Semgrep Code overview
Semgrep Code is a static application security testing (SAST) tool that detects security vulnerabilities in your first-party code.
You can use Semgrep Code to scan local repositories or integrate it into your CI/CD pipeline to automate the continuous scanning of your code.
Rules
Semgrep Code uses rules, which encapsulate pattern matching logic and data flow analysis, to scan your code for security issues, style violations, bugs, and more. Semgrep generates and reports findings to you whenever it finds code that matches the patterns defined by rules.
In addition to rules available in the Registry, you can write custom rules to determine what Semgrep Code detects in your repositories. Whether you use pre-existing rules or write custom rules, knowing which rules Semgrep Code runs can help you understand how it detects security issues.
Semgrep Code is transparent; you can configure the rules it runs and inspect its syntax to understand how the finding was detected. You can also customize the content of a rule to improve the true positive rate of a rule or have Semgrep send a relevant message to developers.
Findings
Semgrep AppSec Platform displays Semgrep Code's findings. Additionally, the platform allows you to:
- Triage findings
- Send alerts and notifications or create tickets to track findings identified by Semgrep Code
- Customize how Semgrep Code scans your repositories
- Manage your users and facilitate team collaboration in remediating security issues
OSS versus Semgrep Code analysis
By default, Semgrep Code can analyze interactions beyond a single function but within a single file, a process known as cross-function or interprocedural analysis. This smaller scope of analysis makes it faster and easier to integrate into developer workflows.
Semgrep OSS can only analyze interactions within a single function, known as intraprocedural or single-function analysis. Because its scope is narrower, Semgrep OSS is slightly faster than Semgrep Code.
Semgrep Code also supports cross-file (interfile) analysis. These scans produce fewer false positives and more true positives, but take longer to complete.
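To make the difference between single-function and cross-function analysis concrete, here is an added toy taint tracker over Python's own AST (example code, not Semgrep's engine or rules). It assumes a constructed sample module in which `user_input` is the untrusted source and `run_shell` the sink; the same flow is reported only when taint is allowed to follow arguments into callees within the file.

```python
import ast

SOURCE, SINK = "user_input", "run_shell"  # constructed names: untrusted source / dangerous sink
# Constructed sample module: in handler -> execute the taint crosses a function call.
SAMPLE = """
def execute(cmd):
    run_shell(cmd)            # sink reached through a parameter
def handler():
    data = user_input()       # source
    execute(data)             # flow continues in another function
def direct():
    run_shell(user_input())   # source and sink inside one function
def safe():
    run_shell("ls -l")        # constant argument: no taint
"""

def _is_tainted(expr, tainted):
    """True if the expression contains a source call or a tainted variable."""
    return any((isinstance(n, ast.Call) and isinstance(n.func, ast.Name) and n.func.id == SOURCE)
               or (isinstance(n, ast.Name) and n.id in tainted) for n in ast.walk(expr))

def _tainted_calls(func, tainted_params):
    """Propagate taint through one body in statement order; return [(callee, arg_index)]."""
    tainted = {p.arg for i, p in enumerate(func.args.args) if i in tainted_params}
    calls = []
    for stmt in func.body:
        for node in ast.walk(stmt):
            if isinstance(node, ast.Assign) and _is_tainted(node.value, tainted):
                tainted |= {t.id for t in node.targets if isinstance(t, ast.Name)}
            elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
                calls += [(node.func.id, i) for i, a in enumerate(node.args) if _is_tainted(a, tainted)]
    return calls

def find_sinks(source, cross_function):
    """Names of functions whose sink call receives tainted data. cross_function=False stops
    at function boundaries; True also follows tainted arguments into same-file callees."""
    funcs = {n.name: n for n in ast.parse(source).body if isinstance(n, ast.FunctionDef)}
    tainted_params = {name: set() for name in funcs}
    while True:  # iterate to a fixed point over which parameters are tainted
        findings, changed = set(), False
        for name, func in funcs.items():
            calls = _tainted_calls(func, tainted_params[name])
            if any(callee == SINK for callee, _ in calls):
                findings.add(name)
            for callee, idx in calls:
                if cross_function and callee in funcs and idx not in tainted_params[callee]:
                    tainted_params[callee].add(idx)
                    changed = True
        if not changed:
            return findings
```

With `cross_function=False` only `direct` is reported; with `cross_function=True` the sink in `execute` is also flagged, because the tainted value arriving from `handler` is followed into the callee.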
Enable Semgrep Code
- Sign in to Semgrep AppSec Platform.
- Click Settings.
- In the Deployment tab, click the Code scans toggle if it is not already enabled.
Subsequent scans now include Code scans.
Run Semgrep Code scans with single-function analysis
In some cases, you may want to scan using Semgrep OSS's single-function analysis. To do this, edit your semgrep ci command in your CI provider's configuration file with either the --pro-languages or --oss-only flag:
# Preferred; includes support for all Semgrep Code languages
semgrep ci --pro-languages
# Does not include all Semgrep Code language features
semgrep ci --oss-only
Next steps
- View your findings.
- Customize how Semgrep Code scans your repository by modifying the default rules set or writing your own rules.
- Enable autofix so that Semgrep can push code suggestions to GitHub or GitLab to help your developers resolve findings.
- Enable cross-file scanning.
Further reading
- Read the Trail of Bits Automated Testing Handbook to learn about configuring and optimizing security tools, including Semgrep.