
Getting started with Semgrep OSS Engine

The Semgrep OSS Engine is the foundation of Semgrep. Detect bugs, style violations, security issues, and more by scanning your code locally using community-contributed rules as well as your own custom rules.

Installing and running Semgrep locally

Install and run Semgrep CLI to scan your code locally using Semgrep OSS Engine. Semgrep CLI runs offline on uncompiled code. No code leaves your computer.


Semgrep CLI installation requires Python 3.7 or later.

  1. Install Semgrep CLI. Use one of the following options depending on your system and preference:

    brew install semgrep


    python3 -m pip install semgrep
  1. Confirm installation by the following command:
    semgrep --version
  2. Run recommended Semgrep Registry rules:
    semgrep --config=auto PATH/TO/SRC
    Substitute the optional placeholder PATH/TO/SRC with the path to your source code.

By default, Semgrep collects usage metrics when rules from the Semgrep Registry are used.
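The --config flag also accepts a local rule file in place of auto, which is how you run your own custom rules. The following rule is an added example written for this page, not a rule from the Semgrep Registry or the Semgrep docs; the rule id, message and file name are my own choices. It flags Python subprocess calls that pass shell=True with a non-literal command string, the usual shape of an OS command injection.

```yaml
# subprocess-shell-true.yaml  (constructed example rule; file name is an assumption)
rules:
  - id: python-subprocess-shell-true
    languages: [python]
    severity: WARNING
    message: >-
      subprocess call with shell=True and a non-literal command string.
      Pass the command as an argument list without shell=True, or make
      sure no untrusted input reaches the command string.
    metadata:
      category: security
    patterns:
      # Any subprocess.<function>(...) call that passes shell=True,
      # wherever the keyword argument sits in the argument list.
      - pattern: subprocess.$FUNC(..., shell=True, ...)
      # Drop the low-risk case where the command is a plain string
      # literal ("..." matches any string literal in Semgrep syntax).
      - pattern-not: subprocess.$FUNC("...", ..., shell=True, ...)

# Run it against a source tree (this replaces --config=auto):
#   semgrep --config subprocess-shell-true.yaml PATH/TO/SRC
# Add --json to get machine-readable findings for a CI step.
```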

Next steps

By completing this guide, you are now familiar with a simple use of Semgrep. Here are some additional resources to follow:

Testing Semgrep on vulnerable repositories

The following community projects are designed to test code scanners and teach security concepts. Try cloning and scanning them with Semgrep.


# juice-shop, a vulnerable Node.js + Express app:
git clone
cd juice-shop
semgrep --config=auto

# Or, if you don't have Semgrep installed, run this from the directory that contains juice-shop instead of the semgrep command above:
docker run --rm -v "$(pwd)/juice-shop:/src" returntocorp/semgrep semgrep --config p/security-audit /src

# Try railsgoat, a vulnerable Ruby on Rails app:
git clone
cd railsgoat
semgrep --config=auto

# govwa, a vulnerable Go app:
git clone
cd govwa
semgrep --config=auto

# Vulnerable-Flask-App, vulnerable Python + Flask:
git clone
cd Vulnerable-Flask-App
semgrep --config=auto

# WebGoat, a vulnerable Java + Spring app:
git clone
cd WebGoat
semgrep --config=auto

Run Semgrep continuously

Semgrep is at its best when used to continuously scan code. Check out Semgrep in CI to learn how to get results where you already work: GitHub, GitLab, Slack, Jira, and more. To get results even earlier in the development process, such as in a Git pre-commit hook or VS Code, check the available Semgrep extensions.

Check out Semgrep Cloud Platform (SCP) to integrate Semgrep scans into your CI environment with PR or MR comments, monitor progress, host private rules (Team and Enterprise tiers), and much more!

Logging into Semgrep Cloud Platform

Logging into SCP from your CLI enables you to:

  • Send findings from your local scans to SCP for findings triage.
  • Quickly configure local scans to run either rules from your Rule board or a different set of rules and rulesets.
  • For Team or Enterprise users: scan code using Pro rules from the CLI.

To log in to SCP:

  1. Create an account by clicking the link: Sign in to Semgrep Cloud Platform.
  2. In your command line, enter semgrep login.
  3. Click the link provided in your terminal and follow the instructions.

Updating Semgrep

We release new Semgrep versions often! See Updating for more details.

Find what you needed in this doc? Join the Semgrep Community Slack group to ask the maintainers and the community if you need help.