Extensions
Several third-party tools include Semgrep extensions.
Official IDE extensions
- Microsoft Visual Studio Code:
semgrep-vscode
- IntelliJ Ultimate Idea (and most other IntelliJ products)
semgrep-intellij
- Emacs:
lsp-mode
The LSP Command
All of our official extensions use the Language Server Protocol to communicate
with Semgrep. This allows us to focus on one codebase that can be shared across most modern editor platforms. To implement a custom extension,
one can wrap semgrep lsp
to start the Semgrep Language Server, which will communicate over stdio
. Alternatively, this protocol is a
great way to integrate Semgrep into a project, as it can perform incremental scans, and caches various computations to hugely increase performance.
Please let us know on our community Slack linked below if you do, we'd be more than happy to help in anyway.
Pre-commit
The pre-commit framework can run semgrep
at commit-time. Install pre-commit
and add the following to .pre-commit-config.yaml
repos:
- repo: https://github.com/semgrep/pre-commit
rev: 'v1.97.0'
hooks:
- id: semgrep
# See https://semgrep.dev/explore to select a ruleset and copy its URL
args: ['--config', '<SEMGREP_RULESET_URL>', '--error', '--skip-unknown-extensions']
The pre-commit can also run custom rules and rulesets from Semgrep Code, similar to running semgrep ci
using the following configuration:
repos:
- repo: https://github.com/semgrep/pre-commit
rev: 'v1.97.0'
hooks:
- id: semgrep-ci
Run with Semgrep Pro rules
If you would like to run the pre-commit hook locally while using Semgrep Pro rules:
-
Log in to your Semgrep account. Running this command launches a browser window, but you can also use the link that's returned in the CLI to proceed:
semgrep login
-
In the Semgrep CLI login, click Activate to proceed.
Version management
- asdf: ASDF Semgrep
Semgrep as an engine
Many other tools have functionality powered by Semgrep. Add yours with a pull request!
- DefectDojo
- Dracon
- GitLab SAST
- GuardDog
- libsast
- mobsfscan
- nodejsscan
- ScanMyCode CE (Community Edition)
- SecObserve
Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.