LinuxCommandLibrary

semgrep

TLDR

Scan the current directory, letting semgrep pick registry rules for the languages it detects
$ semgrep --config auto
Scan a specific directory
$ semgrep --config auto [src/]
Use a rule pack from the Semgrep registry
$ semgrep --config p/[security-audit]
Use a local rule file
$ semgrep --config [rules.yaml] [src/]
Output findings as JSON
$ semgrep --json --config auto
Search for a one-off pattern in a given language (--lang is used with -e/--pattern, not with --config)
$ semgrep -e '[pattern]' --lang [python] [src/]

SYNOPSIS

semgrep [options] [targets...]

DESCRIPTION

semgrep is a fast static analysis tool for finding bugs, detecting security issues, and enforcing code standards. Rules are written in the syntax of the target language itself: a pattern looks like the code it should match, with metavariables such as $X standing in for names and expressions and ... standing in for arbitrary arguments or statements, and matching is done on the parsed code rather than on text.
The tool supports 30+ languages and has a public registry of community and vendor rules for common security issues and code quality checks.

PARAMETERS

--config config
Rule source: a local rule file or directory, a registry pack such as p/security-audit, or auto to let semgrep choose registry rules for the languages it detects. May be repeated.
-e, --pattern pattern
A one-off pattern to search for instead of a rule file; requires --lang.
-l, --lang language
Language to parse the pattern and the targets as; used together with -e/--pattern.
--json
JSON output.
--sarif
SARIF output, for code-scanning dashboards.
-a, --autofix
Write each matching rule's fix into the target files; combine with --dryrun to print the changes instead of applying them.
--exclude pattern
Skip files and directories matching the pattern.
--include pattern
Scan only files matching the pattern.
-o, --output file
Write output to file instead of stdout.
--severity level
Report only findings from rules of the given severity (INFO, WARNING or ERROR); may be repeated.
--verbose
Verbose output.
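The following shell script is an added example for this page, not part of the semgrep project or its documentation. It writes a two-rule policy file that shows the pattern syntax described above (metavariables, ..., pattern-not, and a fix that reuses a bound metavariable), writes a small constructed Python target, and then runs semgrep with --json, -o, --autofix and --dryrun against it. The rule ids, file names and sample code are invented for the demo; --error, used for the CI-style exit status, is a real semgrep flag that this page's parameter list does not mention. write_demo() and the rule_ids/rule_count helpers work without semgrep installed; scan() needs semgrep on PATH.

```shell
#!/bin/sh
# Added example for this page; not semgrep's own code. Rule ids, file names
# and the target program are constructed for the demo.
set -eu

write_demo() {
  dir="${1:-$(mktemp -d)}"

  # Two rules. Patterns are written as Python: $NAME metavariables bind names
  # or expressions, and "..." matches any run of arguments.
  cat > "$dir/rules.yaml" <<'EOF'
rules:
  - id: python-subprocess-shell-true
    languages: [python]
    severity: ERROR
    message: >-
      subprocess.$FUNC called with shell=True and a non-literal command ($CMD);
      this is command injection if $CMD carries untrusted input. Pass an
      argument list and drop shell=True.
    patterns:
      - pattern: subprocess.$FUNC($CMD, ..., shell=True, ...)
      # "..." as a string pattern matches any string literal, so a constant
      # command line is excluded from the finding.
      - pattern-not: subprocess.$FUNC("...", ..., shell=True, ...)
    metadata:
      cwe: "CWE-78"
  - id: python-yaml-load-unsafe
    languages: [python]
    severity: WARNING
    message: yaml.load without a safe Loader can instantiate arbitrary objects; use yaml.safe_load.
    pattern: yaml.load($DATA)
    # A metavariable bound by the pattern can be reused in the autofix.
    fix: yaml.safe_load($DATA)
EOF

  # Constructed target: the first two calls should be reported, the third not.
  cat > "$dir/app.py" <<'EOF'
import subprocess
import yaml

def list_dir(user_path):
    subprocess.call("ls " + user_path, shell=True)   # expected: python-subprocess-shell-true

def parse(doc):
    return yaml.load(doc)                             # expected: python-yaml-load-unsafe

def version():
    subprocess.call("uname -a", shell=True)           # literal command: no finding
EOF
  printf '%s\n' "$dir"
}

# Rule ids declared in a rule file (pure shell; used for the self-check).
rule_ids() {
  sed -n 's/^  - id: //p' "$1"
}

rule_count() {
  rule_ids "$1" | grep -c .
}

scan() {
  dir="$1"
  if ! command -v semgrep >/dev/null 2>&1; then
    echo "semgrep not on PATH; demo files were written to $dir" >&2
    return 2
  fi
  # --json with -o writes machine-readable findings to a file; --error makes
  # the exit status 1 when anything was found, which is what a CI gate wants.
  if semgrep --config "$dir/rules.yaml" --json --error \
       -o "$dir/findings.json" "$dir/app.py" >/dev/null 2>&1; then
    echo "no findings"
  else
    echo "findings by rule:"
    grep -o '"check_id": *"[^"]*"' "$dir/findings.json" | sort | uniq -c
  fi
  # Show the yaml.load -> yaml.safe_load rewrite without modifying app.py.
  semgrep --config "$dir/rules.yaml" --autofix --dryrun "$dir/app.py"
}

# Run the whole demo when invoked as: sh semgrep_demo.sh run
if [ "${1:-}" = "run" ]; then
  scan "$(write_demo)"
fi
```

Running the script with the argument run writes the two files to a temporary directory, prints the finding count per rule id from the JSON output, and then prints the proposed yaml.safe_load rewrite as a dry run. Drop --dryrun only after reviewing that diff, since --autofix edits files in place.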

CAVEATS

Rule quality in the registry varies, and false positives need tuning per codebase. Writing custom rules has a learning curve. Large codebases can take a long time to scan. --config auto and p/ packs fetch rules from the Semgrep registry, so they need network access; pin local rule files for offline or reproducible runs. --autofix edits files in place, so preview with --dryrun first.

HISTORY

semgrep was developed by r2c (now Semgrep Inc.) and released around 2019. It built on academic research to create a practical, language-aware grep for code analysis.

SEE ALSO

grep(1), ast-grep(1), eslint(1), pylint(1)
