Local scans with Semgrep

Learn how to set up Semgrep, scan your project for security issues using Semgrep Code's interfile analysis, and view your findings in the CLI.

Prerequisites

Before proceeding, see Prerequisites to ensure that your machine meets Semgrep's requirements.

Recommended setup

For scans using semgrep ci:

Ensure that you have and are logged in to your Semgrep Account.
Ensure that you've enabled the Cross-file analysis toggle on Semgrep AppSec Platform's Settings page.

Set up Semgrep

Install the Semgrep CLI and confirm the installation:

# macOS users only
brew install semgrep

# macOS, Linux, or Windows Subsystem for Linux (WSL) users
python3 -m pip install semgrep

# confirm
semgrep --version

Homebrew users: ensure that you've added Homebrew to your PATH.
WSL users: Ensure that you have the Windows Subsystem for Linux installed before proceeding.

Log in to your Semgrep account

Log in to your Semgrep account. Running this command launches a browser window, but you can also use the link that's returned in the CLI to proceed:
```
semgrep login
```
In the Semgrep CLI login, click Activate to proceed.

Scan your project

Semgrep provides two commands that you can use to start a scan from the CLI:

semgrep scan - This is the recommended command for scanning local codebases and writing and testing custom rules.
semgrep ci - This is the recommended command if you are scanning git repositories with Semgrep as part of an organization with custom rules and policies. semgrep ci fetches your organization's scan configurations from Semgrep AppSec Platform.

Navigate to the root of your codebase, and run your first scan. The specific command you use depends on how you want to view the results.

To view the results in the CLI:

semgrep ci

To export the results to a plain text file:

semgrep ci --text --text-output=semgrep.txt

To export the results to a SARIF file:

semgrep ci --sarif --sarif-output=semgrep.sarif

To export the results to a JSON file:

semgrep ci --json --json-output=semgrep.json

In addition to the --text, --json, and --sarif flags, which set the primary output formats, and the --output=<value> flag that saves the results to a file or posts to a URL, you can append --<format>-output=<file> to obtain additional output streams:

# prints findings in SARIF format to standard output and writes in JSON format to `findings.json`.
semgrep ci --sarif --json-output=findings.json

# prints findings in text to standard out and writes JSON output to `findings.json`.
semgrep ci --json-output=findings.json

# prints text output to `findings.txt` and writes in SARIF to `findings.sarif`.
semgrep ci --output=findings.txt --sarif-output=findings.sarif

# writes text to `semgrep.txt`, JSON to `semgrep.json`, and SARIF to `semgrep.sarif`.
semgrep ci --text --output=semgrep.txt --json-output=semgrep.json --sarif-output=semgrep.sarif

Accepted values for <format>: text, json, sarif, gitlab-sast, gitlab-secrets, junit-xml, emacs, vim

Scan your project with a specific ruleset

You can scan your codebase using --config auto to run Semgrep with rules that apply to your programming languages and frameworks:

semgrep scan --config auto --pro

info

Semgrep collects pseudonymous metrics when you use rules from the Registry. You can turn this off with --metrics=off.

To scan your codebase with a specific ruleset, either one that you write or one that you obtain from the Semgrep Registry, use the --config flag.

# Scan with the rules defined in rules.yaml
semgrep scan --config rules.yaml

You can include as many configuration flags as necessary.

# Scan with rules defined in two separate config files
semgrep scan --config rules.yaml --config more_rules.yaml

Rules stored under a hidden directory, such as dir/.hidden/myrule.yml, are processed by Semgrep when scanning with the --config flag.

Scan with rules in a directory and all its subdirectories:

semgrep scan --config DIRECTORY_NAME

Scan with all YAML rules detected in the current working directory and all its subdirectories:

semgrep scan --config .

Test custom rules

Semgrep includes functionality to test the custom rules that you write:

semgrep scan --test

Publish custom rules

To share your rules by adding them to the Semgrep Registry:

semgrep publish <path/to/rules>

Scan without sending results to Semgrep

To scan your project using the configuration you've set up in Semgrep AppSec Platform without sending scan results to Semgrep, use:

semgrep ci --dry-run

This can be helpful to verify the results of a specific ruleset or to see how your findings change based on the rulesets you choose for your scans.

Scan using OSS-only analysis (single-function)

To scan your project using exclusively open-source Semgrep, even though you have proprietary cross-file analysis enabled in Semgrep AppSec Platform:

semgrep ci --oss-only

info

See Semgrep Pro versus Semgrep OSS for information on the differences between Semgrep's proprietary and open-source analyses.

Scan using specific Semgrep Products

When you run semgrep ci, you scan your project with any product that is enabled in Semgrep AppSec Platform. To scan your project with just one product, run:

# scan with Semgrep Code
semgrep ci --code

# scan with Semgrep Supply Chain
semgrep ci --supply-chain

# scan with Semgrep Secrets
semgrep ci --secrets

Extend timeout thresholds

Depending on the file sizes in your project, you may need to increase the timeout threshold so that Semgrep doesn't time out before the scan completes. You can control this value using the --timeout flag, which refers to the maximum amount of time Semgrep spends scanning a single file. The default value is 5 seconds. Semgrep attempts to scan each file with this timeout value three times, but you can change this using the --timeout-threshold flag:

# increase timeout to 45 seconds, try only 2 times
semgrep ci --timeout 30 --timeout-threshold 2

Improve performance for large codebases

You can set the number of subprocesses Semgrep uses to run checks in parallel:

semgrep scan -j NUMBER_OF_SUBPROCESSES

By default, the number of jobs Semgrep uses is equivalent to the number of cores detected on the system, but -j = 1 if you're passing in --pro. For additional information, see Parallelization.

Set log levels

Semgrep provides three levels of logging:

Log level	Flag	Description
Default	None	Prints scan progress, findings information, warnings, and errors.
Verbose	`-v` or `--verbose`	Includes everything printed when using the default logging level, adding a list of rules and details such as skipped files.
Debug	`--debug`	Logs the entire scan process at a high level of detail.

Example usage

To set the logging level for a scan, include the flag when scanning your project:

# run a scan and get debug logs
semgrep ci --debug

Exit codes

The CLI commands semgrep ci and semgrep scan finish with exit code 0 as long as the scan completes, regardless of whether there were findings. To finish with exit code 1 when there are findings:

Configure blocking rules
Pass in the --error flag when running semgrep scan.

When you run semgrep ci, you can pass in the --no-suppress-errors if you don't want internal errors suppressed.

Log out

To log out of your Semgrep account:

semgrep logout

Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.

Local scans with Semgrep

Prerequisites​

Recommended setup​

Set up Semgrep​

Log in to your Semgrep account​

Scan your project​

Scan your project with a specific ruleset​

Test custom rules​

Publish custom rules​

Scan without sending results to Semgrep​

Scan using OSS-only analysis (single-function)​

Scan using specific Semgrep Products​

Extend timeout thresholds​

Improve performance for large codebases​

Set log levels​

Example usage​

Exit codes​

Log out​