Skip to main content

Semgrep JSON and SARIF fields

This reference provides all Semgrep fields for JSON and SARIF output.

For fields that are exclusive to Semgrep AppSec Platform, you must sign in to generate values for those fields.

JSON

Field	Semgrep CE	Semgrep AppSec Platform
`errors`	✅	✅
`interfile_languages_used`	❌	✅
`paths`	✅	✅
`results`	See `results` object
`skipped_rules`	✅	✅
`version`	✅	✅

`results` object

Field	Semgrep CE	Semgrep AppSec Platform
`check_id`	✅	✅
`end`	✅	✅
`extra`	See `extra` object
`skipped_rules`	✅	✅
`start`	✅	✅
`paths`	✅	✅

`extra` object

Field	Semgrep CE	Semgrep AppSec Platform
`engine_kind`	✅	✅
`fingerprint`	❌	✅
`fix`	✅	✅
`is_ignored`	❌	✅
`lines`	❌	✅
`message`	✅	✅
`metadata`	See `metadata` object
`metavars`	❌	✅
`severity`	✅	✅
`validation_state`(for Secrets scans only)	✅	✅

`metadata` object

Field	Semgrep CE	Semgrep AppSec Platform
`category`	✅	✅
`confidence`	✅	✅
`cwe`	✅	✅
`impact`	✅	✅
`license`	✅	✅
`likelihood`	✅	✅
`owasp`	✅	✅
`references`	✅	✅
`semgrep.dev`	❌	✅
`semgrep.policy`	❌	✅
`shortlink`	✅	✅
`source`	✅	✅
`subcategory`	✅	✅
`technology`	✅	✅
`vulnerability_class`	✅	✅

SARIF

Field	Semgrep CE	Semgrep AppSec Platform
`$schema`	✅	✅
`runs`	See `runs` object
`version`	✅	✅

`runs` object

Field	Semgrep CE	Semgrep AppSec Platform
`invocations`	✅	✅
`results`	See `results` object
`rules`	✅	✅
`semanticVersion`	✅	✅

`results` object

Field	Semgrep CE	Semgrep AppSec Platform
`fingerprints`	❌	✅
`locations`	✅	✅
`message`	✅	✅
`properties`	✅	✅
`ruleId`	✅	✅

Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.

JSON
SARIF
- runs object
- results object