semgrep-scan
Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
Name: semgrep-scan
Category: Static Code Analysis
Publisher: trickest-mhmdiaa
Created: 11/4/2024
Container: quay.io/trickest/semgrep-scan:v1.93.0-patch-3
License: Unknown
Parameters
--pro
  Inter-file analysis and Pro languages (currently Apex, C#, and Elixir). Requires Semgrep Pro Engine. See https://semgrep.dev/products/pro-engine/ for more.
--vim
  Output results in vim single-line format.
--jobs
  Number of subprocesses to use to run checks in parallel. Defaults to the number of cores detected on the system (1 if using --pro).
--json
  Output results in Semgrep's JSON format.
--lang
  Parse pattern and all files in the specified language. Must be used with -e/--pattern.
--test
  Run test suite.
--text
  Output results in text format.
--time
  Include a timing summary with the results. If the output format is json, provides times for each pair (rule, target). This feature is meant for internal use and may be changed or removed without warning. At the current moment, --trace is better supported.
--debug
  All of --verbose, but with additional debugging information.
--emacs
  Output results in Emacs single-line format.
--error
  Exit 1 if there are findings. Useful for CI and scripts.
--quiet
  Only output findings.
--sarif
  Output results in SARIF format.
--trace
  Record traces from Semgrep scans to help debugging. This feature is meant for internal use and may be changed or removed without warning.
--config
  YAML configuration file, directory of YAML files ending in .yml|.yaml, URL of a configuration file, or Semgrep registry entry name. Use --config auto to automatically obtain rules tailored to this project; your project URL will be used to log in to the Semgrep registry. To run multiple rule files simultaneously, use --config before every YAML, URL, or Semgrep registry entry name. For example `semgrep --config p/python --config myrules/myrule.yaml`. See https://semgrep.dev/docs/writing-rules/rule-syntax for information on the configuration file format.
--dryrun
  If --dryrun, does not write autofixes to a file. This will print the changes to the console. This lets you see the changes before you commit to them. Only works with the --autofix flag. Otherwise does nothing.
--legacy
  Prefer old (legacy) behavior.
--remote
  Remote will quickly checkout and scan a remote git repository of the format http[s]://<WEBSITE>/.../<REPO>.git. Must be run with --pro. Incompatible with --project-root. Note this requires an empty CWD as this command will clone the repository into the CWD. REQUIRES --experimental.
--strict
  Return a nonzero exit code when WARN level errors are encountered. Fails early if invalid configuration files are present. Defaults to --no-strict.
--autofix
  Apply autofix patches. WARNING: data loss can occur with this flag. Make sure your files are stored in a version control system. Note that this mode is experimental and not guaranteed to function properly.
--develop
  Living on the edge.
--exclude
  Skip any file or directory whose path matches PATTERN. '--exclude=*.py' will ignore the following: 'foo.py', 'src/foo.py', 'foo.py/bar.sh'. '--exclude=tests' will ignore 'tests/foo.py' as well as 'a/b/tests/c/foo.py'. Multiple '--exclude' options may be specified. PATTERN is a glob-style pattern that uses the same syntax as gitignore and semgrepignore, which is documented at https://git-scm.com/docs/gitignore#_pattern_format
--include
  Specify files or directories that should be scanned by semgrep, excluding other files. This filter is applied after these other filters: '--exclude' options, any filtering done by git (or other SCM), and filtering by '.semgrepignore' files. Multiple '--include' options can be specified. A file path is selected if it matches at least one of the include patterns. PATTERN is a glob-style pattern such as 'foo.*' that must match the path. For example, specifying the language with '-l javascript' might preselect files 'src/foo.jsx' and 'lib/bar.js'. Specifying one of '--include=src', '--include=*.jsx', or '--include=src/foo.*' will restrict the selection to the single file 'src/foo.jsx'. A choice of multiple '--include' patterns can be specified. For example, '--include=foo.* --include=bar.*' will select both 'src/foo.jsx' and 'lib/bar.js'. Glob-style patterns follow the syntax supported by gitignore and semgrepignore, which is documented at https://git-scm.com/docs/gitignore#_pattern_format
--metrics
  Configures how usage metrics are sent to the Semgrep server. If 'auto', metrics are sent whenever the --config value pulls from the Semgrep server. If 'on', metrics are always sent. If 'off', metrics are disabled altogether and not sent. If absent, the SEMGREP_SEND_METRICS environment variable value will be used. If there is no environment variable, defaults to 'auto'.
--no-time
  Negates --time.
--pattern
  Code search pattern. See https://semgrep.dev/docs/writing-rules/pattern-syntax for information on pattern features.
--profile
  <undocumented>
--secrets
  Run the Semgrep Secrets product, including support for secret validation. Requires access to Secrets; contact support@semgrep.com for more information.
--timeout
  Maximum time to spend running a rule on a single file, in seconds. If set to 0, there is no time limit. Defaults to 5.0 s.
--verbose
  Show more details about what rules are running, which files failed to parse, etc.
--dump-ast
  If --dump-ast, shows the AST of the input file or passed expression and then exits (can use --json).
--no-error
  Negates --error.
--no-trace
  Negates --trace.
--oss-only
  Run using only the OSS engine, even if the Semgrep Pro toggle is on. This may still run Pro rules, but only using the OSS features.
--severity
  Report findings only from rules matching the supplied severity level. By default all applicable rules are run. Can be added multiple times. Each should be one of INFO, WARNING, or ERROR.
--validate
  Validate configuration file(s). This will check YAML files for errors and run 'p/semgrep-rule-lints' on the YAML files. No search is performed.
--junit-xml
  Output results in JUnit XML format.
--no-dryrun
  Negates --dryrun.
--no-strict
  Negates --strict.
--diff-depth
  The depth of the Pro (interfile) differential scan: the number of steps (both on the caller and callee sides) from the targets in the call graph tracked by the deep preprocessor. Only applied in differential scan mode. Defaults to 2.
--max-memory
  Maximum system memory in MiB to use during the interfile pre-processing phase, or when running a rule on a single file. If set to 0, there is no memory limit. Defaults to 0. For CI scans that use the Pro Engine, defaults to 5000 MiB.
--no-autofix
  Negates -a/--autofix.
--force-color
  Always include ANSI color in the output, even if not writing to a TTY; defaults to using the TTY status.
--gitlab-sast
  Output results in GitLab SAST format.
--replacement
  An autofix expression that will be applied to any matches found with --pattern. Only valid with a command-line specified pattern.
--enable-nosem
  Enables 'nosem'. Findings will not be reported on lines containing a 'nosem' comment at the end. Enabled by default.
--exclude-rule
  Skip any rule with the given id. Can be added multiple times.
--experimental
  Enable experimental features.
--project-root
  The project root for gitignore and semgrepignore purposes is detected automatically from the presence of a .git/ directory in the current directory or one of its parents. If not found, the current directory is used as the project root. This option forces a specific directory to be the project root. This is useful for testing or for restoring compatibility with older semgrep implementations that only looked for a .semgrepignore file in the current directory. REQUIRES --experimental.
--disable-nosem
  Negates --enable-nosem.
--no-git-ignore
  Negates --use-git-ignore.
--optimizations
  Turn optimizations on/off. Default = 'all'. Use 'none' to turn all optimizations off.
--pro-intrafile
  Intra-file inter-procedural taint analysis. Implies --pro-languages. Requires Semgrep Pro Engine. See https://semgrep.dev/products/pro-engine/ for more.
--pro-languages
  Enable Pro languages (currently Apex, C#, and Elixir). Requires Semgrep Pro Engine. See https://semgrep.dev/products/pro-engine/ for more.
Target
  Source code folder (passed without a flag).
--gitlab-secrets
  Output results in GitLab Secrets format.
--no-force-color
  Negates --force-color.
--trace-endpoint
  Endpoint to send OpenTelemetry traces to, if `--trace` is present. The value may be `semgrep-prod` (default), `semgrep-dev`, `semgrep-local`, or any valid URL. This feature is meant for internal use and may be changed or removed without warning.
--use-git-ignore
  Skip files ignored by git. Scanning starts from the root folder specified on the Semgrep command line. Normally, if the scanning root is within a git repository, only the tracked files and the new files are scanned. Git submodules and git-ignored files are normally skipped. --no-git-ignore disables git-aware filtering. Setting this flag does nothing if the scanning root is not in a git repository.
--baseline-commit
  Only show results that are not found in this commit hash. Aborts the run if not currently in a git directory, if there are unstaged changes, or if the given baseline hash doesn't exist.
--dataflow-traces
  Explain how non-local values reach the location of a finding (only affects text and SARIF output).
--max-target-bytes
  Maximum size for a file to be scanned by Semgrep, e.g. '1.5MB'. Any input program larger than this will be ignored. A zero or negative value disables this filter. Defaults to 1000000 bytes.
--rewrite-rule-ids
  Rewrite rule ids when they appear in nested sub-directories (rule 'foo' in test/rules.yaml will be renamed 'test.foo').
--test-ignore-todo
  If --test-ignore-todo, ignores rules marked as '#todoruleid:' in test files.
--interfile-timeout
  Maximum time to spend on interfile analysis. If set to 0, there is no time limit. Defaults to 0 s for all CLI scans. For CI scans, it defaults to 3 hours.
--timeout-threshold
  Maximum number of rules that can time out on a file before the file is skipped. If set to 0, there is no limit. Defaults to 3.
--files-with-matches
  Output only the names of files containing matches. REQUIRES --experimental.
--historical-secrets
  Scans git history using Secrets rules.
--incremental-output
  Output results incrementally. REQUIRES --experimental.
--max-chars-per-line
  Maximum number of characters to show per line.
--pro-path-sensitive
  Path sensitivity. Implies --pro-intrafile. Requires Semgrep Pro Engine. See https://semgrep.dev/products/pro-engine/ for more.
--use-osemgrep-sarif
  Output results using osemgrep.
--no-rewrite-rule-ids
  Negates --rewrite-rule-ids.
--no-test-ignore-todo
  Negates --test-ignore-todo.
--enable-version-check
  Checks Semgrep servers to see if the latest version is being run; disabling this may reduce exit time after returning results.
--max-log-list-entries
  Maximum number of entries that will be shown in the log (e.g., list of rule ids, list of skipped files). A zero or negative value disables this filter. Defaults to 100.
--disable-version-check
  Negates --enable-version-check.
--matching-explanations
  Add debugging information to the JSON output to trace how different parts of a rule are matched (a.k.a. Inspect Rule in the Semgrep playground).
--max-lines-per-finding
  Maximum number of lines of code that will be shown for each match before trimming (set to 0 for unlimited).
--no-secrets-validation
  Disables secret validation.
--exclude-minified-files
  Skip minified files. These are files that are > 7% whitespace, or that have a large number of bytes per line. By default minified files are scanned.
--scan-unknown-extensions
  If true, target files specified directly on the command line will bypass normal language detection. They will be analyzed according to the value of --lang if applicable, or otherwise with the analyzers/languages specified in the Semgrep rule(s), regardless of file extension or file type. This setting doesn't apply to target files discovered by scanning folders. Defaults to false.
--skip-unknown-extensions
  Negates --scan-unknown-extensions.
--show-supported-languages
  Print a list of languages that are currently supported by Semgrep.
--no-exclude-minified-files
  Negates --exclude-minified-files.
--allow-untrusted-validators
  Allows running rules with validators from origins other than semgrep.dev. Avoid running rules from origins you don't trust.
--enable-experimental-requirements
  Experimental: support a wider set of requirements lockfiles.
--allow-dynamic-dependency-resolution
  Experimental: allow resolving dependencies dynamically by communicating with package managers during the scan.
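The parameters above document --json, --error, --severity, --exclude and --max-lines-per-finding individually, but not how a pipeline consumes the JSON once the scan has run. The following is an added example of a CI gate over `semgrep --json` output; it is not part of the semgrep-scan tool or of Semgrep itself. It assumes the field names of Semgrep's JSON format (a top-level "results" list whose entries carry "check_id", "path", "start"/"end" with "line", and "extra" with "message", "severity" and "lines"); the sample document embedded in the block is constructed for the demo, not real scan output.

```python
"""CI gate over semgrep --json output (added example, not Semgrep's own code).

Assumed JSON shape: {"results": [{"check_id", "path", "start": {"line"},
"end": {"line"}, "extra": {"message", "severity", "lines"}}], "errors": []}
where severity is one of INFO, WARNING, ERROR.
"""
import json
import sys

SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2}

# Constructed sample in the assumed shape of `semgrep --json`; not real scan output.
SAMPLE_OUTPUT = json.dumps({
    "results": [
        {"check_id": "python.lang.security.audit.subprocess-shell-true",
         "path": "src/run.py",
         "start": {"line": 12, "col": 5}, "end": {"line": 12, "col": 40},
         "extra": {"message": "subprocess call with shell=True", "severity": "ERROR",
                   "lines": "    subprocess.run(cmd, shell=True)"}},
        {"check_id": "python.lang.best-practice.open-never-closed",
         "path": "src/io.py",
         "start": {"line": 3, "col": 1}, "end": {"line": 3, "col": 20},
         "extra": {"message": "file handle never closed", "severity": "WARNING",
                   "lines": "f = open(path)"}},
        {"check_id": "python.lang.correctness.useless-comparison",
         "path": "tests/test_x.py",
         "start": {"line": 8, "col": 1}, "end": {"line": 8, "col": 9},
         "extra": {"message": "comparison has no effect", "severity": "INFO",
                   "lines": "x == x"}},
    ],
    "errors": [],
})


def parse_findings(raw):
    """Return the findings list from a semgrep --json document (empty if absent)."""
    return json.loads(raw).get("results", [])


def filter_by_severity(findings, min_severity):
    """Keep findings at or above min_severity; mirrors what --severity does at scan time."""
    floor = SEVERITY_RANK[min_severity]
    return [f for f in findings if SEVERITY_RANK[f["extra"]["severity"]] >= floor]


def exclude_paths(findings, prefixes):
    """Drop findings under the given directory prefixes (post-scan analogue of --exclude)."""
    return [f for f in findings if not any(f["path"].startswith(p) for p in prefixes)]


def summarize(findings):
    """Count surviving findings per severity level."""
    counts = {name: 0 for name in SEVERITY_RANK}
    for f in findings:
        counts[f["extra"]["severity"]] += 1
    return counts


def exit_code(findings):
    """Same contract as --error: exit 1 when any finding survives the filters."""
    return 1 if findings else 0


def format_finding(f, max_lines=2):
    """Text rendering of one finding; trims matched source like --max-lines-per-finding
    (max_lines=0 means unlimited)."""
    lines = f["extra"].get("lines", "").splitlines()
    shown = "\n".join(lines[:max_lines] if max_lines > 0 else lines)
    head = f'{f["path"]}:{f["start"]["line"]} [{f["extra"]["severity"]}] {f["check_id"]}'
    return f'{head}: {f["extra"]["message"]}\n{shown}'


def gate(raw, min_severity="WARNING", exclude=("tests/",)):
    """Parse, filter and summarize; returns (exit_code, counts, surviving findings)."""
    findings = exclude_paths(filter_by_severity(parse_findings(raw), min_severity), exclude)
    return exit_code(findings), summarize(findings), findings


if __name__ == "__main__":
    # Usage: python gate.py out.json   (falls back to the constructed sample)
    raw_doc = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    code, counts, found = gate(raw_doc)
    for finding in found:
        print(format_finding(finding))
    print("summary:", counts)
    sys.exit(code)
```

Run the scan with `semgrep --config p/python --json . > out.json` (the `--config p/python` form is the one the parameter list above gives) and then `python gate.py out.json`; the script exits 1 on surviving WARNING or ERROR findings outside `tests/`, so the pipeline fails the same way `--error` would, but with the severity floor and path exclusions decided by the pipeline rather than baked into the scan.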