Getting started with Semgrep CLI
Running Semgrep locallyโ
Start by running Semgrep locally to scan your code. Semgrep runs offline on uncompiled code. No code leaves your computer.
Prerequisite: Semgrep requires Python 3.7 or later.
- Install Semgrep. Use one of the following options depending on your system and preference:
- For macOS:
brew install semgrep - For Ubuntu, Windows through Windows Subsystem for Linux (WSL), Linux, macOS:
python3 -m pip install semgrep - To try out Semgrep without installation you may run it through Docker:
docker run --rm -v "${PWD}:/src" returntocorp/semgrep semgrep --config=auto
- For macOS:
- Confirm installation by printing help manual page to your terminal. To do so, run the following command:
semgrep --help - Run recommended Semgrep Registry rules:
Substitute the optional placeholdersemgrep --config=auto [PATH/TO/SRC][PATH/TO/SRC]with the path to your source code.
By default, when Semgrep Registry is used, Semgrep collects usage metrics.
Next stepsโ
By completing this guide, you are now familiar with a simple use of Semgrep. Here are some additional resources to follow:
- See Running rules to try out and understand more about Semgrep rules.
- Explore the Semgrep Rules Registry to add rules to your project or writing a rule.
- See CLI Reference for command line options and exit codes.
Testing Semgrep on vulnerable repositoriesโ
The following community projects are designed to test code scanners and teach security concepts. Try cloning and scanning them with Semgrep.
Expand for sample projects! ๐
# juice-shop, a vulnerable Node.js + Express app:
git clone https://github.com/bkimminich/juice-shop
cd juice-shop
semgrep --config=auto
# Or if you don't have Semgrep installed, replace the semgrep command with:
docker run --rm -v "$(pwd)/juice-shop:/src" returntocorp/semgrep semgrep --config p/security-audit /src
# Try railsgoat, a vulnerable Ruby on Rails app:
git clone https://github.com/OWASP/railsgoat
cd railsgoat
semgrep --config=auto
# govwa, a vulnerable Go app:
git clone https://github.com/0c34/govwa
cd govwa
semgrep --config=auto
# Vulnerable-Flask-App, vulnerable Python + Flask:
git clone https://github.com/we45/Vulnerable-Flask-App
cd Vulnerable-Flask-App
semgrep --config=auto
# WebGoat, a vulnerable Java + Spring app:
git clone https://github.com/WebGoat/WebGoat
cd WebGoat
semgrep --config=auto
Run Semgrep continuouslyโ
Semgrep is at its best when used to continuously scan code. Check out Semgrep in CI to learn how to get results where you already work: GitHub, GitLab, Slack, Jira, and more. To get results even earlier in the development process, such as in a Git pre-commit hook or VS Code, check the available Semgrep extensions.
Check out Semgrep App to integrate CI with PR or MR comments, monitor progress, host private rules (paid tier), and much more!
Upgradingโ
We release new Semgrep versions often! See upgrading for more details.