Semgrep integration guide for partners
We're excited that you're integrating Semgrep into your tooling! Our goal with Semgrep is to bring world-class security tools to developers based on our conviction that software will run the most exciting parts of the future. It's not something that we can do alone; we want to build a community around sharing programmatic knowledge about how to build secure software.
Requirements for integrators
- Do not resell rules from the registry, unless you acquire an explicit license from Semgrep, Inc. Semgrep rules are released under the Commons Clause License, which prohibits redistribution in a commercial product.
- State that you are using Semgrep; refer to Semgrep as capital S with the trademark: Semgrep™
- Link to semgrep.dev/login to allow users to get an API token to pass to Semgrep so they can access the Pro Engine and rules.
SEMGREP_INTEGRATION_NAMEin your environment to your domain name (for example, "xyz.com"). This helps us reproduce and debug issues with Semgrep in your environment.
- Don't integrate
semgrep scanin a CI setup. Instead use
semgrep ci, which has diff-awareness built-in and is designed to be easy to integrate into dozens of CI environments. It's also much faster.
- Enable metrics (
--metrics=on) by default, which lets the Semgrep team prioritize languages and technologies to improve speed and accuracy.
- Contribute new public rules back to the semgrep-rules repository. This helps us avoid community fragmentation and will automatically pull your rule into the searchable registry on semgrep.dev; plus Semgrep will maintain it for you!