
Getting started

Run Semgrep locally

Start by running Semgrep locally to scan your code. It runs offline on uncompiled code: no code leaves your machine.

Install Semgrep using Homebrew or pip, or run without installation via Docker:

For macOS:

brew install semgrep

For Ubuntu / Windows via WSL / Linux / macOS:

python3 -m pip install semgrep

To try Semgrep without installing it, run it via Docker:

docker run --rm -v "${PWD}:/src" returntocorp/semgrep --config=auto

Confirm installation and run both a simple “grep-like” rule and the auto ruleset:

# Confirm installation by running --help. It should print to your terminal.
$ semgrep --help

# Check for Python == where the left and right sides are the same (often a bug)
$ semgrep -e '$X == $X' --lang=py path/to/src

# Automatically survey languages and frameworks and run recommended Registry rules
$ semgrep --config=auto path/to/src

See CLI Reference for command line options and exit codes.

When the Registry is used for any ruleset (like the auto ruleset above), usage metrics are collected.

Visit Running rules to learn more or try Semgrep on known vulnerable test projects:

Sample projects 🎉

These community projects are designed to test code scanners and teach security concepts. Try cloning and scanning them with Semgrep.

# juice-shop, a vulnerable Node.js + Express app
$ git clone https://github.com/bkimminich/juice-shop
$ semgrep --config p/security-audit juice-shop

# railsgoat, a vulnerable Ruby on Rails app
$ git clone https://github.com/OWASP/railsgoat
$ semgrep --config p/security-audit railsgoat

# govwa, a vulnerable Go app
$ git clone https://github.com/0c34/govwa
$ semgrep --config p/security-audit govwa

# vulnerable Python + Flask app
$ git clone https://github.com/we45/Vulnerable-Flask-App
$ semgrep --config p/security-audit Vulnerable-Flask-App

# WebGoat, a vulnerable Java + Spring app
$ git clone https://github.com/WebGoat/WebGoat
$ semgrep --config p/security-audit WebGoat


Write a rule

Once Semgrep is running locally, see the Semgrep Tutorial to quickly learn how to write precise rules.

Semgrep rules can cover a wide range of use cases:

  • Automating code review comments
  • Detecting secure coding violations
  • Detecting API routes, database models, or similar code segments
  • Identifying authentication violations
  • Lightweight vulnerability detection
  • Scanning configuration files
  • And more! Check out more use cases here.

Visit Writing Rules > Getting started for an in-depth guide and reference material.

This rule is used to find and discourage print(...) in production code. You can edit this rule here or visit the Playground to write and deploy your own rule.
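For readers viewing this page without the embedded Playground, here is an added example of what a rule of that kind looks like in Semgrep's YAML rule format. It is not the page's embedded rule; the rule id, message, the `__main__` exclusion and the `tests/` path filter are choices made for this example.

```yaml
rules:
  - id: no-print-in-production
    languages: [python]
    severity: WARNING
    message: >
      print() call found. Route diagnostic output through the logging
      module so it can be filtered, formatted and disabled in production.
    patterns:
      # Match any call to print(), whatever its arguments.
      - pattern: print(...)
      # Do not flag prints that implement a script's command-line entry
      # point; console output is the intended behaviour there.
      - pattern-not-inside: |
          if __name__ == "__main__":
              ...
    paths:
      # Test code is allowed to print freely.
      exclude:
        - tests/
    metadata:
      category: best-practice
```

Save it as `no-print.yaml` and run `semgrep --config no-print.yaml path/to/src`; Semgrep reports each `print(...)` outside a `__main__` guard at WARNING severity and exits non-zero only for ERROR findings unless `--error` is passed.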

A reviewer writes a Semgrep rule and adds it to an organization-wide policy.

Run Semgrep continuously

Finally, Semgrep is at its best when used to continuously scan code. Check out Semgrep CI to learn how to get results where you already work: GitHub, GitLab, Slack, Jira, and more. To get results even earlier in the development process, such as in a Git pre-commit hook or VS Code, check the available Semgrep extensions.

For teams running Semgrep on multiple projects, see Semgrep App. Its free and paid tiers let users:

  1. Centrally define code standards
  2. Monitor the impact of standards
  3. Host private rules
  4. Push notifications to 3rd-party services

Upgrading

We release new Semgrep versions often! See upgrading for more details.