Skip to main content

Getting started with Semgrep CLI

Running Semgrep locallyโ€‹

Start by running Semgrep locally to scan your code. Semgrep runs offline on uncompiled code. No code leaves your computer.

  1. Install Semgrep. Use one of the following options depending on your system and preference:
    • For macOS:
      brew install semgrep
    • For Ubuntu, Windows through Windows Subsystem for Linux (WSL), Linux, macOS:
      python3 -m pip install semgrep
    • To try Semgrep without installation run through Docker:
      docker run --rm -v "${PWD}:/src" returntocorp/semgrep semgrep --config=auto
  2. Confirm installation by printing help manual page to your terminal. To do so, run the following command:
    semgrep --help
  3. Automatically survey languages and frameworks and run recommended Semgrep Registry rules:
    semgrep --config=auto path/to/src
  4. Optional: Check for Python == where the left and right sides are the same (this is often a bug):
    semgrep -e '$X == $X' --lang=py path/to/src
  • --config auto sends your repository's project URL to Semgrep Registry to find rules configured for your repository and as a key for cached rule recommendations.
  • When Semgrep Registry is used, usage metrics are collected by default.

Next stepsโ€‹

Here are some additional resources you may use:

  • See CLI Reference for command line options and exit codes.
  • Visit Running rules to learn more or try Semgrep on known vulnerable test projects:
Expand for sample projects! ๐ŸŽ‰

These community projects are designed to test code scanners and teach security concepts. Try cloning and scanning them with Semgrep.

# juice-shop, a vulnerable Node.js + Express app
git clone
cd juice-shop
semgrep --config=auto

# or if you don't have Semgrep installed, replace the semgrep command with:
docker run --rm -v "$(pwd)/juice-shop:/src" returntocorp/semgrep semgrep --config p/security-audit /src

# railsgoat, a vulnerable Ruby on Rails app
git clone
cd railsgoat
semgrep --config=auto

# govwa, a vulnerable Go app
git clone
cd govwa
semgrep --config=auto

# vulnerable Python + Flask app
git clone
cd Vulnerable-Flask-App
semgrep --config=auto

# WebGoat, a vulnerable Java + Spring app
git clone
cd WebGoat
semgrep --config=auto

Writing a ruleโ€‹

Once Semgrep is running locally, see the Semgrep Tutorial to learn how to write precise rules to check your code.

Semgrep rules can cover a wide range of use cases:

  • Automating code review comments.
  • Detecting secure coding violations.
  • Detecting API routes, database models, or similar code segments.
  • Identifying authentication violations.
  • Lightweight vulnerability detection.
  • Scanning configuration files.
  • And more! Check out more use cases here.

Visit Writing Rules > Getting started for an in-depth guide and reference material.

This rule is used to find and discourage print(...) in production code. You can edit this rule here or visit the Playground to write and deploy your own rule.

A reviewer writes a Semgrep rule and adds it to an organization-wide policy

A reviewer writes a Semgrep rule and adds it to an organization-wide policy.

Run Semgrep continuouslyโ€‹

Semgrep is at its best when used to continuously scan code. Check out Semgrep CI to learn how to get results where you already work: GitHub, GitLab, Slack, Jira, and more. To get results even earlier in the development process, such as in a Git pre-commit hook or VS Code, check the available Semgrep extensions.

For teams running Semgrep on multiple projects, see Semgrep App. Its free and paid tiers let users:

  1. Centrally define code standards.
  2. Monitor the impact of standards.
  3. Host private rules.
  4. Push notifications to 3rd-party services.


We release new Semgrep versions often! See upgrading for more details.