Semgrep IntelliJ extension
Semgrep swiftly scans code and package dependencies for known issues, software vulnerabilities, and detected secrets. Run Semgrep in your developer environment with the IntelliJ extension to catch code issues as you type. By default, the Semgrep IntelliJ extension scans code whenever you change or open files.
The Semgrep IntelliJ extension communicates with the Semgrep command-line interface (CLI) to run scans, so you must install the Semgrep CLI before you can use the extension. To install the Semgrep CLI:
# For macOS
$ brew install semgrep
# For Ubuntu/WSL/Linux/macOS
$ python3 -m pip install semgrep
Quick start
- Install the Semgrep extension:
  - Visit Semgrep's page on the JetBrains Marketplace.
  - In IntelliJ: Settings/Preferences > Plugins > Marketplace > Search for semgrep-intellij > Install. You may need to restart IntelliJ for the Semgrep extension to be installed.
- Sign in: Press Ctrl+⇧Shift+A (Windows) or ⌘Command+⇧Shift+A (macOS) and sign in to Semgrep AppSec Platform by selecting the following command:
  Sign in with Semgrep
- Test the extension by pressing Ctrl+⇧Shift+A (Windows) or ⌘Command+⇧Shift+A (macOS) and running the following command:
  Scan workspace with Semgrep
- See Semgrep findings: Hold the pointer over the code that has the red underline.
Semgrep's IntelliJ extensions are in public beta. Currently, the IntelliJ extension only supports Semgrep OSS - it doesn't support Semgrep Supply Chain, Secrets, Pro rules, or Pro Engine. Please join the Semgrep community Slack workspace and let the Semgrep team know if you encounter any issues.
Supported JetBrains products
Semgrep's IDE extension is available in many JetBrains products:
- AppCode
- Aqua
- CLion
- DataSpell
- DataGrip
- GoLand
- IntelliJ IDEA Ultimate
- PhpStorm
- PyCharm Professional
- Rider
- RubyMine
- RustRover
- WebStorm
The IntelliJ extension does not support:
- IntelliJ IDEA Community Edition.
Semgrep does not offer an IDE integration with IntelliJ Community Edition because this version lacks support for the Language Server Protocol (LSP), which is essential for enabling Semgrep’s code scanning features. IntelliJ Ultimate, which includes LSP support, is required to use Semgrep's IDE integration.
Commands
Run Semgrep extension commands through the IntelliJ Command Palette. You can access the Command Palette by pressing Ctrl+⇧Shift+A (Windows) or ⌘Command+⇧Shift+A (macOS) on your keyboard.
- Sign in with Semgrep: Sign up or log in to the Semgrep AppSec Platform (this command opens a new window in your browser). Alternatively, you can log in through your command-line interface by running semgrep login.
- Sign out of Semgrep: Log out of Semgrep AppSec Platform. If you are logged out, you lose access to Semgrep Supply Chain and Semgrep Secrets. Alternatively, you can sign out through your command-line interface by running semgrep logout.
- Scan workspace with Semgrep: Scan files that have been changed since the last commit in your current workspace.
- Scan workspace with Semgrep (Including Unmodified Files): Scan all files in the current workspace.
You can also click the Semgrep icon in the IntelliJ toolbar to quickly access all available commands.
Features
Automatic scanning
When you open a file, Semgrep scans it right away.
Rule Quick Links
Hover over a match and click the link.
Support
If you need our support, join the Semgrep community Slack workspace and tell us about any problems you encountered.
Limitations
IDE scans use the Semgrep OSS engine for speed. Scans are thus limited to single-file analysis. You can still perform cross-file (interfile) scans on your machine through the CLI:
semgrep ci --pro