zip -r archive.zip {} + - name: Upload Dependency Zip uses: actions/upload-artifact@v3 with: name: zipfile path: archive.zip semgrep: needs: buildmavenDepTree name: Scan runs-on: ubuntu-latest env: SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} container: image: semgrep/semgrep steps: - uses: actions/checkout@v4 - name: Download artifact from the previous job uses: actions/download-artifact@v3 with: name: zipfile - name: Semgrep Scan run: | unzip -o archive.zip semgrep ci`The following code snippet is intended for repositories with a single `pom.xml` file. `on: workflow_dispatch: pull_request: {} push: branches: - main paths: - .github/workflows/semgrep.ymlname: Semgrepjobs: buildmavenDepTree: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Set up JDK 17 uses: actions/setup-java@v3 with: java-version: '17' distribution: 'temurin' - name: Build with Maven run: mvn --batch-mode --update-snapshots package - name: Build Dependency Tree run: mvn dependency:tree -DoutputFile=maven_dep_tree.txt - name: Upload Dependency Tree Artifact uses: actions/upload-artifact@v3 with: name: mavendeptree path: maven_dep_tree.txt semgrep: needs: buildmavenDepTree name: Scan runs-on: ubuntu-latest env: SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} container: image: semgrep/semgrep steps: - uses: actions/checkout@v4 - name: Download artifact from previous job uses: actions/download-artifact@v3 with: name: mavendeptree - run: semgrep ci` To **request support for your CI provider**, join the [Semgrep Community Slack](https://go.semgrep.dev/slack) group to ask the maintainers and the community. Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Deployment](/docs/tags/deployment)- [Semgrep Supply Chain](/docs/tags/semgrep-supply-chain)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/semgrep-supply-chain/setup-maven.md)Last updated on **Apr 3, 2025** --- # Semgrepignore v2 reference Source: https://semgrep.dev/docs/semgrepignore-v2-reference - [](/docs/)- [Write rules](/docs/writing-rules/overview)- References- Semgrepignore v2**On this pageSemgrepignore v2 reference This document covers the Semgrepignore **v2** target filtering system that replaces the legacy **v1** implementation, referred to as "v1". ## The target filtering process[​](#the-target-filtering-process) A `semgrep scan` command takes one or more scan roots as arguments. The default scan root is the current folder, `.`. Scan roots are folders, individual files, or named pipes that should be expanded into a list of regular files to be analyzed. Symbolic links are allowed as scan roots. Expanding a folder consists of listing its contents recursively with the following exceptions: - Symbolic links other than the original scan roots are ignored. - In Git projects, Git submodules are ignored. - Paths excluded via Semgrepignore patterns are ignored. Semgrepignore patterns can be of different sources which are detailed in the upcoming section. The list of files obtained by expanding the scan roots are called **target files**. To obtain target files, Semgrep follows a number of fixed rules and some configurable filters. For each scan root, Semgrep infers a **project root** (v2 only). The project root determines the location of applicable `.semgrepignore` files as well as `.gitignore` files in Git projects. In v1 where is no notion of a project root, the `.semgrepignore` file is unique and looked up in the current folder. Semgrep determines the project root for each scan root by first obtaining the real path (physical path) to the scan root. Then, Semgrep searches up the file hierarchy for a `.git` folder or similar used by one of the popular file version control systems (Git, Mercurial, etc.) indicating a project root. If no project root is found this way, it defaults to the scan root itself if it is a folder or to its containing folder if it is a regular file. cautionAs an experimental debugging aid, Semgrep provides the `--x-ls` option to list the target files. `--x-ls-long` additionally prints excluded files and a brief justification. Beware that these two options are likely to be renamed or change their behavior in the future. Meanwhile, its typical usage is: `semgrep --x-ls`or `semgrep --x-ls --experimental` ## Sources of Semgrepignore patterns[​](#sources-of-semgrepignore-patterns) A Semgrepignore pattern is a glob pattern that is matched by Semgrep against file paths to determine whether these paths should be allowed or disallowed as target files. Semgrep looks up Semgrepignore patterns in the following places: - command-line `--exclude` and `--include` filters; - the `.semgrepignore` file in the current folder (v1 only); - all the `.semgrepignore` files in the project (v2 only); - all the `.gitignore` files in the project (v2 only); - default Semgrepignore patterns. These sources of filters are grouped into precedence levels. Within a precedence level, a path can be deselected and reselected any number of times. After applying all the filters within a precedence level, only the selected paths make it to the next level. There are two precedence levels: - command-line `--exclude` and `--include` filters; - default Semgrepignore patterns, `.gitignore` files, `.semgrepignore` files. For example, consider this `.semgrepignore` file: `*.c!hello.c` In the absence of `--exclude` or `--include` filters, `hello.c` will be first deselected by `*.c` and then reselected by the negated pattern `!hello.c`. However, if we move the `*.c` exclusion pattern to the command line by invoking `semgrep --exclude *.c`, the file `hello.c` is deselected and ignored even if the `.semgrepignore` file contains `!hello.c`. In a Git project under Semgrepignore v2, `.gitignore` and `.semgrepignore` files are consulted in the same order as in the Gitignore specification. In a folder containing both a `.gitignore` and a `.semgrepignore` file, the `.gitignore` file is read before the `.semgrepignore` file. Default Semgrepignore patterns apply in projects that lack a main `.semgrepignore` file. In v1, the main `.semgrepignore` file is expected in the current folder. In v2, it is expected at the project root. These default patterns are: `# Common large pathsnode_modules/build/dist/vendor/.env/.venv/.tox/*.min.js.npm/.yarn/# Common test pathstest/tests/testsuite/*_test.go# Semgrep rules folder.semgrep# Semgrep-action log folder.semgrep_logs/` ## Semgrepignore pattern syntax[​](#semgrepignore-pattern-syntax) In Semgrepignore v2, the pattern syntax conforms to the [Gitignore pattern syntax](https://git-scm.com/docs/gitignore#_pattern_format). They are glob patterns which support `*` and `**` with their usual meanings. For example, pattern `**/tmp/*.js` matches paths `tmp/foo.js` and `src/tmp/bar.js`. Note that the Gitignore specification contains subtleties associated with determining whether a pattern is anchored (relative to the folder containing the pattern) or floating (relative to the folder containing the pattern or any of its subfolders). For example, `/a` and `a/b` are anchored patterns but not `a/`. Please consult the Gitignore documentation for details. As a deviation from the Gitignore syntax, Semgrepignore syntax supports `:include` directives. `:include` followed by an unquoted file path relative to the path of folder of the source `.semgrepignore` file (the current folder in v1) inserts patterns from that file. A common use case is to insert the line `:include .gitignore` at the beginning of a `.semgrepignore` file so as to avoid duplicating the Gitignore patterns. Included files may not contain include directives. ## Legacy Semgrepignore v1[​](#legacy-semgrepignore-v1) In Semgrepignore v1, the following exceptions to the v2 specification apply: - unsupported: pattern negation with `!` - unsupported: character ranges such as `[a-z]` - only one `.semgrepignore` file is supported and it must be in the current folder Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. [Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/semgrepignore-v2-reference.md)Last updated on Aug 28, 2025** --- # Support Source: https://semgrep.dev/docs/support/ - [](/docs/)- [Help](/docs/support)- Support & resources- Support**On this page- [Support](/docs/tags/support)- [Troubleshooting](/docs/tags/troubleshooting)Support This document provides various methods for all users of Semgrep to get help. ## Support for Semgrep customers[​](#support-for-semgrep-customers) All paying customers have access to a variety of support channels, technical documentation, and an active community of Semgrep users to help them make the most out of their Semgrep subscription. ### Support hours[​](#support-hours) Semgrep technical support is available 18 hours a day, five days a week, from 8 AM to 1 AM UTC, Monday to Friday, excluding Semgrep-recognized holidays. ### Contact support[​](#contact-support) All Semgrep customers can contact Semgrep Support through the following methods. tipYou can also join various **beta programs** through these channels. #### Slack[​](#slack) Customers with a private Slack channel with Semgrep can open a support case directly from Slack. #### Web[​](#web) Customers who log in to Semgrep AppSec Platform can open a support case from the [Help section](https://semgrep.dev/orgs/-/support). #### Email[​](#email) You can email the Support team at [support@semgrep.com](mailto:support@semgrep.com). For urgent or high priority issues, use Slack or [Semgrep AppSec Platform's Help section](https://semgrep.dev/orgs/-/support), so that you can set the appropriate priority on your issue. ## Support for all Semgrep users (community support)[​](#support-for-all-semgrep-users-community-support) [Join the Slack community](https://go.semgrep.dev/slack) to chat with the Semgrep maintainers and support engineers. All users, including Semgrep Community Edition (CE) users and Semgrep AppSec Platform users without a paid subscription plan, are welcome to ask for help in the community Slack group. Users interested in seeing a proof of concept can also [request a demo](https://semgrep.dev/contact/demo/) or [email Sales](mailto:sales@semgrep.com). ## Semgrep CE support[​](#semgrep-ce-support) Users of Semgrep CE can log bugs and feature requests in the [semgrep](https://github.com/semgrep/semgrep/issues) repository. They can also ask questions regarding usage, rollouts, and deployments in the [community Slack group](https://go.semgrep.dev/slack). ## Status page[​](#status-page) The [Semgrep status page](https://status.semgrep.dev/) enables users to subscribe to notifications whenever a service incident is created, updated, or resolved. Check the status page to see any current or past service incidents or to review historical uptime. Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Support](/docs/tags/support)- [Troubleshooting](/docs/tags/troubleshooting)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/support.md)Last updated on **Nov 25, 2025** --- # Supported languages Source: https://semgrep.dev/docs/supported-languages - [](/docs/)- [Scan](/docs/getting-started/quickstart)- Get started- Supported languages**On this page- [Deployment](/docs/tags/deployment)Supported languages This document provides information about supported languages and language maturity definitions for the following products: - **Semgrep Code (SAST)** - a static application security testing (SAST) solution designed to detect complex security vulnerabilities. - **Semgrep Supply Chain (SCA)** - a software composition analysis (SCA) tool that detects security vulnerabilities in your codebase introduced by open source dependencies. Semgrep Code and Semgrep Supply Chain are free for [small teams](https://semgrep.dev/pricing). ## Language maturity summary[​](#language-maturity-summary) The following table lists all **Generally available (GA)** and **Beta** languages for Semgrep Code and Semgrep Supply Chain. Languages are arranged by feature completeness from most to least. **Cross-file (interfile)** analysis for Semgrep Code and **reachability** analysis for Semgrep Supply Chain are the most advanced analyses that Semgrep provides; see [Feature definitions](#feature-definitions) for more details. **Languages****Semgrep Code**Supports 35+ languages**Semgrep Supply Chain**Supports 14 languages[C#](/docs/languages/csharp)**Generally available** • Cross-file dataflow analysis • Supports up to C# 13 • 170+ Pro rules **Generally available** • Reachability analysis • Can detect open source licenses • Can detect malicious dependencies[Go](/docs/languages/go)**Generally available** • Cross-file dataflow analysis • 80+ Pro rules **Generally available** • Reachability analysis • Can detect open source licenses • Can detect malicious dependencies[Java](/docs/languages/java)**Generally available** • Cross-file dataflow analysis • Framework-specific control flow analysis • 190+ Pro rules **Generally available** • Reachability analysis • Can detect open source licenses[JavaScript](/docs/languages/javascript)**Generally available** • Cross-file dataflow analysis • Framework-specific control flow analysis • 250+ Pro rules**Generally available** • Reachability analysis • Can detect open source licenses • Can detect malicious dependencies[Kotlin](/docs/languages/kotlin)**Generally available ** • Cross-file dataflow analysis • 60+ Pro rules**Generally available** • Reachability analysis • Can detect open source licenses[Python](/docs/languages/python)**Generally available** • Cross-file dataflow analysis • Framework-specific control flow analysis • 710+ Pro rules • See [Python-specific support details](/docs/languages/python)**Generally available** • Reachability analysis • Can detect open source licenses • Can detect malicious dependenciesTypescript**Generally available ** • Cross-file dataflow analysis • Framework-specific control flow analysis • 230+ Pro rules**Generally available** • Reachability analysis • Can detect malicious dependencies • Can detect open source licensesC / C++**Generally available** • Cross-file dataflow analysis • 150+ Pro rules N/aJSX**Generally available ** • Cross-function dataflow analysis • 70+ Pro rules**Generally available** • Reachability analysis • Can detect open source licenses[Ruby](/docs/languages/ruby)**Generally available ** • Cross-function dataflow analysis • 40+ Pro rules**Generally available** • Reachability analysis • Can detect open source licenses • Can detect malicious dependencies[Scala](/docs/languages/scala)**Generally available ** • Cross-function dataflow analysis • Community rules**Generally available** • Reachability analysis • Can detect open source licenses[Swift](/docs/languages/swift)**Generally available ** • Cross-function dataflow analysis • 60+ Pro rules**Generally available** • Reachability analysis • Can detect open source licensesRust**Generally available ** • Cross-function dataflow analysis • 40+ Pro rules**Beta** • Can detect open source licenses • Can detect malicious dependenciesPHP**Generally available ** • Cross-function dataflow analysis • 50+ Pro rules**Generally available** • Reachability analysis • Can detect open source licensesTerraform**Generally available** • Cross-function dataflow analysis • Community rulesN/aGeneric**Generally available **N/aJSON**Generally available **N/aElixir**Beta****Beta**APEX**Beta**--Dart**Experimental****Beta** Click to view experimental languages for Semgrep Code. - Bash - Cairo - Circom - Clojure - Dockerfile - Hack - HTML - Jsonnet - Julia - Lisp - Lua - Move on Aptos - Move on Sui - OCaml - R - Scheme - Solidity - YAML - XML ### Language maturity levels[​](#language-maturity-levels) #### Semgrep Code[​](#semgrep-code) Semgrep Code languages can be classified into four maturity levels: - Generally available (GA) - Beta - Experimental - Community supported* *Community supported languages meet the parse rate and syntax requirements of **Experimental** languages. Users can still access community rules or write their own rules. Click to view table of definitions.**Feature****GA****Beta****Experimental****Community supported**SupportHighest quality support by the Semgrep team. Reported issues are resolved promptly.Supported by the Semgrep team. Reported issues are fixed after GA languages.There are limitations to this language's functionality. Reported issues are tracked and prioritized with best effort.These languages are supported by the Semgrep community. While Semgrep may develop rules or engine updates for these languages, they are not prioritized.Parse Rate99%+95%+90%+Number of Pro rules10+5+0+. Query the [Registry](https://semgrep.dev/r) to see if any rules exist for your language.Semgrep syntaxRegex, equivalence, deep expression operators, types and typing. All features supported in Beta.Complete metavariable support, metavariable equality. All features supported in Experimental.Syntax, ellipsis operator, basic metavariable functionality. #### Semgrep Supply Chain[​](#semgrep-supply-chain) Semgrep Supply Chain has two language maturity levels: - Generally available - Beta Click to view table of definitions.**Feature****Generally available****Beta**Number of reachability rulesAs defined by [CVE coverage](#cve-coverage).All critical severity CVEs from [supported sources](#supported-sources) starting 2022 onwards, for packages used by customers with an active, paid subscription.Semgrep, Inc. rule-writing supportQuickly support CVE coverage with reachability analysis for all critical and high vulnerabilities based on the latest [security advisories](https://nvd.nist.gov/vuln).Coverage for CVEs but without reachability analysis.Semgrep Community Edition (CE) [language support](/supported-languages#semgrep-oss-language-support)Semgrep CE support is GA.Semgrep CE support is at least Beta. ### Feature definitions[​](#feature-definitions) Cross-file dataflow analysisCross-file analysis (also known as **interfile analysis**) takes into account how information flows between files. In particular, cross-file analysis includes **cross-file taint analysis**, which tracks unsanitized variables flowing from a source to a sink through arbitrarily many files. Other analyses performed across files include constant propagation and type inference. Cross-file analysis is usually used in contrast to intrafile, or per-file analysis, where each file is analyzed as a standalone block of code. Languages with cross-file support also include cross-function support. Cross-function dataflow analysisCross-function analysis means that interactions between functions are taken into account. This improves taint analysis, which tracks unsanitized variables flowing from a source to a sink through arbitrarily many functions. Reachability analysisReachability refers to whether or not a vulnerable code pattern from a dependency is used in the codebase that imports it. In Semgrep Supply Chain, both a dependency's vulnerable version and code pattern must match for a vulnerability to be considered reachable. See [Overview of Semgrep Supply Chain](/docs/semgrep-supply-chain/overview) to learn how Semgrep leverages its code-scanning and rule syntax capabilities to provide high-signal rules that determine a finding's reachability. This assists security engineers in remediation and triage processes. tipSee [Language maturity levels](#language-maturity-levels) to learn which features define GA or beta language support. ## Semgrep Supply Chain feature support[​](#semgrep-supply-chain-feature-support) Semgrep Supply Chain is a software composition analysis (SCA) tool that detects security vulnerabilities in your codebase introduced by open source dependencies. It can also: - Generate a software bill of materials (SBOM) that provides a complete inventory of your open source components - Query for information about your dependencies - Support the enforcement of your business' open source package licensing requirements - Detect malicious dependencies (this feature is currently in invite-only beta; please contact [Semgrep Support](/docs/support) for more information) For projects with lockfiles, Semgrep parses lockfiles for dependencies, then scans your codebase for reachable findings based on the lockfiles. For a lockfile to be scanned by Semgrep Supply Chain, it must have one of the supported lockfile names. For some languages, a lockfile or manifest file is parsed to determine [transitivity](/docs/semgrep-supply-chain/glossary#transitive-or-indirect-dependency). See [Transitive dependencies and reachability analysis](/docs/semgrep-supply-chain/overview#transitive-dependencies-and-reachability-analysis) for more information. Additionally, Semgrep offers beta support for the scanning of projects written in the following languages **without lockfiles**: - C# - Java - Kotlin - Python - Ruby ### Package manager support[​](#package-manager-support) The following table lists all Semgrep-supported package managers for each language. Languages with **reachability** support are listed first. LanguageSupported package managersManifest file or lockfileC#NuGet`packages.lock.json`GoGo modules (`go mod`)`go.mod`JavaGradle`gradle.lockfile`MavenMaven-generated dependency tree (See [Setting up SSC scans for Apache Maven](/docs/semgrep-supply-chain/setup-maven/) for instructions.)JavaScript or TypeScriptnpm`package-lock.json`Yarn`yarn.lock`pnpm`pnpm-lock.yaml`KotlinGradle`gradle.lockfile`MavenMaven-generated dependency tree (See [Setting up SSC scans for Apache Maven](/docs/semgrep-supply-chain/setup-maven/) for instructions.)PythonpipAny of the following: - `*requirement*.txt` or `*requirement*.pip`- Any manifest file in a requirements folder, such as `**/requirements/*.txt` or `**/requirements/*.pip` The file must be generated automatically and have values set to exact versions (pinned dependencies).pip-toolsPipenv`Pipfile.lock`Poetry`poetry.lock`uv`uv.lock`RubyRubyGems`Gemfile.lock`ScalaMavenMaven-generated dependency tree (See [Setting up SSC scans for Apache Maven](/docs/semgrep-supply-chain/setup-maven/) for instructions.)SwiftSwiftPM`Package.swift` file and Swift-generated `Package.resolved` file. (See [Swift documentation ](https://www.swift.org/documentation/package-manager/) for instructions.)RustCargo*`cargo.lock`DartPub`pubspec.lock`ElixirHex`mix.lock`PHPComposer`composer.lock` ******Supply Chain does not analyze the transitivity of packages for these language and manifest file or lockfile combinations. All dependencies are listed as **No Reachability Analysis.*** ### Feature support[​](#feature-support) The following table lists all Supply Chain features for each language. Languages with **reachability** support are listed first. LanguageReachability(see [CVE coverage](#cve-coverage))[Scan without lockfiles (beta)](/docs/semgrep-supply-chain/getting-started#scan-a-project-without-lockfiles-beta)License detectionMalicious dependencydetectionC#✅✅✅✅Go✅--✅✅Java✅✅✅--JavaScript or TypeScript✅--✅✅Kotlin✅✅✅--Python✅✅✅ For PyPi only✅Ruby✅--✅✅Scala✅--✅--Swift✅--✅†--PHP✅--✅--RustNo reachability analysis. However, Semgrep can compare a package's version against a list of versions with known vulnerabilities.--✅✅Dart------Elixir------ ***†**License detection for new packages is asynchronous and processed after the initial scan. Policies aren't applied on first detection, but are enforced in subsequent scans.* #### CVE coverage[​](#cve-coverage) For customers with an active paid subscription, Semgrep’s reachability analysis covers all **critical and high severity** CVEs from [supported sources](#supported-sources) starting in 2017 across all supported languages. ##### Supported sources[​](#supported-sources) - [** Reviewed GitHub Security Advisories](https://github.com/advisories?query=type%3Areviewed) - [** Electron release notes](https://releases.electronjs.org/releases/stable) ### Feature and product maturity levels[​](#feature-and-product-maturity-levels) The detailed specifications previously provided apply only to language support. Language maturity levels differ from feature and product maturity levels. ## More information[​](#more-information) Visit the cheat sheet generation script and associated semgrep-core test files to learn more about each feature: - [Generation script](https://github.com/semgrep/semgrep/blob/develop/scripts/generate_cheatsheet.py) - [`semgrep-core` test files](https://github.com/semgrep/semgrep/tree/develop/tests) Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Deployment](/docs/tags/deployment)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/supported-languages.md)Last updated on **Jan 7, 2026** --- # Documentation Source: https://semgrep.dev/docs/tags/deployment [## Add Semgrep to CI/CD](/docs/deployment/add-semgrep-to-ci)Set up your CI pipeline with Semgrep AppSec Platform for centralized rule and findings management. --- # Documentation Source: https://semgrep.dev/docs/tags/guides-for-developers [## Overview](/docs/for-developers/overview)An overview of Semgrep for developers. Learn the basics of Semgrep and how it integrates into your coding workflows and environment. --- # Documentation Source: https://semgrep.dev/docs/tags/rule-writing [## Advanced techniques for taint analysis](/docs/writing-rules/data-flow/taint-mode/advanced)Learn advanced techniques for taint mode, which allows you to write rules to catch complex injection bugs. --- # Documentation Source: https://semgrep.dev/docs/tags/support [## Claim a license](/docs/deployment/claim-a-license)Learn how to claim a Semgrep license. --- # Documentation Source: https://semgrep.dev/docs/tags/troubleshooting [## SAML SSO Error: Signature validation failed](/docs/kb/semgrep-appsec-platform/saml-bad-signature)If SAML signature validation fails, check your certificate upload and information. --- # Semgrep trophy case Source: https://semgrep.dev/docs/trophy-case - [](/docs/)- [Support & resources](/docs/trophy-case)- Semgrep trophy case- [Rule writing](/docs/tags/rule-writing)Semgrep trophy case This is a list of vulnerabilities found and security fixes made with Semgrep. Add yours [with a pull request](https://github.com/semgrep/semgrep-docs/blob/main/docs/trophy-case.md)! CVEs**CVE****Semgrep rule****Affected software****Description**[CVE-2025-59034](https://nvd.nist.gov/vuln/detail/CVE-2025-59034)Indico v3.3.7Insecure direct object reference used to retrieve profile details of other users, circumventing access check.[CVE-2025-29783](https://nvd.nist.gov/vuln/detail/CVE-2025-29783)[python.lang.security.deserialization.pickle.avoid-pickle](https://semgrep.dev/r?q=python.lang.security.deserialization.pickle.avoid-pickle)vLLM v0.8.2Unsafe deserialization allowed execution of remote code on distributed hosts using Mooncake.[CVE-2019-5479](https://nvd.nist.gov/vuln/detail/CVE-2019-5479)[javascript.lang.security.detect-non-literal-require](https://semgrep.dev/r?q=javascript.lang.security.detect-non-literal-require)larbitbase-api < v0.5.5An unintended require vulnerability in <v0.5.5 larvitbase-api may allow an attacker to load arbitrary non-production code (JavaScript file).[CVE-2020-8128](https://nvd.nist.gov/vuln/detail/CVE-2020-8128)[javascript.lang.security.detect-non-literal-require](https://semgrep.dev/r?q=javascript.lang.security.detect-non-literal-require)jsreport < 2.5.0An unintended require and server-side request forgery vulnerabilities in jsreport version 2.5.0 and earlier allow attackers to execute arbitrary code.[CVE-2020-8129](https://nvd.nist.gov/vuln/detail/CVE-2020-8129)[javascript.lang.security.detect-non-literal-require](https://semgrep.dev/r?q=javascript.lang.security.detect-non-literal-require)script-manager < 0.8.6An unintended require vulnerability in script-manager npm package version 0.8.6 and earlier may allow attackers to execute arbitrary code.[CVE-2020-7739](https://nvd.nist.gov/vuln/detail/CVE-2020-7739)[javascript.phantom.security.audit.phantom-injection](https://semgrep.dev/r?q=javascript.phantom.security.audit.phantom-injection)phantomjs-seoThis affects all versions of package phantomjs-seo. It is possible for an attacker to craft a URL that will be passed to a PhantomJS instance allowing for an SSRF attack.[CVE-2020-7740](https://nvd.nist.gov/vuln/detail/CVE-2020-7740)[javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection](https://semgrep.dev/r?q=javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection)node-pdf-generatorThis affects all versions of package node-pdf-generator. Due to lack of user input validation and sanitization done to the content given to node-pdf-generator, it is possible for an attacker to craft a URL that will be passed to an external server allowing an SSRF attack.[CVE-2020-7749](https://nvd.nist.gov/vuln/detail/CVE-2020-7749)[javascript.puppeteer.security.audit.puppeteer-setcontent-injection](https://semgrep.dev/r?q=javascript.puppeteer.security.audit.puppeteer-setcontent-injection)osm-static-mapsThis affects all versions of package osm-static-maps. User input given to the package is passed directly to a template without escaping (`{{{ ... }}}`). As such, it is possible for an attacker to inject arbitrary HTML/JS code and depending on the context. It will be outputted as an HTML on the page which gives opportunity for XSS or rendered on the server (puppeteer) which also gives opportunity for SSRF and Local File Read. Open Source Contributions**Affected software****Semgrep rule****Description**[Open EdX](https://github.com/edx/edx-platform/commit/3f1220276d72cada2d4aa5f812768a3dff6e711a#diff-4e1bff4f8c5f8ff3ffb5aad2c61aa9433876ba2462c62f22488f2382457a84ae)[python.requests.security.disabled-cert-validation](https://semgrep.dev/r?q=python.requests.security.disabled-cert-validation)SSL certification is disabled in order to accept self-signed certificates.[RPyC](https://github.com/tomerfiliba-org/rpyc/pull/376)[python.lang.correctness.common-mistakes.default-mutable-dict](https://semgrep.dev/r?q=python.lang.correctness.common-mistakes.default-mutable-dict)In python, the default values of function parameters are instantiated at function definition time. All calls to that function that use the default value all point to the same global object. Because of this, two instances of Server (initialized without passing in a protocol_config option) actually share the same protocol_config. So modifying one server's config affects the other ones.[CMake](https://gitlab.kitware.com/cmake/cmake/-/merge_requests/4432)[python.lang.correctness.common-mistakes.default-mutable-dict](https://semgrep.dev/r?q=python.lang.correctness.common-mistakes.default-mutable-dict)`ConvertMSBuildXMLToJSON`: Fix python mutable default data structure[lte-template-flask](https://github.com/ucfopen/lti-template-flask/pull/13)[python.flask.security.unescaped-template-extension](https://semgrep.dev/r?q=python.flask.security.unescaped-template-extension)Passing the host parameter to your jinja template in `views.py:63`. `lis_person_name_full` comes from `request.form.get('lis_person_name_full')`. This line may be susceptible to XSS attacks. I went ahead and html-escaped the `lis_person_name_full` variable in `launch.htm.j2` file using the `{{ value|e }}` pattern in Jinja. ([https://jinja.palletsprojects.com/en/2.10.x/templates/#working-with-manual-escaping](https://jinja.palletsprojects.com/en/2.10.x/templates/#working-with-manual-escaping)). Note that if your template file extensions ended with `.html`, `.htm`, `.xml`, or `.xhtml`, they would have been automatically html escaped.[netskrafl.is](https://github.com/mideind/Netskrafl/pull/76)[python.flask.security.xss.audit.template-unescaped-with-safe](https://semgrep.dev/r?q=python.flask.security.xss.audit.template-unescaped-with-safe)The `| safe` filter from `from_url` in the `userprefs.html` template causes XSS.[pdfcpu](https://github.com/pdfcpu/pdfcpu/pull/200)[go.lang.correctness.useless-eqeq.eqeq-is-bad](https://semgrep.dev/r?q=go.lang.correctness.useless-eqeq.eqeq-is-bad)It looks like this test case in `pkg/pdfcpu/image_test.go` was intending to compare `bb1` with `bb2`, but it was comparing `bb1` twice.Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. **Tags:**- [Rule writing](/docs/tags/rule-writing)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/trophy-case.md)Last updated on **Nov 25, 2025** --- # Troubleshooting rules Source: https://semgrep.dev/docs/troubleshooting/rules - [](/docs/)- [Write rules](/docs/writing-rules/overview)- Write rules for Semgrep Code- Troubleshooting rules**On this page- [Troubleshooting](/docs/tags/troubleshooting)- [Rule writing](/docs/tags/rule-writing)Troubleshooting rules This page intends to help rule authors fix common mistakes when writing Semgrep rules. If you have a problem while running a rule you didn't write yourself, please [open a GitHub issue in the Semgrep Registry](https://github.com/semgrep/semgrep-rules/issues/new/choose) repository. ## If your pattern can’t be parsed[​](#if-your-pattern-cant-be-parsed) This error means your pattern does not look like complete source code in the selected language. "Complete source code" means that the Semgrep pattern must look like a valid, complete expression or statement on its own. To illustrate with an example, Python isn't able to parse `if 4 < 5` as a line of code, because it's missing the code block on the right hand side. `>>> if 4 < 5 File "<stdin>", line 1 if 4 < 5 ^SyntaxError: invalid syntax>>>` To get Python to parse this, you need to add a colon and a code block: `>>> if 4 < 5: print("it works!")...it works!>>>` The same way Python's parser cannot parse partial statements or expressions, Semgrep cannot either. The Semgrep pattern `if $X < 5` is invalid, and needs to be changed to a complete statement with a wildcard: `if $X < 5: ...` While this is the most common reason for pattern parse errors, other things to verify include: - Making sure the correct language is indicated in the rule. - Making sure that any metavariables you use are in all uppercase and does not start with a number. Valid metavariable names include `$X`, `$NAME`, and `$_VAR_2`. Invalid metavariable names include `$name`, `$1stvar` and `$VAR-WITH-DASHES`. ## If your rule doesn't match where it should[​](#if-your-rule-doesnt-match-where-it-should) In general, it helps to test the patterns within your rule in isolation. If you scan for the patterns individually and they each find what you expect, the issue is with the Boolean logic within your rule. Review the [rule syntax](/docs/writing-rules/rule-syntax) to make sure the operators are meant to behave like you expect. If you managed to find a pattern that behaves incorrectly, continue debugging with the section below. ## If your pattern doesn't match where it should[​](#if-your-pattern-doesnt-match-where-it-should) If you isolated the issue to one specific pattern, here are some common issues to look out for: - When referencing something imported from a module, you need to fully qualify the import path. To match `import google.metrics; metrics.send(foo)` in Python, your pattern needs to be `google.metrics.send(...)` instead of `metrics.send(...)`. - If your pattern uses a metavariable, make sure it's all uppercase and does not start with a number. Valid metavariable names include `$X`, `$NAME`, and `$_VAR_2`. Invalid metavariable names include `$name`, `$1stvar` and `$VAR-WITH-DASHES`. ## If a regex pattern doesn't match where it should[​](#if-a-regex-pattern-doesnt-match-where-it-should) - When using `metavariable-regex`, the regex matches against all characters of the found metavariable. This means that if the metavariable matches a `"foo"` string in your code, the `metavariable-regex` pattern runs against a five character string with the quote characters at either end. - Note that using the pipe (`|`) character appends a newline to your regex! If you are writing `pattern-regex: |` and then a newline with the regex, you almost certainly want the `|-` operator as in `pattern-regex: |-` to remove that trailing newline. Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Troubleshooting](/docs/tags/troubleshooting)- [Rule writing](/docs/tags/rule-writing)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/troubleshooting/rules.md)Last updated on **Oct 15, 2025** --- # Usage and billing Source: https://semgrep.dev/docs/usage-and-billing - [](/docs/)- [Support & resources](/docs/trophy-case)- Usage and billing**On this page- [Support](/docs/tags/support)- [Semgrep AppSec Platform](/docs/tags/semgrep-app-sec-platform)Usage and billing Learn about usage computation and other aspects of your Semgrep licenses. note - This document is for **Semgrep AppSec Platform** users; Semgrep Community Edition (CE) does not have any usage limit. Compare [** Semgrep AppSec Platform and Semgrep CE](/docs/semgrep-pro-vs-oss). ## Usage[​](#usage) Several Semgrep AppSec Platform products are free under the **Team** tier for **10 monthly contributors**. These products include: - Semgrep Code - Semgrep Supply Chain A **contributor** is someone who has made at least **one** commit to a Semgrep-scanned **private** repository within the last 30 days, starting from the **date of license purchase** if a license was purchased, or the date of account creation, for accounts using Semgrep within usage limits. Any type of Semgrep AppSec Platform scan counts towards the contributor total. This includes: - Scanning with Semgrep Code or Supply Chain. - Full scans on a repository or partial scans on a pull request or merge request. ### Multiple Semgrep organization accounts[​](#multiple-semgrep-organization-accounts) If your company creates multiple Semgrep organizations, the ten-contributor limit applies across **all** of your organizations. For example, if your company creates three Semgrep organizations, each with the following number of contributors: - Organization 1 has 8 contributors - Organization 2 has 9 contributors - Organization 3 has 10 contributors Your company has 27 contributors across three organizations, and you are over the 10-contributor limit. You must purchase licenses for 27 contributors. Small teams and startupsIf you are a small team, such as an **11-person team**, you may be eligible for Semgrep's startup pricing, which provides a discounted rate. Fill out the [** Startup pricing](https://semgrep.dev/contact/contact-us-startups) form to apply. ### Usage computation[​](#usage-computation) Contributors are calculated using `git log` over the **past 30 days** (a rolling interval), not the beginning of each month. The start date is either: - The date of your license purchase. - The date of account creation, if you and your team are within usage limits. **Bots** and similar automations are excluded from this count. ### Exceeding the free usage limit[​](#exceeding-the-free-usage-limit) Semgrep scans stop when the usage limit is exceeded. Resume scanning through: - A one-time 30-day free trial that starts automatically when the usage limit is exceeded for the first time. - Purchasing additional licenses. - Waiting for the next billing cycle. If the first scan exceeds the usage limit, Semgrep still completes the first scan and a one-time 30-day free trial automatically starts. After the trial concludes, if scans are attempted on private repositories that exceed the usage limit, scans will not run until additional licenses are purchased. ### Usage limit on public projects[​](#usage-limit-on-public-projects) Public projects have no limits on contributors. ### Semgrep CLI commands subject to usage limits[​](#semgrep-cli-commands-subject-to-usage-limits) - The `semgrep scan` command is subject to the usage limit only if the scan is by a logged-in contributor. - Semgrep computes contributor counts for any logged-in scan command such as `semgrep ci` and `semgrep scan`. ## Determine your plan needs[​](#determine-your-plan-needs) Within your team or organization, assess the number of **contributors**. Contributors are members of your organization that make commits. That determines the number of **licenses** needed for the plan purchase. For example, if a project has 4 unique contributors who create commits during the billing period while Semgrep is scanning their repositories, only 4 licenses are required even if the organization has a total of 10 members. Contributors are counted only once even if they commit to many projects within the same organization, so no additional licenses are required. infoSemgrep provides a special pricing program for small teams and startups. Fill out the [** Startup pricing](https://semgrep.dev/contact/contact-us-startups) form to apply. All members of the organization, regardless of contributor (license) status, have access to paid features for the chosen tier. This means that project managers and other non-programming roles can still view the Semgrep AppSec Platform dashboard. ### Single-product purchases[​](#single-product-purchases) You can choose to purchase a single product. Products can also be turned off from the [Settings page](https://semgrep.dev/orgs/-/settings). ### Number of licenses per product[​](#number-of-licenses-per-product) You must purchase an **equal number of licenses** for each product you intend to use. For example, you cannot purchase 4 licenses of Semgrep Supply Chain and 9 licenses of Semgrep Code. ## Reconciliation of licenses and usage[​](#reconciliation-of-licenses-and-usage) If your organization exceeds the number of purchased licenses for the period defined in your contract, your organization will be charged based on the number of licenses that exceeded the purchased amount. The additional charge starts the month after the use of licenses exceeds the contracted amount. Check in with your Semgrep Account Executive every **60 days** if you need more licenses than initially purchased. ### Example of license reconciliation[​](#example-of-license-reconciliation) On January 21, you purchased annual licenses for 50 developers of Semgrep Supply Chain’s Team tier ($40 per developer per month). The 21 of the month is the start date of the annual contract. In the following month, on February 28, the number of used developer licenses exceeded the original purchased quantity by 20 users. This requires a contract adjustment. Contract adjustment: - Since the organization’s use exceeded the amount of purchased licenses on February 28, the future date of March 21 is selected to align with the remaining months in the contract. There are 10 months remaining in the contract. - The additional amount charged, the add-on cost, is $8,000 ($40 per developer per month x 10 months x 20 users). - Resulting add-on cost: **$8,000** ## Upgrade your plan[​](#upgrade-your-plan) To upgrade to the **Team tier** using a credit card: - Navigate to **Settings** > **Usage & billing**. - Choose the product you want to upgrade. You can upgrade Semgrep Code, Semgrep Supply Chain, or both. Click **Upgrade**. - Review the details of your order, and ensure that the number of licenses you're purchasing is accurate. - Provide your payment details, and click **Subscribe**. To purchase licenses for Semgrep Secrets, or to upgrade to the **Enterprise tier**, please contact [Semgrep Sales](mailto:sales@semgrep.com). ### Billing[​](#billing) Team tier users who pay through a credit card are charged monthly. Enterprise tier users are charged at an agreed-upon billing cycle. For any concerns such as custom payment methods and billing cycles, send an email to the Semgrep sales team at [billing@semgrep.com](mailto:billing@semgrep.com). ## Modify or cancel your plan[​](#modify-or-cancel-your-plan) To modify or cancel your plan, send an email to [billing@semgrep.com](mailto:billing@semgrep.com). ## Pay for your plan[​](#pay-for-your-plan) Pay through the following methods: Pay using your credit card.The payment will be processed through Stripe. If you need to change the credit card on file, please reach out to [billing@semgrep.com](mailto:billing@semgrep.com), and Semgrep will contact you for your updated credit card information.Pay through a purchase order or invoice.Send an email to [billing@semgrep.com](mailto:billing@semgrep.com). ## See also[​](#see-also) - [Supported languages](/docs/supported-languages) - [List of vulnerabilities found and fixed with Semgrep](/docs/trophy-case) - [Frequently asked questions](/docs/faq/overview) ## Additional resources[​](#additional-resources) - [Slack on scaling static analysis with Semgrep](https://semgrep.dev/blog/2021/slack-presents-semgrep-at-def-con-appsec-village/) Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Support](/docs/tags/support)- [Semgrep AppSec Platform](/docs/tags/semgrep-app-sec-platform)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/usage-and-billing.mdx)Last updated on **Nov 25, 2025** --- # Autofix Source: https://semgrep.dev/docs/writing-rules/autofix - [](/docs/)- [Write rules](/docs/writing-rules/overview)- Write rules for Semgrep Code- Advanced rule-writing techniques- Autofix**On this page- [Rule writing](/docs/tags/rule-writing)Autofix Autofix is a Semgrep feature where rules contain suggested fixes to resolve findings. Semgrep's rule format supports a `fix:` key that supports the replacement of metavariables and regex matches with potential fixes. This allows for value capture and rewriting. With rules that make use of autofix, you can resolve findings as part of your code review workflow. Semgrep suggests these fixes through pull request or merge request comments. You can apply the autofix directly to the file using the `--autofix` flag. To test the autofix before applying it, use both the `--autofix` and `--dryrun` flags. tipRule-based autofix is deterministic and separate from the [Semgrep Assistant autofix feature](/docs/semgrep-assistant/overview#autofix). The Assistant autofix feature uses AI to generate a suggested code fix. ## Example autofix snippet[​](#example-autofix-snippet) Sample autofix (view in [Playground](https://semgrep.dev/s/R6g)): `rules:- id: use-sys-exit languages: - python message: | Use `sys.exit` over the python shell `exit` built-in. `exit` is a helper for the interactive shell and is not available on all Python implementations. https://stackoverflow.com/a/6501134 pattern: exit($X) fix: sys.exit($X) severity: MEDIUM` ## Create autofix rules[​](#create-autofix-rules) See how to create an autofix rule in the **Transforming code with Semgrep autofixes** video: ## Autofix with regular expression replacement[​](#autofix-with-regular-expression-replacement) A variant of the `fix` key is `fix-regex`, which applies regular expression replacements (similar to `sed`) to matches found by Semgrep. `fix-regex` has two required fields: - `regex` specifies the regular expression to replace within the match found by Semgrep - `replacement` specifies what to replace the regular expression with. `fix-regex` also takes an optional `count` field, which specifies how many occurrences of `regex` to replace with `replacement`, from left-to-right and top-to-bottom. By default, `fix-regex` will replace all occurrences of `regex`. If `regex` does not match anything, no replacements are made. The replacement behavior is identical to the `re.sub` function in Python. See these [Python docs](https://docs.python.org/3/library/re.html#re.sub) for more information. An example rule with `fix-regex` is shown below. `regex` uses a capture group to greedily capture everything up to the final parenthesis in the match found by Semgrep. `replacement` replaces this with everything in the capture group (`\1`), a comma, `timeout=30`, and a closing parenthesis. Effectively, this adds `timeout=30` to the end of every match. `rules:- id: python.requests.best-practice.use-timeout.use-timeout patterns: - pattern-not: requests.$W(..., timeout=$N, ...) - pattern-not: requests.$W(..., **$KWARGS) - pattern-either: - pattern: requests.request(...) - pattern: requests.get(...) - pattern: requests.post(...) - pattern: requests.put(...) - pattern: requests.delete(...) - pattern: requests.head(...) - pattern: requests.patch(...) fix-regex: regex: '(.*)\)' replacement: '\1, timeout=30)' message: | 'requests' calls default to waiting until the connection is closed. This means a 'requests' call without a timeout will hang the program if a response is never received. Consider setting a timeout for all 'requests'. languages: [python] severity: MEDIUM` ## Remove a code detected by a rule[​](#remove-a-code-detected-by-a-rule) Improve your code quality by cleaning up stale code automatically. Remove code that an autofix rule detected by adding the `fix` key with an empty string `""`. For example: ` - id: python-typing pattern: from typing import $X fix: "" languages: [ python ] message: found one severity: ERROR` When you apply the autofix in this rule, the detected code is removed. Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Rule writing](/docs/tags/rule-writing)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/writing-rules/autofix.md)Last updated on **Dec 10, 2025** --- # Static analysis and rule-writing glossary Source: https://semgrep.dev/docs/writing-rules/glossary - [](/docs/)- [Write rules](/docs/writing-rules/overview)- Write rules for Semgrep Code- Glossary**On this page- [Rule writing](/docs/tags/rule-writing)Static analysis and rule-writing glossary The definitions provided here are specific to Semgrep. ## Constant propagation[​](#constant-propagation) Constant propagation is a type of analysis where values known to be constant are substituted in later uses, allowing the value to be used to detect matches. Semgrep can perform constant propagation across files, unless you are running Semgrep Community Edition (CE), which can only propagate within a file. Constant propagation is applied to all rules unless [it is disabled](/docs/writing-rules/data-flow/constant-propagation#disable-constant-propagation). For example, given the following pattern: `...patterns:- pattern: console.log(2)` And the following code snippet: `const x = 2;console.log(x);` The pattern operator `pattern: print(2)` tells Semgrep to match line 2 because it propagates the value `2` from the assignment in line 1 to the `console.log()` function in line. Constant propagation is one of the many analyses that differentiate Semgrep from grep. ## Cross-file analysis[​](#cross-file-analysis) Cross-file analysis (also known as **interfile analysis**) takes into account how information flows between files. In particular, cross-file analysis includes **cross-file taint analysis**, which tracks unsanitized variables flowing from a source to a sink through arbitrarily many files. Other analyses performed across files include constant propagation and type inference. Cross-file analysis is usually used in contrast to intrafile, or per-file analysis, where each file is analyzed as a standalone block of code. Within Semgrep, cross-file **and** cross-function analysis is simply referred to as cross-file analysis. Semgrep CE is limited to per-file analysis. ## Cross-function analysis[​](#cross-function-analysis) Cross-function analysis means that interactions between functions are taken into account. This improves taint analysis, which tracks unsanitized variables flowing from a source to a sink through arbitrarily many functions. Within Semgrep documentation, cross-function analysis implies intrafile or per-file analysis. Each file is still analyzed as a standalone block, but within the file it takes into account how information flows between functions. Also known as **interprocedural** analysis. ## Error matrix[​](#error-matrix) An error matrix is a 2x2 table that visualizes the findings of a Semgrep rule in relation to the vulnerable lines of code it does or doesn't detect. It has two axes: - Positive and negative - True or false These yield the following combinations: True positiveThe rule detected a piece of code it was intended to find.False positiveThe rule detected a piece of code it was not intended to find.True negativeThe rule correctly skipped over a piece of code it wasn't meant to find.False negativeThe rule failed to detect a piece of code it should have found. Not to be confused with **risk matrices**. ## Finding[​](#finding) A finding is the core result of Semgrep's analysis. Findings are generated when a Semgrep rule matches a piece of code. Findings can be security issues, bugs, or code that doesn't follow coding conventions. ## Fully qualified name[​](#fully-qualified-name) A **fully qualified name** refers to a name which uniquely identifies a class, method, type, or module. Languages such as C# and Ruby use `::` to distinguish between fully qualified names and regular names. Not to be confused with **tokens**. ## l-value (left-, or location-value)[​](#l-value-left--or-location-value) An expression that denotes an object in memory; a memory location, something that you can use in the left-hand side (LHS) of an assignment. For example, `x` and `array[2]` are l-values, but `2+2` is not. ## Metavariable[​](#metavariable) A metavariable is an abstraction that lets you match something even when you don't know exactly what it is you want to match. It is similar to capture groups in regular expressions. All metavariables begin with a `$` and can only contain uppercase characters, digits, and underscores. ## Propagator[​](#propagator) A propagator is any code that alters a piece of data as the data moves across the program. This includes functions, reassignments, and so on. When you write rules that perform taint analysis, propagators are pieces of code that you specify through the `pattern-propagator` key as code that always passes tainted data. This is especially relevant when Semgrep performs intraprocedural taint analysis, as there is no way for Semgrep to infer which function calls propagate taint. Thus, explicitly listing propagators is the only way for Semgrep to know if tainted data could be passed within your function. ## Rule (Semgrep rule)[​](#rule-semgrep-rule) A rule is a specification of the patterns that Semgrep must match to the code to generate a finding. Rules are written in YAML. Without a rule, the engine has no instructions on how to match code. Rules can be run on either Semgrep or its OSS Engine. Only proprietary Semgrep can perform [interfile analysis](#cross-file-analysis). There are two types of rules: **search** and **taint**. Search rulesRules default to this type. Search rules detect matches based on the patterns described by a rule. There are several semantic analyses that search rules perform, such as: - Interpreting syntactically different code as semantically equivalent- Constant propagation- Matching a fully qualified name to its reference in the code, even when not fully qualified- Type inference, particularly when using typed metavariablesTaint rulesTaint rules make use of Semgrep's taint analysis in addition to default search functionalities. Taint rules are able to specify sources, sinks, and propagators of data as well as sanitizers of that data. For more information, see [Taint analysis documentation](/writing-rules/data-flow/taint-mode/overview). ## Sanitizers[​](#sanitizers) A sanitizer is any piece of code, such as a function or [a cast](https://learn.microsoft.com/en-us/dotnet/csharp/programming-guide/types/casting-and-type-conversions#explicit-conversions), that can clean untrusted or tainted data. Data from untrusted sources, such as user inputs, may be tainted with unsafe characters. Sanitizers ensure that unsafe characters are removed or stripped from the input. An example of a sanitizer is the [** `DOMPurify.sanitize(dirty);`](https://github.com/cure53/DOMPurify) function from the DOMPurify package in JavaScript. ## Per-file analysis[​](#per-file-analysis) Also known as intrafile analysis. In per-file analysis, information can only be traced or tracked within a single file. It cannot be traced if it flows to another file. Per-file analysis can include cross-function analysis, aka tracing the flow of information between functions. When discussing the capabilities of pro analysis, per-file analysis implies cross-function analysis. ## Per-function analysis[​](#per-function-analysis) Also known as intraprocedural analysis. In per-function analysis, information can only be traced or tracked within a single function. ## Sink[​](#sink) In taint analysis, a sink is any vulnerable function that is called with potentially tainted or unsafe data. ## Source[​](#source) In taint analysis, a source is any piece of code that assigns or sets tainted data, typically user input. ## Taint analysis[​](#taint-analysis) Taint analysis tracks and traces the flow of untrusted or unsafe data. Data coming from sources such as user inputs could be unsafe and used as an attack vector if these inputs are not sanitized. Taint analysis provides a means of tracing that data as it moves through the program from untrusted sources to vulnerable functions. Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Rule writing](/docs/tags/rule-writing)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/writing-rules/glossary.md)Last updated on **Oct 23, 2025** --- # Write rules Source: https://semgrep.dev/docs/writing-rules/overview - [](/docs/)- [Write rules](/docs/writing-rules/overview)- Write rules for Semgrep Code- Overview**On this page- [Rule writing](/docs/tags/rule-writing)Write rules Semgrep uses rules, which encapsulate pattern matching logic and data flow analysis, to scan your code for security issues, style violations, bugs, and more. In addition to rules available to you in the Semgrep Registry, you can write custom rules to determine what Semgrep detects in your repositories. You can write rules that: - Automate code review comments. - Identify secure coding violations. - Scan configuration files. See more use cases in [Rule ideas](/docs/writing-rules/rule-ideas). ## Get started[​](#get-started) For an introduction to writing Semgrep rules, use the interactive, example-based [Semgrep rule tutorial](https://semgrep.dev/learn). You can write rules in your terminal and run them with the Semgrep command line tool, or you can write and test using the [Semgrep Editor](https://semgrep.dev/editor). For example, the following sample rule detects the use of `is` when comparing Python strings. `is` checks reference equality, not value equality, and can exhibit nondeterministic behavior. ## Next steps[​](#next-steps) The following articles guide you through rule-writing basics and act as references: - [Pattern syntax](/docs/writing-rules/pattern-syntax) describes what Semgrep patterns can do in detail and provides sample use cases. - [Rule syntax](/docs/writing-rules/rule-syntax) describes Semgrep YAML rule files, which can have multiple patterns, detailed output messages, and autofixes. The syntax allows the composition of individual patterns with Boolean operators. - [Contributing rules](/docs/contributing/contributing-to-semgrep-rules-repository) gives you an overview of how you can contribute to Semgrep Registry rules. This document also provides information about tests and metadata fields that you can use for your rules. Need rule ideas? See [Rule ideas](/docs/writing-rules/rule-ideas) for everyday use cases and prompts to help you start writing rules from scratch. Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Rule writing](/docs/tags/rule-writing)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/writing-rules/overview.md)Last updated on **Oct 15, 2025** --- # Private rules Source: https://semgrep.dev/docs/writing-rules/private-rules - [](/docs/)- [Write rules](/docs/writing-rules/overview)- Write rules for Semgrep Code- Private rules**On this page- [Rule writing](/docs/tags/rule-writing)Private rules Users with Semgrep Code's [Team or Enterprise tier](https://semgrep.dev/pricing) can publish rules to the [Semgrep Registry](https://semgrep.dev/explore) as private rules that are not visible to those outside their organization. Maintaining the rules' privacy allows you the benefits of using the Semgrep Registry while keeping sensitive code or information internal. ## Creating private rules[​](#creating-private-rules) You can create private rules the same way you create other custom rules. The subsequent sections can help you create and save your private rules. ### Create private rules through Semgrep AppSec Platform[​](#create-private-rules-through-semgrep-appsec-platform) To create and publish private rules through the Semgrep AppSec Platform: - Go to [Semgrep Editor](https://semgrep.dev/orgs/-/editor). - Click ** **Create New Rule**. - Choose one of the following options to create your rule: Click the ** **plus** icon, select **New rule**, provide the YAML file for your rule, and then click ** **Save**. - In the ** **Library** panel, select a rule from a category in **Semgrep Registry**. Click ** **Fork**, modify the rule or test code, and then click ** **Save**. - Click ** **Share**. - Click ** **Private**. Your private rule has been created and added to the Registry. It is visible only to logged in users of your organization, and its private status is reflected by the **Share** button displaying a ** icon. Private rules are stored in the folder with the same name as your Semgrep AppSec Platform organization. ### Create private rules through the Semgrep command-line interface[​](#create-private-rules-through-the-semgrep-command-line-interface) To create private rules through the [Semgrep CLI](/docs/getting-started/quickstart), : - Log in to Semgrep. Running this command launches a browser window, but you can also use the link that's returned in the CLI to proceed: `semgrep login` - In the **Semgrep CLI login**, click **Activate** to proceed. - Create your rule. For more information, see [Contributing rules](/docs/contributing/contributing-to-semgrep-rules-repository). - Publish your rule from the command line using `semgrep publish` command followed by the path to your private rules: `semgrep publish myrules/` If the rules are in the directory you publish from, you can use `semgrep publish .` to refer to the current directory. You must provide the directory specification. If the directory contains test cases for the rules, Semgrep uploads them as well (see [testing Semgrep rules](/docs/writing-rules/testing-rules)). You can change the visibility of the rules. For instance, to publish the rules as unlisted (which does not require authentication but results in the rules hidden from users of the public registry): `semgrep publish --visibility=unlisted myrules/` For more details, run `semgrep publish --help`. ## View and use private rules[​](#view-and-use-private-rules) View your rules in [Semgrep Editor](https://semgrep.dev/orgs/-/editor) under the folder corresponding to your organization name. You can also find it in the [Semgrep Registry](https://semgrep.dev/explore) by searching for `[organization-id].[rule-id]`. For example: `r2c.test-rule-id`. To use the rule with subsequent scans, add the rule in the [Registry](https://semgrep.dev/explore) to an existing policy. ## Automatically publish rules[​](#automatically-publish-rules) This section provides examples of how to automatically publish your private rules so they are accessible within your private organization. Publishing your private rules in this manner does not make them public. In the following examples, the private rules are stored in `private_rule_dir`, which is a subdirectory of the repository root. If your rules are in the root of your repository, you can replace the command with `semgrep publish --visibility=org_private .` to refer to the repository root. You must provide the directory specification. The following sample of the GitHub Actions workflow publishes rules from a private Git repository after a merge to the `main`, `master`, or `develop` branches. - Ensure that `SEMGREP_APP_TOKEN` is defined in your GitHub project or organization's secrets. - Create the following file at `.github/workflows/semgrep-publish.yml`: `name: semgrep-publishon: push: branches: - main - master - developjobs: publish: name: publish-private-semgrep-rules runs-on: ubuntu-latest container: image: semgrep/semgrep steps: - uses: actions/checkout@v4 - name: publish private semgrep rules run: semgrep publish --visibility=org_private ./private_rule_dir env: SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}` Alternatively, if you use GitLab, you can use the subsequent sample after ensuring that `SEMGREP_APP_TOKEN` is defined in your GitLab project's CI/CD variables: `semgrep-publish: image: semgrep/semgrep script: semgrep publish --visibility=org_private ./private_rule_dirrules: - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCHvariables: SEMGREP_APP_TOKEN: $SEMGREP_APP_TOKEN` ## Delete private rules[​](#delete-private-rules) To remove a private rule, follow these steps: - In the [Semgrep Editor](https://semgrep.dev/orgs/-/editor), find the private rule to delete under the ** **Library** tab. Private rules are usually stored in the folder with the same name as your Semgrep AppSec Platform organization. - Click the rule you want to delete, and then click the ** three vertical dots. - Click ** **Delete**. Deleting a rule is permanent. If the rule was previously added to the **Policies** page, it is removed upon deletion. ## Appendix[​](#appendix) ### Visibility of private rules[​](#visibility-of-private-rules) Private rules are only visible to logged-in members of your organization. ### Publish a rule with the same rule ID[​](#publish-a-rule-with-the-same-rule-id) Rules have unique IDs. If you publish a rule with the same ID as an existing rule, the new rule overwrites the previous one. Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Rule writing](/docs/tags/rule-writing)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/writing-rules/private-rules.md)Last updated on **Oct 15, 2025** --- # Rule structure syntax examples Source: https://semgrep.dev/docs/writing-rules/rule-ideas - [](/docs/)- [Write rules](/docs/writing-rules/overview)- Write rules for Semgrep Code- Rule structure syntax- Rule structure syntax examples**On this page- [Rule writing](/docs/tags/rule-writing)Rule structure syntax examples Not sure what to write a rule for? Below are some common questions, ideas, and topics to spur your imagination. Happy hacking! 💡 ## Automate code review comments[​](#automate-code-review-comments) *Time to write this rule: **5 minutes*** You can use Semgrep and its GitHub integration to [automate PR comments](/docs/semgrep-appsec-platform/notifications) that you frequently make in code reviews. Writing a custom rule for the code pattern you want to target is usually straightforward. If you want to understand the Semgrep syntax, see the [documentation](/docs/writing-rules/pattern-syntax) or try the [tutorial](https://semgrep.dev/learn). A reviewer writes a Semgrep rule and adds it to an organization-wide policy. ## Ban dangerous APIs[​](#ban-dangerous-apis) *Time to write this rule: **5 minutes*** Semgrep can detect dangerous APIs in code. If integrated into CI/CD pipelines, you can use Semgrep to block merges or flag for review when someone adds such dangerous APIs to the code. For example, a rule that detects React's `dangerouslySetInnerHTML` looks like this. ## Exempt special cases of dangerous APIs[​](#exempt-special-cases-of-dangerous-apis) *Time to write this rule: **5 minutes*** If you have a legitimate use case for a dangerous API, you can exempt a specific use of the API using a `nosemgrep` comment. The rule below checks for React's `dangerouslySetInnerHTML`, but the code is annotated with a `nosemgrep` comment. Semgrep will not detect this line. This allows Semgrep to continuously check for future uses of `dangerouslySetInnerHTML` while allowing for this specific use. ## Detect tainted data flowing into a dangerous sink[​](#detect-tainted-data-flowing-into-a-dangerous-sink) *Time to write this rule: **5 minutes*** Semgrep's [dataflow engine with support for taint tracking](/docs/writing-rules/data-flow/data-flow-overview) can be used to detect when data flows from a user-provided value into a security-sensitive function. This rule detects when a user of the ExpressJS framework passes user data into the `run()` method of a sandbox. ## Detect security violations[​](#detect-security-violations) *Time to write this rule: **5 minutes*** Use Semgrep to flag specific uses of APIs too, not just their presence in code. We jokingly call these the "security off" buttons and make extensive use of Semgrep to detect them. This rule detects when HTML auto-escaping is explicitly disabled for a Django template. ## Scan configuration files using JSON, YAML, or generic pattern matching[​](#scan-configuration-files-using-json-yaml-or-generic-pattern-matching) *Time to write this rule: **10 minutes*** Semgrep [natively supports JSON and YAML](/docs/supported-languages) and can be used to write rules for configuration files. This rule checks for skipped TLS verification in Kubernetes clusters. The [Generic pattern matching](/docs/writing-rules/generic-pattern-matching) mode is for languages and file formats that Semgrep does not natively support. For example, you can write rules for Dockerfiles using the generic mode. The Dockerfile rule below checks for invalid port numbers. ## Enforce authentication patterns[​](#enforce-authentication-patterns) *Time to write this rule: **15 minutes*** If a project has a "correct" way of doing authentication, Semgrep can be used to enforce this so that authentication mishaps do not happen. In the example below, this Flask app requires an authentication decorator on all routes. The rule detects routes that are missing authentication decorators. If deployed in CI/CD pipelines, Semgrep can block undecorated routes or flag a security member for further investigation. ## Systematize project-specific coding patterns[​](#systematize-project-specific-coding-patterns) *Time to write this rule: **10 minutes*** Automate institutional knowledge using Semgrep. This has several benefits, including teaching new members about coding patterns in an automatic way and keeping a project up-to-date with coding patterns. If you keep coding guidelines in a document, converting these into Semgrep rules is a great way to free developers from having to remember all the guidelines. In this example, a legacy API requires calling `verify_transaction(t)` before calling `make_transaction(t)`. The Semgrep rule below detects when these methods are not called correctly. ## Extract information with metavariables[​](#extract-information-with-metavariables) *Time to write this rule: **15 minutes*** Semgrep metavariables can be used as output in the `message` key. This can be used to extract and collate information about a codebase. Click through to [this example](https://semgrep.dev/s/ORpk), which extracts Java Spring routes. This can be used to quickly see all the exposed routes of an application. ## Detect deprecated APIs[​](#detect-deprecated-apis) *Time to write this rule: **5 minutes*** Semgrep can detect deprecated APIs just as easily as dangerous APIs. Identifying deprecated API calls can help an application migrate to current or future versions. This rule example detects a function that is deprecated as of Django 4.0. ## Promote secure alternatives[​](#promote-secure-alternatives) *Time to write this rule: **5 minutes*** Some libraries or APIs have safe alternatives, such as [Google's `re2`](https://github.com/google/re2), an implementation of the standard `re` interface that ships with Python that is resistant to regular expression denial-of-service. This rule detects the use of `re` and recommends `re2` as a safe alternative with the same interface. ## Prompts for writing custom rules[​](#prompts-for-writing-custom-rules) Try answering these questions to uncover important rules for your project. - From recent post-mortems: what code issues contributed to it? - [XYZ] is a (security, performance, other) library that everyone should use, but they don’t consistently. - When you review code, what changes do you frequently ask for? - What vulnerability classes from bug bounty submissions recur (or appear in different places of the codebase)? - Are there engineering or performance patterns? Consistent exception handlers? - What issues were caused by misconfigurations in Infrastructure-as-Code files (JSON)? - What are some “invariants” that should hold about your code - things that should always or never be true (for example, every admin route checks if the user is an admin)? - What methods/APIs are deprecated and you’re trying to move away from? Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Rule writing](/docs/tags/rule-writing)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/writing-rules/rule-ideas.md)Last updated on **Oct 15, 2025** --- # Test rules Source: https://semgrep.dev/docs/writing-rules/testing-rules - [](/docs/)- [Write rules](/docs/writing-rules/overview)- Write rules for Semgrep Code- Test rules**On this page- [Rule writing](/docs/tags/rule-writing)Test rules Semgrep provides a testing mechanism for your rules. You can write code and provide annotations to let Semgrep know where you are or aren't expecting findings. Semgrep provides the following annotations: - `ruleid: <rule-id>` for protecting against false negatives - `ok: <rule-id>` for protecting against false positives - `todoruleid: <rule-id>` for future "positive" rule improvements - `todook: <rule-id>` for future "negative" rule improvements When writing tests, remember that: - The `--test` flag tells Semgrep to run tests in the specified directory. - Annotations are specified as a comment immediately preceeding the offending line. - Semgrep looks for tests based on the rule filename and the languages specified in the rule. In other words, `path/to/rule.yaml` searches for `path/to/rule.py`, `path/to/rule.js`, and similar, based on the languages specified in the rule. infoThe `.test.yaml` file extension can also be used for test files. This is necessary when testing YAML language rules. ## Test rules with autofix[​](#test-rules-with-autofix) Semgrep's testing mechanism also provides a way to test the behavior of any `fix` values defined in the rules. To define a test for autofix behavior: - Create a new **autofix test file** with the `.fixed` suffix before the file type extension. For example, name the autofix test file of a rule with test code in `path/to/rule.py` as `path/to/rule.fixed.py`. - Within the autofix test file, enter the expected result of applied autofix rule to the test code. - Run `semgrep --test` to verify that your autofix test file is correctly detected. When you use `semgrep --test`, Semgrep applies the autofix rule to the original test code (`path/to/rule.py`), then verifies whether this matches the expected outcome defined in the autofix test file (`path/to/rule.fixed.py)`. If there is a mismatch, the line diffs are printed. info**Hint**: Creating an autofix test for a rule with autofix can take less than a minute with the following flow of commands: `cp rule.py rule.fixed.pysemgrep --config rule.yaml rule.fixed.py --autofix`These commands apply the autofix of the rule to the test code. After Semgrep delivers a fix, inspect whether the outcome of this fix is as expected (for example, using `vimdiff rule.py rule.fixed.py`). ## Example[​](#example) Consider the following rule: `rules:- id: insecure-eval-use patterns: - pattern: eval($VAR) - pattern-not: eval("...") fix: secure_eval($VAR) message: Calling 'eval' with user input languages: [python] severity: MEDIUM` If the filename with the preceeding rule is `rules/detect-eval.yaml`, you can create `rules/detect-eval.py`: `from lib import get_user_input, safe_get_user_input, secure_evaluser_input = get_user_input()# ruleid: insecure-eval-useeval(user_input)# ok: insecure-eval-useeval('print("Hardcoded eval")')totally_safe_eval = eval# todoruleid: insecure-eval-usetotally_safe_eval(user_input)# todook: insecure-eval-useeval(safe_get_user_input())` Run the tests with the following: `semgrep --test rules/` This produces the following output: `1/1: ✓ All tests passedNo tests for fixes found.` Semgrep tests automatically avoid failing on lines marked with `# todoruleid` or `# todook`. ## Store rules and test targets in different directories[​](#store-rules-and-test-targets-in-different-directories) Creating different directories for rules and tests helps you manage a growing library of custom rules. To store rules and test targets in different directories, use the `--config` option. For example, in the directory with the following structure: `$ tree teststests├── rules│   └── python│   └── insecure-eval-use.yaml└── targets └── python └── insecure-eval-use.py4 directories, 2 files` Use of the following command `semgrep --test --config tests/rules/ tests/targets/` Produces the same output as in the previous example. The subdirectory structure of these two directories must be the same for Semgrep to correctly find the associated files. To test the autofix behavior, add the autofix test file `rules/detect-eval.fixed.py` to represent the expected outcome of applying the fix to the test code: `from lib import get_user_input, safe_get_user_input, secure_evaluser_input = get_user_input()# ruleid: insecure-eval-usesecure_eval(user_input)# ok: insecure-eval-useeval('print("Hardcoded eval")')totally_safe_eval = eval# todoruleid: insecure-eval-usetotally_safe_eval(user_input)# todook: insecure-eval-usesecure_eval(safe_get_user_input())` So that the directory structure is printed as the following: `$ tree teststests├── rules│   └── python│   └── insecure-eval-use.yaml└── targets └── python └── insecure-eval-use.py └── insecure-eval-use.fixed.py4 directories, 2 files` Use of the following command: `semgrep --test --config tests/rules/ tests/targets/` Results in the following outcome: `1/1: ✓ All tests passed1/1: ✓ All fix tests passed` If the fix does not behave as expected, the output prints a line diff. For example, if you replace `secure_eval` with `safe_eval`, you can see that lines 5 and 15 do not render as expected. `1/1: ✓ All tests passed0/1: 1 fix tests did not pass:-------------------------------------------------------------------------------- ✖ targets/python/detect-eval.fixed.py <> autofix applied to targets/python/detect-eval.py --- +++ @@ -5 +5 @@ -safe_eval(user_input) +secure_eval(user_input) @@ -15 +15 @@ -safe_eval(safe_get_user_input()) +secure_eval(safe_get_user_input())` ## Validating rules[​](#validating-rules) You can run `semgrep --validate --config [filename]` to verify the rule's configuration. This command runs a combination of Semgrep rules and OCaml checks against your rules to search for issues such as duplicate patterns and missing fields. All rules submitted to the Semgrep Registry are validated. The semgrep rules are pulled from `p/semgrep-rule-lints`. This feature is still experimental and under active development. Your feedback is welcomed! ## Enabling autofix in Semgrep Code[​](#enabling-autofix-in-semgrep-code) To enable autofix for all projects in your Semgrep AppSec Platform organization, follow these steps: - In Semgrep AppSec Platform, go to **[Settings > General > Code](https://semgrep.dev/orgs/-/settings/general/code)**. - Click the **Autofix** ** toggle to enable this feature. Not finding what you need in this doc? Ask questions in our [Community Slack group](https://go.semgrep.dev/slack), or see [Support](/docs/support/) for other ways to get help. Tags:**- [Rule writing](/docs/tags/rule-writing)[Edit this page](https://github.com/semgrep/semgrep-docs/edit/main/docs/writing-rules/testing-rules.md)Last updated on **Oct 21, 2025**