Packages in the Semgrep docker image

Packages

In addition to the semgrep binary, the semgrep/semgrep:latest docker image contains the following packages:

  • bash
  • jq
  • curl
  • Python 3.11 (3.11-alpine base image)

The Python 3.11 docker image includes additional packages (for example, ncurses) that can change without notice. To review them, see the following links:

caution
  • Do not rely on the presence of packages from the Python 3.11 docker image in your CI workflows. They are not guaranteed to be included in the future and are not managed by Semgrep.
  • jq and curl may be removed in future Semgrep releases. You can install them directly in the docker image as a step of your CI job. For example:

    job:
      container: returntocorp/semgrep:develop
      runs-on: ubuntu-latest-16-core
      steps:
        - uses: actions/checkout@v3
        - name: Install dependencies
          run: apk add bash jq curl
        - run: semgrep scan --json ... | jq ...
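
A defensive form of that install step, as an added example that is not part of the Semgrep docs: check which tools the job actually needs instead of assuming they ship with the image, install only the ones that are missing, and fail the step if any are still absent afterwards. It assumes an Alpine-based image with apk, which the semgrep image is.

```shell
#!/bin/sh
# Added example (not from the Semgrep docs). Assumes an Alpine-based image
# such as semgrep/semgrep:latest, where packages are installed with apk.

# Print the names of the given commands that are not on PATH, one per line.
missing_tools() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || printf '%s\n' "$tool"
    done
}

# Install whatever is missing, then verify. Returns 0 when every tool is
# available, 1 when something is still missing after the install attempt.
ensure_tools() {
    missing=$(missing_tools "$@")
    if [ -n "$missing" ]; then
        # Word splitting on $missing is intended: one package name per word.
        # shellcheck disable=SC2086
        apk add --no-cache $missing || return 1
    fi
    still_missing=$(missing_tools "$@")
    if [ -n "$still_missing" ]; then
        printf 'missing after install: %s\n' "$still_missing" >&2
        return 1
    fi
    return 0
}

# Usage in a CI step (replace the "run: apk add bash jq curl" line above):
#   ensure_tools bash jq curl && semgrep scan --json ... | jq ...
```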

Previous incidents

  • Semgrep v1.66.0 removed bash, jq, and curl to reduce the attack surface of the Semgrep docker image. They were re-added in subsequent Semgrep releases.