Run IDE scans
Semgrep supports the following IDE extensions:
- Microsoft Visual Studio Code: semgrep-vscode
- IntelliJ Ultimate Idea and many other IntelliJ products: semgrep-intellij
- Emacs: lsp-mode
Quickstart
Follow the instructions for your IDE to set up your first Semgrep IDE scan.
For Microsoft VS Code users:
- Install the Semgrep extension. If you're unfamiliar with installing VS Code extensions, see the Extension Marketplace's article Install an Extension.
- Use Ctrl+⇧Shift+P or ⌘Command+⇧Shift+P (macOS) to launch the Command Palette, and run the following to sign in to Semgrep AppSec Platform:
Semgrep: Sign in
You can use the extension without signing in, but signing in gives better results because you benefit from Semgrep Code and its Pro rules.
- Launch the Command Palette using Ctrl+⇧Shift+P or ⌘Command+⇧Shift+P (macOS), and scan your files by running:
Semgrep: Scan all files in workspace
- To see detailed vulnerability information, hover over the code underlined in yellow. You can also see the findings identified by Semgrep using ⇧Shift+Ctrl+M or ⌘Command+⇧Shift+M (macOS) and opening the Problems tab.
For JetBrains IntelliJ users:
- Install the Semgrep extension:
  - Visit Semgrep's page on the JetBrains Marketplace.
  - In IntelliJ: Settings/Preferences > Plugins > Marketplace > Search for semgrep-intellij > Install. You may need to restart IntelliJ for the Semgrep extension to be installed.
- Sign in: Press Ctrl+⇧Shift+A (Windows) or ⌘Command+⇧Shift+A (macOS) and sign in to Semgrep AppSec Platform by selecting the following command:
Sign in with Semgrep
- Test the extension by pressing Ctrl+⇧Shift+A (Windows) or ⌘Command+⇧Shift+A (macOS) and running the following command:
Scan workspace with Semgrep
- See Semgrep findings: Hold the pointer over the code that has the red underline.
Semgrep's IntelliJ extensions are in public beta. Currently, the IntelliJ extension only supports Semgrep Community Edition (CE); it doesn't support Semgrep Supply Chain, Secrets, Pro rules, or Pro Engine. Please join the Semgrep community Slack workspace and let the Semgrep team know if you encounter any issues.
Scan scope and limitations
IDE scans use Semgrep Community Edition (CE) for its speed. Scans are thus limited to single-file analysis. You may encounter a higher rate of false positives.