Skip to main content

Getting started with Semgrep

Detect security issues, vulnerable dependencies, and more by scanning your code with Semgrep. Semgrep performs both SAST (Static application security testing) and SCA (Software composition analysis) scans.

The following guide walks you through:

  • Installing Semgrep in your computer locally.
  • Running a single scan for both SAST and SCA.
  • Sending results to Semgrep Cloud Platform for triage and analysis.
  • Code is not uploaded. Only findings are sent to Semgrep Cloud Platform.

Installing and running Semgrep locally


The Semgrep command-line tool requires Python 3.7 or later.

To install and run Semgrep, use one of the following options:

  1. Install:

    brew install semgrep


    python3 -m pip install semgrep
  2. Confirm installation:

    semgrep --version
  3. Sign up or log in to Semgrep Cloud Platform (SCP):

    semgrep login

    This command automatically opens a new tab or browser window. You can also click the link in the CLI to complete the step.

  4. A modal appears after logging in to SCP. Click Create an organization. Note that you can further integrate organizations (orgs) with GitLab accounts and GitHub accounts, including personal and org accounts, after you complete this procedure.

  5. After creating an organization in the previous step, return to the CLI and run a scan:

    semgrep ci

You have just finished installing and running a Semgrep scan. Use Semgrep Cloud Platform to triage your findings and view vulnerabilities.

  • You can also run semgrep scan --config=auto for offline-only SAST scans. No SCA scan is performed with this command.

Next steps

By completing this guide, you are now familiar with a simple use of Semgrep. Here are some additional resources to follow:

Testing Semgrep on vulnerable repositories

The following community projects are designed to test code scanners and teach security concepts. Try cloning and scanning them with Semgrep.

Expand for sample projects! 🎉

# juice-shop, a vulnerable Node.js + Express app:
git clone
cd juice-shop
semgrep --config=auto

# Or if you don't have Semgrep installed, replace the semgrep command with:
docker run --rm -v "$(pwd)/juice-shop:/src" returntocorp/semgrep semgrep --config p/security-audit /src

# Try railsgoat, a vulnerable Ruby on Rails app:
git clone
cd railsgoat
semgrep --config=auto

# govwa, a vulnerable Go app:
git clone
cd govwa
semgrep --config=auto

# Vulnerable-Flask-App, vulnerable Python + Flask:
git clone
cd Vulnerable-Flask-App
semgrep --config=auto

# WebGoat, a vulnerable Java + Spring app:
git clone
cd WebGoat
semgrep --config=auto

Run Semgrep continuously

Semgrep is at its best when used to continuously scan code. Check out Semgrep in CI to learn how to get results where you already work: GitHub, GitLab, Slack, Jira, and more. To get results even earlier in the development process, such as in a Git pre-commit hook or VS Code, check the available Semgrep extensions.

Check out Semgrep Cloud Platform (SCP) to integrate Semgrep scans into your CI environment with PR or MR comments, monitor progress, host private rules (Team and Enterprise tiers), and much more!

Updating Semgrep

We release new Semgrep versions often! See Updating for more details.

Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.