Does Semgrep scan compressed files or other non-code files?
Semgrep is a pre-build security tool optimized to search for code and text patterns. It does not scan the files within a compressed archive, nor does it scan binaries (built files).
How can I scan the files inside a compressed archive file?
To scan code or text files that are stored in a compressed archive file with Semgrep, uncompress the files before performing the scan. When the scan is complete, delete the temporary files that were created.
For local scans, this can be done manually. For scans in CI, add appropriate actions to the CI config.
When using this method, extract the files to a consistent location, so that Semgrep can recognize findings within the temporary files as the same finding from one scan to the next.
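The extract, scan, and clean-up sequence above as an added shell example (not from the Semgrep docs or a Semgrep-maintained script). It assumes a .tar.gz archive, an extraction path of ./.semgrep-extracted, and a Semgrep CLI on PATH; the archive it builds is constructed for demonstration, and the scan step is skipped when semgrep is not installed so clean-up still runs.

```shell
# Added example: unpack an archive to a fixed path, scan it with Semgrep,
# then remove the temporary files so they never land in the repository.
set -eu

# Consistent extraction path so finding locations stay stable across scans.
EXTRACT_DIR="${EXTRACT_DIR:-./.semgrep-extracted}"

# Unpack a .tar.gz archive into EXTRACT_DIR, starting from an empty directory.
extract_archive() {
    archive="$1"
    rm -rf "$EXTRACT_DIR"
    mkdir -p "$EXTRACT_DIR"
    tar -xzf "$archive" -C "$EXTRACT_DIR"
}

# Scan the extracted files with a single inline pattern (works offline).
# If semgrep is not installed, report that and return 0 so clean-up still runs.
scan_extracted() {
    if command -v semgrep >/dev/null 2>&1; then
        semgrep scan --metrics=off -e 'password = "..."' -l python "$EXTRACT_DIR"
    else
        echo "semgrep not installed; skipping scan of $EXTRACT_DIR" >&2
    fi
}

# Delete the temporary files once the scan is complete.
cleanup_extracted() {
    rm -rf "$EXTRACT_DIR"
}

# Build a small constructed archive for the demonstration (not a real project).
make_sample_archive() {
    out="$1"
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/src"
    printf 'password = "hunter2"\n' > "$tmp/src/config.py"
    tar -czf "$out" -C "$tmp" src
    rm -rf "$tmp"
}

# Full sequence: extract, scan, always clean up, then return the scan's status.
scan_archive() {
    extract_archive "$1"
    rc=0
    scan_extracted || rc=$?
    cleanup_extracted
    return "$rc"
}
```

In CI, call scan_archive from the job step that runs before the regular Semgrep scan, so the extracted files are gone before the repository is uploaded or cached.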
What are the limitations of this approach?
When possible, Semgrep AppSec Platform generates hyperlinks to a finding's location within a repository and file. If the file is not persistent in the repository, and is scanned at a temporary path, then the hyperlink will lead to that temporary path and will not work properly. This may make it more difficult for developers to identify where and how to fix issues identified in the temporary files.
Currently, it is not possible to uncompress files before running a scan in Semgrep Managed Scans.