Semgrep JSON and SARIF fields
This reference provides Semgrep fields for JSON and SARIF output.
For fields that are exclusive to Semgrep AppSec Platform, you must sign in to generate values for those fields.
Semgrep Code
JSON
JSON top-level fields
These tables provide a partial overview of the fields available to Semgrep Community Edition (CE) and Semgrep AppSec Platform. Refer to the sample schema for all the fields.
| Field | Semgrep CE | Semgrep AppSec Platform |
|---|---|---|
errors | ✅ | ✅ |
interfile_languages_used | ❌ | ✅ |
paths | ✅ | ✅ |
results | See results object | |
skipped_rules | ✅ | ✅ |
version | ✅ | ✅ |
results object
| Field | Semgrep CE | Semgrep AppSec Platform |
|---|---|---|
check_id | ✅ | ✅ |
end | ✅ | ✅ |
extra | See extra object | |
skipped_rules | ✅ | ✅ |
start | ✅ | ✅ |
paths | ✅ | ✅ |
extra object
| Field | Semgrep CE | Semgrep AppSec Platform |
|---|---|---|
engine_kind | ✅ | ✅ |
fingerprint | ❌ | ✅ |
fix | ✅ | ✅ |
is_ignored | ❌ | ✅ |
lines* | ❌ | ✅ |
message | ✅ | ✅ |
metadata | See metadata object | |
metavars | ❌ | ✅ |
severity | ✅ | ✅ |
validation_state(for Secrets scans only) | ✅ | ✅ |
*lines refers to the text of the matched lines, not the line numbers themselves. See the results object to view line numbers.
metadata object
| Field | Semgrep CE | Semgrep AppSec Platform |
|---|---|---|
category | ✅ | ✅ |
confidence | ✅ | ✅ |
cwe | ✅ | ✅ |
impact | ✅ | ✅ |
license | ✅ | ✅ |
likelihood | ✅ | ✅ |
owasp | ✅ | ✅ |
references | ✅ | ✅ |
semgrep.dev | ❌ | ✅ |
semgrep.policy | ❌ | ✅ |
shortlink | ✅ | ✅ |
source | ✅ | ✅ |
subcategory | ✅ | ✅ |
technology | ✅ | ✅ |
vulnerability_class | ✅ | ✅ |
JSON example output
The following snippet is a JSON output example with all the fields for Semgrep Code.
{
"check_id": "yaml.github-actions.security.run-shell-injection.run-shell-injection",
"path": "STRING",
"start":
{
"line": 18,
"col": 9,
"offset": 300
},
"end": {
"line": 18,
"col": 82,
"offset": 373
},
"extra": {
"metavars": {
"$SHELL": {
"start": {
"line": 18,
"col": 14,
"offset": 305
},
"end": {
"line": 18,
"col": 82,
"offset": 373
},
"abstract_content": "echo \"was the box ticked? ${BOX_TICKED}! (${{ inputs.box_ticked }})\""
}
},
"message": "Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: \"$ENVVAR\".",
"metadata": {
"category": "security",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections",
"https://securitylab.github.com/research/github-actions-untrusted-input/"
],
"technology": [
"github-actions"
],
"cwe2022-top25": true,
"cwe2021-top25": true,
"subcategory": [
"vuln"
],
"likelihood": "HIGH",
"impact": "HIGH",
"confidence": "HIGH",
"license": "Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license",
"vulnerability_class": [
"Command Injection"
],
"source": "https://semgrep.dev/r/yaml.github-actions.security.run-shell-injection.run-shell-injection",
"shortlink": "https://sg.run/11zk",
"semgrep.dev": {
"rule": {
"origin": "community",
"r_id": 13162,
"rule_id": "v8UQj2",
"rv_id": 1025108,
"url": "https://semgrep.dev/playground/r/akTViyp/yaml.github-actions.security.run-shell-injection.run-shell-injection",
"version_id": "akTViyp"
}
},
"dev.semgrep.actions": [
"comment"
],
"semgrep.policy": {
"id": 91181987,
"name": "Rule Board - PR Comments column",
"slug": "rule-board-pr-comments"
},
"semgrep.url": "https://semgrep.dev/r/yaml.github-actions.security.run-shell-injection.run-shell-injection"
},
"severity": "ERROR",
"fingerprint": "...",
"lines": " - run: echo \"was the box ticked? ${BOX_TICKED}! (${{ inputs.box_ticked }})\"",
"is_ignored": false,
"validation_state": "NO_VALIDATOR",
"engine_kind": "PRO"
}
}
SARIF
SARIF top-level fields
| Field | Semgrep CE | Semgrep AppSec Platform |
|---|---|---|
$schema | ✅ | ✅ |
runs | See runs object | |
version | ✅ | ✅ |
runs object
| Field | Semgrep CE | Semgrep AppSec Platform |
|---|---|---|
invocations | ✅ | ✅ |
results | See results object | |
rules | ✅ | ✅ |
semanticVersion | ✅ | ✅ |
results object
| Field | Semgrep CE | Semgrep AppSec Platform |
|---|---|---|
fingerprints | ❌ | ✅ |
locations | ✅ | ✅ |
message | ✅ | ✅ |
properties | ✅ | ✅ |
ruleId | ✅ | �✅ |
SARIF example output
The following snippet is a SARIF output example with all the fields for Semgrep Code.
{
"version": "2.1.0",
"runs": [
{
"invocations": [
{
"executionSuccessful": true,
"toolExecutionNotifications": []
}
],
"results": [
{
"fingerprints": {
"matchBasedId/v1": "..."
},
"fixes": [
{
"artifactChanges": [
{
"artifactLocation": {
"uri": "Dockerfile"
},
"replacements": [
{
"deletedRegion": {
"endColumn": 15,
"endLine": 39,
"startColumn": 1,
"startLine": 39
},
"insertedContent": {
"text": "USER non-root\nCMD [\"./main\"]"
}
}
]
}
],
"description": {
"text": "By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.\n Rule-defined fix: Semgrep rule suggested fix"
}
}
],
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "Dockerfile",
"uriBaseId": "%SRCROOT%"
},
"region": {
"endColumn": 15,
"endLine": 39,
"snippet": {
"text": "CMD [\"./main\"]"
},
"startColumn": 1,
"startLine": 39
}
}
}
],
}
],
"tool": {
"driver": {
"name": "Semgrep OSS",
"rules": [
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'."
},
"help": {
"markdown": "By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.missing-user.missing-user)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'."
},
"helpUri": "https://semgrep.dev/r/dockerfile.security.missing-user.missing-user",
"id": "dockerfile.security.missing-user.missing-user",
"name": "dockerfile.security.missing-user.missing-user",
"properties": {
"precision": "very-high",
"tags": [
"CWE-250: Execution with Unnecessary Privileges",
"MEDIUM CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"rule-board-pr-comments",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: dockerfile.security.missing-user.missing-user"
}
}
],
"semanticVersion": "1.122.0"
}
}
}
],
"$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json"
}
Semgrep Supply Chain
info
You must log in to Semgrep to scan with Semgrep Supply Chain.
JSON
JSON example output
The following snippet is a JSON output example with all the fields for Semgrep Supply Chain.
{
"version": "1.122.0",
"results": [
{
"check_id": "ssc-parity-0ddf890152a281f12fd6d01c3953da8d88ce2e7b",
"path": "go.mod",
"start": {
"line": 6,
"col": 1,
"offset": 0
},
"end": {
"line": 6,
"col": 1,
"offset": 0
},
"extra": {
"metavars": {},
"message": "Affected versions of github.com/gin-gonic/gin are vulnerable to Download of Code Without Integrity Check.",
"metadata": {
"confidence": "LOW",
"category": "security",
"cve": "CVE-2023-29401",
"cwe": [
"CWE-494: Download of Code Without Integrity Check"
],
"ghsa": "GHSA-2c4m-59x9-fr2g",
"owasp": [
"A06:2021 - Vulnerable and Outdated Components",
"A08:2021 - Software and Data Integrity Failures"
],
"publish-date": "2023-05-12T20:19:25Z",
"references": [
"https://github.com/advisories/GHSA-2c4m-59x9-fr2g",
"https://nvd.nist.gov/vuln/detail/CVE-2023-29401"
],
"sca-fix-versions": [
{
"github.com/gin-gonic/gin": "1.9.1"
}
],
"sca-kind": "legacy",
"sca-schema": 20230302,
"sca-severity": "MODERATE",
"sca-vuln-database-identifier": "CVE-2023-29401",
"technology": [
"go"
],
"license": "Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license",
"vulnerability_class": [
"Cryptographic Issues"
],
"semgrep.dev": {
"rule": {
"r_id": 109470,
"rv_id": 953164,
"rule_id": "4bURlK3",
"version_id": "w8TKlRo",
"url": "https://semgrep.dev/orgs/-/supply-chain/advisories?q=ssc-parity-0ddf890152a281f12fd6d01c3953da8d88ce2e7b",
"origin": "custom",
"rule_name": "ssc-parity-0ddf890152a281f12fd6d01c3953da8d88ce2e7b"
},
"src": "unchanged"
},
"source": "https://semgrep.dev/orgs/-/supply-chain/advisories?q=ssc-parity-0ddf890152a281f12fd6d01c3953da8d88ce2e7b",
"semgrep.url": "https://semgrep.dev/orgs/-/supply-chain/advisories?q=ssc-parity-0ddf890152a281f12fd6d01c3953da8d88ce2e7b",
"dev.semgrep.actions": []
},
"severity": "WARNING",
"fingerprint": "...",
"lines": "\tgithub.com/gin-gonic/gin v1.6.3 // indirect",
"is_ignored": false,
"sca_info": {
"reachability_rule": false,
"sca_finding_schema": 20220913,
"dependency_match": {
"dependency_pattern": {
"ecosystem": "gomod",
"package": "github.com/gin-gonic/gin",
"semver_range": ">=1.3.1-0.20190301021747-ccb9e902956d, <1.9.1"
},
"found_dependency": {
"package": "github.com/gin-gonic/gin",
"version": "1.6.3",
"ecosystem": "gomod",
"allowed_hashes": {},
"resolved_url": "github.com/gin-gonic/gin",
"transitivity": "transitive",
"manifest_path": "go.mod",
"lockfile_path": "go.mod",
"line_number": 6
},
"lockfile": "go.mod"
},
"reachable": false
},
"engine_kind": "OSS"
}
}
],
"errors": [],
"paths": {
"scanned": [
"go.mod"
]
},
"interfile_languages_used": [],
"skipped_rules": []
}
SARIF
SARIF example output
The following snippet is a SARIF output example with all the fields for Semgrep Supply Chain.
{
"version": "2.1.0",
"runs": [
{
"invocations": [
{
"executionSuccessful": true,
"toolExecutionNotifications": []
}
],
"results": [
{
"fingerprints": {
"matchBasedId/v1": "..."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "go.mod",
"uriBaseId": "%SRCROOT%"
},
"region": {
"endColumn": 1,
"endLine": 6,
"snippet": {
"text": "\tgithub.com/gin-gonic/gin v1.6.3 // indirect"
},
"startColumn": 1,
"startLine": 6
}
}
}
],
"message": {
"text": "Affected versions of github.com/gin-gonic/gin are vulnerable to Download of Code Without Integrity Check."
},
"properties": {
"exposure": "undetermined"
},
"ruleId": "ssc-parity-0ddf890152a281f12fd6d01c3953da8d88ce2e7b"
},
],
"tool": {
"driver": {
"name": "Semgrep OSS",
"rules": [
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Affected versions of github.com/gin-gonic/gin are vulnerable to Download of Code Without Integrity Check."
},
"help": {
"markdown": "Affected versions of github.com/gin-gonic/gin are vulnerable to Download of Code Without Integrity Check.\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/orgs/-/supply-chain/advisories?q=ssc-parity-0ddf890152a281f12fd6d01c3953da8d88ce2e7b)\n - [https://github.com/advisories/GHSA-2c4m-59x9-fr2g](https://github.com/advisories/GHSA-2c4m-59x9-fr2g)\n - [https://nvd.nist.gov/vuln/detail/CVE-2023-29401](https://nvd.nist.gov/vuln/detail/CVE-2023-29401)\n",
"text": "Affected versions of github.com/gin-gonic/gin are vulnerable to Download of Code Without Integrity Check."
},
"helpUri": "https://semgrep.dev/orgs/-/supply-chain/advisories?q=ssc-parity-0ddf890152a281f12fd6d01c3953da8d88ce2e7b",
"id": "ssc-parity-0ddf890152a281f12fd6d01c3953da8d88ce2e7b",
"name": "ssc-parity-0ddf890152a281f12fd6d01c3953da8d88ce2e7b",
"properties": {
"precision": "very-high",
"tags": [
"CWE-494: Download of Code Without Integrity Check",
"LOW CONFIDENCE",
"OWASP-A06:2021 - Vulnerable and Outdated Components",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ssc-parity-0ddf890152a281f12fd6d01c3953da8d88ce2e7b"
}
},
],
"semanticVersion": "1.122.0"
}
}
}
],
"$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json"
}
Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.