Extensions
Several third-party tools include Semgrep extensions.
Editor
Official extensions
- Microsoft Visual Studio Code: semgrep-vscode
- IntelliJ Ultimate Idea (and most other IntelliJ products): semgrep-intellij
- Emacs: lsp-mode
Community-contributed extensions
- Vim: semgrep.vim
The LSP Command
All of our official extensions use the Language Server Protocol (LSP) to communicate with Semgrep. This allows us to focus on one codebase that can be shared across most modern editor platforms. To implement a custom extension, one can wrap semgrep lsp to start the Semgrep Language Server, which communicates over stdio. Alternatively, this protocol is a great way to integrate Semgrep into a project, as it can perform incremental scans and caches various computations to greatly improve performance.
If you do, please let us know on our community Slack, linked below; we'd be more than happy to help in any way.
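The stdio transport described above uses the standard LSP base protocol: each JSON-RPC message is preceded by a Content-Length header and a blank line. The following is an added example, not code from Semgrep or its extensions, of a minimal wrapper that frames messages and sends an initialize request to semgrep lsp. The function names and the minimal initialize parameters are assumptions chosen for illustration.

```python
import json
import subprocess

def encode_message(payload):
    """Frame a JSON-RPC payload per the LSP base protocol."""
    body = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    return b"Content-Length: %d\r\n\r\n" % len(body) + body

def read_message(stream):
    """Read one framed message from a binary stream; None on clean EOF."""
    length = None
    while True:
        line = stream.readline()
        if not line:
            return None  # peer closed the stream
        line = line.strip()
        if not line:
            break  # blank line ends the header section
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    if length is None:
        raise ValueError("missing Content-Length header")
    body = stream.read(length)
    if len(body) != length:
        raise ValueError("truncated message body")
    return json.loads(body)

def initialize_request(root_uri, request_id=1):
    # Minimal LSP initialize request; a real client advertises capabilities.
    return {"jsonrpc": "2.0", "id": request_id, "method": "initialize",
            "params": {"processId": None, "rootUri": root_uri, "capabilities": {}}}

def start_and_initialize(root_uri):
    """Spawn `semgrep lsp` and return its reply to the initialize request."""
    proc = subprocess.Popen(["semgrep", "lsp"],
                            stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    try:
        proc.stdin.write(encode_message(initialize_request(root_uri)))
        proc.stdin.flush()
        while (msg := read_message(proc.stdout)) is not None:
            if msg.get("id") == 1:  # skip notifications sent before the reply
                return msg
        raise RuntimeError("server exited before answering initialize")
    finally:
        proc.kill()  # demo only; a real client sends shutdown and exit

if __name__ == "__main__":
    print(start_and_initialize("file:///path/to/project"))  # placeholder URI
```

The framing helpers work on any binary stream, so they can be exercised without Semgrep installed; only start_and_initialize needs the semgrep binary on PATH.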
Pre-commit
The pre-commit framework can run semgrep at commit-time. Install pre-commit and add the following to .pre-commit-config.yaml:
repos:
- repo: https://github.com/returntocorp/semgrep
  rev: 'v1.41.0'
  hooks:
    - id: semgrep
      # See https://semgrep.dev/explore to select a ruleset and copy its URL
      args: ['--config', '<SEMGREP_RULESET_URL>', '--error', '--skip-unknown-extensions']
The pre-commit hook can also run custom rules and rulesets from Semgrep Code, similar to running semgrep ci, using the following configuration:
repos:
- repo: https://github.com/returntocorp/semgrep
  rev: 'v1.41.0'
  hooks:
    - id: semgrep-ci
Version management
- asdf: ASDF Semgrep
Semgrep as an engine
Many other tools have functionality powered by Semgrep. Add yours with a pull request!
- DefectDojo
- Dracon
- GitLab SAST
- GuardDog
- libsast
- mobsfscan
- nodejsscan
- ScanMyCode CE (Community Edition)
- SecObserve
Find what you needed in this doc? Join the Semgrep Community Slack group to ask the maintainers and the community if you need help, or check out other ways to get help.