
Reporting false negatives with shouldafound

Directly report code that Semgrep did not match as you expected with the shouldafound option. The shouldafound option enables you to report false negatives (vulnerabilities that were not detected) without leaving your command-line interface (CLI).

Shouldafound is useful in contexts such as:

  • A bug report uncovers an SQL injection vulnerability that needs to be caught by Semgrep.
  • You found issues manually during a code review, but you want Semgrep to find these issues automatically next time.
  • A security consultant reviews customer code and adds anonymized versions of their findings so Semgrep can help them find that issue automatically in the future.

This example guides you through steps to report false negatives with Semgrep CLI:

  1. See the following example file file.go:

    package main

    import "fmt"

    func main() {
        fmt.Println("foo")
    }
  2. In your command-line, run the following command:

    semgrep shouldafound --email "" \
    -m "Semgrep missed vulnerable code here" \
    --start 5 --end 7 path/to/my/file.go

    Specify the lines of code to report as false negatives using the --start and --end options. The example above reports lines 5 through 7 (inclusive).

    This sends the following information to r2c:

    {
      "email": "",
      "lines": "func main() {\n fmt.Println(\"foo\")\n}\n",
      "message": "Semgrep missed vulnerable code here",
      "path": "path/to/my/file.go"
    }
  3. Press y to send this information to r2c:

    OK to send? [y/N]: y

    Note: Anonymize the data you send to us, as shouldafound creates Semgrep Playground links which are public to anyone with access to the URL.

If you send the code, you receive the following notice in your command-line:

Sent feedback. Thanks for your contribution!
You can view and extend the generated rule template here:
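Because the Playground link is public, it helps to see exactly what will leave your machine before answering y. The following is an added Python example, not semgrep's own code: it rebuilds the payload shown above from a 1-indexed --start/--end range. The file contents and the four-field payload shape are assumed from this page; a real shouldafound run may send additional fields.

```python
import json

# Constructed sample mirroring the page's file.go (single-space indent so the
# extracted snippet matches the "lines" value shown on the page).
SAMPLE_FILE = 'package main\n\nimport "fmt"\n\nfunc main() {\n fmt.Println("foo")\n}\n'


def extract_lines(source: str, start: int, end: int) -> str:
    """Return lines start..end (1-indexed, inclusive), newline-terminated.

    Mirrors the --start/--end semantics on the page: 5..7 of file.go yields the
    func main() block. Out-of-range values raise instead of producing an empty
    or truncated snippet that would be reported without anyone noticing.
    """
    lines = source.splitlines(keepends=True)
    if start < 1 or end < start or end > len(lines):
        raise ValueError(f"line range {start}-{end} is outside 1-{len(lines)}")
    snippet = "".join(lines[start - 1:end])
    return snippet if snippet.endswith("\n") else snippet + "\n"


def build_payload(path: str, source: str, start: int, end: int,
                  message: str, email: str = "") -> dict:
    """Assemble the fields the page shows shouldafound sending (assumed shape)."""
    return {
        "email": email,
        "lines": extract_lines(source, start, end),
        "message": message,
        "path": path,
    }


def preview(payload: dict) -> str:
    """Render the payload as JSON for review before answering 'OK to send?'."""
    return json.dumps(payload, indent=2, sort_keys=True)


if __name__ == "__main__":
    # Same arguments as the semgrep shouldafound invocation on this page.
    report = build_payload("path/to/my/file.go", SAMPLE_FILE, 5, 7,
                           "Semgrep missed vulnerable code here")
    print(preview(report))
```

Review the printed snippet for customer identifiers, hostnames, or credentials before you confirm the upload.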
