
Semgrep Code overview

Semgrep Code is a static application security testing (SAST) tool that detects security vulnerabilities in your first-party code.

You can use Semgrep Code to scan local repositories or integrate it into your CI/CD pipeline to automate the continuous scanning of your code.

Rules

Semgrep Code uses rules, which encapsulate pattern matching logic and data flow analysis, to scan your code for security issues, style violations, bugs, and more. Semgrep generates and reports findings to you whenever it finds code that matches the patterns defined by rules.

In addition to rules available in the Registry, you can write custom rules to determine what Semgrep Code detects in your repositories. Whether you use pre-existing rules or write custom rules, knowing which rules Semgrep Code runs can help you understand how it detects security issues.

Semgrep Code is transparent: you can configure which rules it runs and inspect a rule's syntax to understand how a finding was detected. You can also customize the content of a rule to improve its true positive rate or to have Semgrep send a more relevant message to developers.
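As an added illustration that is not taken from the Semgrep documentation, the following custom rule shows the pieces a rule encapsulates: a taint source, a sink, a sanitizer, and the message developers see. The rule id, the Flask and subprocess patterns it targets, and the metadata values are assumptions chosen for this example.

```yaml
# Hypothetical custom rule (constructed for this example, not a Registry rule).
# Taint mode tracks data flow from a source to a sink; Semgrep CE follows that
# flow only inside one function, while Semgrep Code's cross-function analysis
# also follows it through helper functions defined in the same file.
rules:
  - id: example-request-param-to-subprocess
    languages: [python]
    severity: ERROR
    mode: taint
    message: >-
      Untrusted request parameter reaches subprocess.run() via `$CMD`.
      Build the argument list without shell=True, or escape the value with
      shlex.quote() before it is used.
    # Where untrusted data enters: a query-string parameter read by Flask.
    pattern-sources:
      - pattern-either:
          - pattern: flask.request.args.get(...)
          - pattern: flask.request.args[...]
    # Where it must not arrive unsanitized: the command passed to subprocess.
    pattern-sinks:
      - patterns:
          - pattern: subprocess.run($CMD, ...)
          # Report the finding on the tainted argument, not the whole call.
          - focus-metavariable: $CMD
    # Values that pass through these calls are treated as cleaned.
    pattern-sanitizers:
      - pattern: shlex.quote(...)
    metadata:
      category: security
      # Example metadata values; adjust to match your own rule conventions.
      technology: [flask]
      confidence: MEDIUM
```

Save the rule as a .yaml file and pass it with `semgrep --config <path>` for a local scan, or add it to your organization's custom rules so that Semgrep Code runs it in CI.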

Findings

Semgrep AppSec Platform displays Semgrep Code's findings. Additionally, the platform allows you to:

  • Triage findings
  • Send alerts and notifications or create tickets to track findings identified by Semgrep Code
  • Customize how Semgrep Code scans your repositories
  • Manage your users and facilitate team collaboration in remediating security issues

Semgrep CE versus Semgrep Code analysis

By default, Semgrep Code can analyze interactions beyond a single function but within a single file, a process known as cross-function or interprocedural analysis. This narrower scope (compared with cross-file analysis) keeps scans fast and easy to integrate into developer workflows.

Semgrep Community Edition (CE) can only analyze interactions within a single function, known as intraprocedural or single-function analysis. This narrower scope also means that Semgrep CE is slightly faster than Semgrep Code.

Semgrep Code also supports cross-file (interfile) analysis. These scans produce fewer false positives and more true positives, but they take longer to complete.

Enable Semgrep Code

  1. Sign in to Semgrep AppSec Platform.
  2. Click Settings.
  3. In the Deployment tab, click the Code scans toggle if it is not already enabled.

Subsequent scans now include Code scans.

Run Semgrep Code scans with single-function analysis

In some cases, you may want to scan using Semgrep CE's single-function analysis. To do this, edit the semgrep ci command in your CI provider's configuration file to add either the --pro-languages or the --oss-only flag:

# Preferred; includes support for all Semgrep Code languages
semgrep ci --pro-languages

# Does not include all Semgrep Code language features
semgrep ci --oss-only

Augment Semgrep Code with Semgrep Assistant

Semgrep Assistant provides AI-powered security recommendations to help you review, triage, and remediate your Semgrep findings. More specifically, Assistant can:

  • Provide remediation advice and autofixes, or suggested fixes, for Semgrep Code findings. This information is displayed in Semgrep AppSec Platform.
  • Provide remediation guidance with step-by-step instructions on how to remediate the finding identified by Semgrep Code in every pull request or merge request comment Semgrep pushes.
    • Assistant supports the tailoring of its remediation guidance using Memories.
  • Tag your findings in Semgrep AppSec Platform to help identify high-priority issues.
  • Auto-triage findings and suggest whether a finding can safely be ignored.
  • Filter out potential false positives to help increase developer velocity.
  • Help you write custom rules to find patterns and vulnerabilities specific to your codebase.
