semgrep
Lightweight static analysis for code security and quality
TLDR
Scan with rules
SYNOPSIS
semgrep [options] [targets...]
DESCRIPTION
semgrep is a fast, lightweight static analysis tool for finding bugs, detecting security vulnerabilities, and enforcing code standards across 30+ programming languages. Unlike traditional grep, it understands code structure and uses pattern-matching with syntax that resembles the target language, making rules intuitive to write and read.
Rules can be sourced from the Semgrep registry using --config auto for recommended checks, from curated rule packs like p/security-audit for specific categories, or from local YAML files for custom project rules. The --autofix option can automatically apply suggested fixes for certain findings.
Output formats include human-readable text, JSON for tooling integration, and SARIF for compatibility with code scanning platforms like GitHub Advanced Security. The tool integrates naturally into CI/CD pipelines for continuous code quality enforcement.
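As an added illustration of the local YAML rule format and the --autofix behaviour described above (this is example material, not part of the original page or of the Semgrep project; the rule id, file name and the CWE annotation are chosen for this example), here is a complete custom rule that flags PyYAML deserialization without a safe loader and carries a fix:

```yaml
# Hypothetical local rule file: unsafe-yaml-load.yaml (constructed for this example)
rules:
  - id: example-unsafe-yaml-load        # rule id chosen for this example
    languages: [python]
    severity: ERROR
    message: >-
      yaml.load() without a safe Loader can construct arbitrary Python objects
      from attacker-controlled input. Use yaml.safe_load() instead.
    metadata:
      category: security
      cwe: "CWE-502: Deserialization of Untrusted Data"
    patterns:
      # Match any yaml.load(...) call, capturing the first argument as $DATA ...
      - pattern: yaml.load($DATA, ...)
      # ... but not calls that already pass a safe loader, by keyword or position.
      - pattern-not: yaml.load($DATA, Loader=yaml.SafeLoader, ...)
      - pattern-not: yaml.load($DATA, Loader=yaml.CSafeLoader, ...)
      - pattern-not: yaml.load($DATA, yaml.SafeLoader)
      - pattern-not: yaml.load($DATA, yaml.CSafeLoader)
    # Only applied when semgrep runs with --autofix; $DATA is filled in from the match.
    fix: yaml.safe_load($DATA)
```

Run it against a tree with `semgrep --config unsafe-yaml-load.yaml --json -o findings.json src/`; adding `--autofix` rewrites each match in place, so review the diff before committing. The `pattern-not` clauses are where false-positive tuning happens: each one excludes a call shape that is already safe, and a fixture file annotated with `# ruleid: example-unsafe-yaml-load` and `# ok: example-unsafe-yaml-load` comments can be checked with `semgrep --test` to confirm the rule still matches exactly the intended lines after each adjustment.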
PARAMETERS
--config config
Rules configuration.
--lang language
Target language.
--json
JSON output.
--sarif
SARIF output.
--autofix
Apply automatic fixes.
--exclude pattern
Exclude paths.
--include pattern
Include paths.
-o file
Output to file.
--severity level
Minimum severity.
--verbose
Verbose output.
CAVEATS
Rule quality varies between sources. False positives require tuning of the rules in use. Writing custom rules has a learning curve. Scans of large codebases can be slow.
HISTORY
semgrep was developed by r2c (now Semgrep Inc.) and released around 2019. It built on academic research to create a practical, language-aware grep for code analysis.
