Existing and custom Semgrep rules can be run locally via the CLI or continuously in CI. See Getting started for their respective installation and setup.
Run registry rules
Explore the Semgrep Registry and run rules and rulesets via:
```sh
# Run a ruleset with rules for many languages using --config
$ semgrep --config=<ruleset-id> path/to/src
$ semgrep --config p/r2c-ci path/to/src
```
Rulesets can be added to Semgrep CI scans using their "Add to Policy" button on Semgrep Community and Semgrep Team.
Run local rules
See Writing rules > Getting started to learn how to write rules.
Local rules can be ephemeral, passed inline with the `--pattern` flag (`-e` for short), or run from YAML rule files conforming to the Rule syntax schema.
```sh
# Check for Python == where the left and right hand sides are the same (often a bug)
$ semgrep -e '$X == $X' --lang=py path/to/src

# Run local YAML rule files
$ semgrep --config path/to/yaml
```
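The same self-comparison check written as a YAML rule file, as an added example that is not from the Semgrep documentation; it shows the fields the Rule syntax schema requires (`id`, `message`, `severity`, `languages`, and a pattern clause) and extends the ephemeral pattern to `!=` as well. The file name `rules/self-compare.yaml` and the rule `id` are assumptions.

```yaml
# Added example: YAML rule equivalent of `semgrep -e '$X == $X' --lang=py`,
# widened to also catch `$X != $X`. Run it with:
#   semgrep --config rules/self-compare.yaml path/to/src
rules:
  - id: python-self-comparison          # assumed rule id
    languages: [python]
    severity: WARNING                    # one of ERROR, WARNING, INFO
    message: >-
      `$X` is compared with itself. This is always true for `==` and always
      false for `!=` (unless `$X` is NaN), so it is usually a typo for a
      different variable. Review the intended operands.
    metadata:
      category: correctness
    patterns:
      # Match either operator; `$X` must bind to the same expression on both sides
      - pattern-either:
          - pattern: $X == $X
          - pattern: $X != $X
      # `x != x` is a known idiom for detecting float NaN; skip it when the
      # result is immediately used as a NaN check via a call named isnan
      - pattern-not-inside: |
          def isnan(...):
            ...
```

Keep the file under the directory you pass to `--config`; a directory path runs every `.yaml`/`.yml` rule file found beneath it.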
See Ignoring Findings for details on how to suppress rule output.