Skip to main content

Semgrep IntelliJ extension

Semgrep swiftly scans code and package dependencies for known issues, software vulnerabilities, and detected secrets. Run Semgrep in your developer environment with the IntelliJ extension to catch code issues as you type. By default, the Semgrep IntelliJ extension scans code whenever you change or open files.

Prerequisites

The Semgrep IntelliJ extension communicates with Semgrep command-line interface (CLI) to run scans. Install Semgrep CLI before you can use the extension. To install Semgrep CLI:

# For macOS
$ brew install semgrep

# For Ubuntu/WSL/Linux/macOS
$ python3 -m pip install semgrep

Quick start

  1. Install the Semgrep extension:

    • Visit Semgrep's page on the JetBrains Marketplace.
    • In IntelliJ: Settings/Preferences > Plugins > Marketplace > Search for semgrep-intellij > Install. You may need to restart IntelliJ for the Semgrep extension to be installed.
  2. Sign in: Press Ctrl+⇧Shift+A (Windows) or ⌘Command+⇧Shift+A (macOS) and sign in to Semgrep AppSec Platform by selecting the following command:

    Sign in with Semgrep
  3. Test the extension by pressing Ctrl+⇧Shift+A (Windows) or ⌘Command+⇧Shift+A (macOS) and run the following command:

    Scan workspace with Semgrep
  4. See Semgrep findings: Hold the pointer over the code that has the red underline.

Feature maturity

Semgrep's IntelliJ extensions are in public beta. Currently, the IntelliJ extension only supports Semgrep Community Edition (CE) - it doesn't support Semgrep Supply Chain, Secrets, Pro rules, or Pro Engine. Please join the Semgrep community Slack workspace and let the Semgrep team know if you encounter any issues.

Supported Jet Brains products

Semgrep's IDE extension is available in many Jet Brains products:

  • AppCode
  • Aqua
  • CLion
  • DataSpell
  • DataGrip
  • GoLand
  • IntelliJ IDEA Ultimate
  • PhpStorm
  • PyCharm Professional
  • Rider
  • RubyMine
  • RustRover
  • WebStorm
caution

IntelliJ extension does not support:

  • IntelliJ IDEA Community Edition.

Semgrep does not offer an IDE integration with IntelliJ Community Edition because this version lacks support for the Language Server Protocol (LSP), which is essential for enabling Semgrep’s code scanning features. IntelliJ Ultimate, which includes LSP support, is required to use Semgrep's IDE integration.

Commands

Run Semgrep extension commands through the IntelliJ Command Palette. You can access the Command Palette by pressing Ctrl+⇧Shift+A (Windows) or ⌘Command+⇧Shift+A (macOS) on your keyboard.

  • Sign in with Semgrep: Sign up or log in to the Semgrep AppSec Platform (this command opens a new window in your browser). Alternatively, you can log in through your command-line interface by running semgrep login.
  • Sign out of Semgrep: Log out of Semgrep AppSec Platform. If you are logged out, you lose access to Semgrep Supply Chain and Semgrep Secrets. Alternatively, you can sign out through your command-line interface by running semgrep logout.
  • Scan workspace with Semgrep: Scan files that have been changed since the last commit in your current workspace.
  • Scan workspace with Semgrep (Including Unmodified Files): Scan all files in the current workspace.
tip

You can also click the Semgrep icon in the IntelliJ toolbar to quickly access all available commands.

Features

Automatic scanning

When you open a file, Semgrep scans it right away.

Hover over a match and click the link.

Support

If you need our support, join the Semgrep community Slack workspace and tell us about any problems you encountered.

Limitations

IDE scans use Semgrep CE for speed. Scans are thus limited to single-file analysis. You can still perform cross-file (interfile) scans on your machine through the CLI:

semgrep ci --pro

Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.