Skip to main content

Semgrep Code overview

Semgrep Code is a static application security testing (SAST) tool that detects security vulnerabilities in your first-party code.

You can use Semgrep Code to scan local repositories or integrate it into your CI/CD pipeline to automate the continuous scanning of your code.

Rules

Semgrep Code uses rules, which encapsulate pattern matching logic and data flow analysis, to scan your code for security issues, style violations, bugs, and more. Semgrep generates and reports findings to you whenever it finds code that matches the patterns defined by rules.

In addition to rules available in the Registry, you can write custom rules to determine what Semgrep Code detects in your repositories. Whether you use pre-existing rules or write custom rules, knowing which rules Semgrep Code runs can help you understand how it detects security issues.

Semgrep Code is transparent; you can configure the rules it runs and inspect its syntax to understand how the finding was detected. You can also customize the content of a rule to improve the true positive rate of a rule or have Semgrep send a relevant message to developers.

Findings

Semgrep AppSec Platform displays Semgrep Code's findings. Additionally, the platform allows you to:

  • Triage findings
  • Send alerts and notifications or create tickets to track findings identified by Semgrep Code
  • Customize how Semgrep Code scans your repositories
  • Manage your users and facilitate team collaboration in remediating security issues

OSS versus Semgrep Code analysis

By default, Semgrep Code can analyze interactions beyond a single function but within a single file, a process known as cross-function or interprocedural analysis. This smaller scope of analysis makes it faster and easier to integrate into developer workflows.

Semgrep Community Edition (CE) can only analyze interactions within a single function, known as intraprocedural or single-function analysis. However, this means that Semgrep CE is slightly faster than Semgrep Code.

Semgrep Code also supports cross-file analysis (interfile) analysis. These scans produce fewer false positives and more true positives, but take longer to complete.

Enable Semgrep Code

  1. Sign in to Semgrep AppSec Platform.
  2. Click Settings.
  3. In the Deployment tab, click the Code scans toggle if it is not already enabled.

Subsequent scans now include Code scans.

Run Semgrep Code scans with single-function analysis

In some cases, you may want to scan using Semgrep CE's single-function analysis. To do this, edit your semgrep ci command in your CI provider's configuration file with either the --pro-languages or --oss-only flags:

# Preferred; includes support for all Semgrep Code languages
semgrep ci --pro-languages

# Does not include all Semgrep Code language features
semgrep ci --oss-only

Next steps

Further reading


Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.