Packages in the Semgrep docker image

Packages

In addition to the semgrep binary, the semgrep/semgrep:latest docker image contains the following packages:

  • bash
  • jq
  • curl
  • Python 3.11 (alpine:3.19 base image)

The Alpine 3.19 docker image includes additional packages that can change without notice. To review them, run docker run alpine:3.19 apk list.

caution
  • Do not rely on the presence of packages from the Alpine docker image in your CI workflows. They are not guaranteed to be included in the future and are not managed by Semgrep.
  • jq and curl may be removed in future Semgrep releases. You can install them directly in the docker image. For example:
      job:
        container: semgrep/semgrep:latest
        runs-on: ubuntu-latest-16-core
        steps:
          - uses: actions/checkout@v3
          - name: Install dependencies
            run: apk add bash jq curl
          - run: semgrep scan --json ... | jq ...

Previous incidents

  • Semgrep v.1.66.0 removed bash, jq, and curl to reduce the attack surface of the Semgrep docker image. They were subsequently re-added for future Semgrep releases.