Name:semgrep-scan
Category:Static Code Analysis
Publisher:trickest-mhmdiaa
Created:11/4/2024
Container:quay.io/trickest/semgrep-scan:v1.93.0-patch-3
Output Type:
License:Unknown

Parameters

pro
boolean
--pro: Inter-file analysis and Pro languages (currently Apex, C#, and Elixir). Requires Semgrep Pro Engine. See https://semgrep.dev/products/pro-engine/ for more.
vim
boolean
--vim: Output results in vim single-line format.
jobs
string
--jobs: Number of subprocesses to use to run checks in parallel. Defaults to the number of cores detected on the system (1 if using --pro).
json
boolean
--json: Output results in Semgrep's JSON format.
lang
string
--lang: Parse pattern and all files in the specified language. Must be used with -e/--pattern.
test
boolean
--test: Run test suite.
text
boolean
--text: Output results in text format.
time
boolean
--time: Include a timing summary with the results. If the output format is json, provides times for each pair (rule, target). This feature is meant for internal use and may be changed or removed without warning. At the current moment, --trace is better supported.
debug
boolean
--debug: All of --verbose, but with additional debugging information.
emacs
boolean
--emacs: Output results in Emacs single-line format.
error
boolean
--error: Exit 1 if there are findings. Useful for CI and scripts.
quiet
boolean
--quiet: Only output findings.
sarif
boolean
--sarif: Output results in SARIF format.
trace
boolean
--trace: Record traces from Semgrep scans to help debugging. This feature is meant for internal use and may be changed or removed without warning.
config
string
--config: YAML configuration file, directory of YAML files ending in .yml|.yaml, URL of a configuration file, or Semgrep registry entry name. Use --config auto to automatically obtain rules tailored to this project; your project URL will be used to log in to the Semgrep registry. To run multiple rule files simultaneously, use --config before every YAML, URL, or Semgrep registry entry name. For example `semgrep --config p/python --config myrules/myrule.yaml`. See https://semgrep.dev/docs/writing-rules/rule-syntax for information on the configuration file format.
dryrun
boolean
--dryrun: If --dryrun, does not write autofixes to a file. This will print the changes to the console. This lets you see the changes before you commit to them. Only works with the --autofix flag. Otherwise does nothing.
legacy
boolean
--legacy: Prefer old (legacy) behavior.
remote
string
--remote: Remote will quickly checkout and scan a remote git repository of the format http[s]://<WEBSITE>/.../<REPO>.git. Must be run with --pro. Incompatible with --project-root. Note this requires an empty CWD as this command will clone the repository into the CWD. REQUIRES --experimental
strict
boolean
--strict: Return a nonzero exit code when WARN level errors are encountered. Fails early if invalid configuration files are present. Defaults to --no-strict.
autofix
boolean
--autofix: Apply autofix patches. WARNING: data loss can occur with this flag. Make sure your files are stored in a version control system. Note that this mode is experimental and not guaranteed to function properly.
develop
boolean
--develop: Living on the edge.
exclude
string
--exclude: Skip any file or directory whose path matches PATTERN. '--exclude=*.py' will ignore the following: 'foo.py', 'src/foo.py', 'foo.py/bar.sh'. '--exclude=tests' will ignore 'tests/foo.py' as well as 'a/b/tests/c/foo.py'. Multiple '--exclude' options may be specified. PATTERN is a glob-style pattern that uses the same syntax as gitignore and semgrepignore, which is documented at https://git-scm.com/docs/gitignore#_pattern_format
include
string
--include: Specify files or directories that should be scanned by semgrep, excluding other files. This filter is applied after these other filters: '--exclude' options, any filtering done by git (or other SCM), and filtering by '.semgrepignore' files. Multiple '--include' options can be specified. A file path is selected if it matches at least one of the include patterns. PATTERN is a glob-style pattern such as 'foo.*' that must match the path. For example, specifying the language with '-l javascript' might preselect files 'src/foo.jsx' and 'lib/bar.js'. Specifying one of '--include=src', '--include=*.jsx', or '--include=src/foo.*' will restrict the selection to the single file 'src/foo.jsx'. A choice of multiple '--include' patterns can be specified. For example, '--include=foo.* --include=bar.*' will select both 'src/foo.jsx' and 'lib/bar.js'. Glob-style patterns follow the syntax supported by gitignore and semgrepignore, which is documented at https://git-scm.com/docs/gitignore#_pattern_format
metrics
string
--metrics: Configures how usage metrics are sent to the Semgrep server. If 'auto', metrics are sent whenever the --config value pulls from the Semgrep server. If 'on', metrics are always sent. If 'off', metrics are disabled altogether and not sent. If absent, the SEMGREP_SEND_METRICS environment variable value will be used. If there is no environment variable, defaults to 'auto'.
no-time
boolean
--no-time: negates --time
pattern
string
--pattern: Code search pattern. See https://semgrep.dev/docs/writing-rules/pattern-syntax for information on pattern features.
profile
boolean
--profile: <undocumented>
secrets
boolean
--secrets: Run Semgrep Secrets product, including support for secret validation. Requires access to Secrets; contact support@semgrep.com for more information.
timeout
string
--timeout: Maximum time to spend running a rule on a single file, in seconds. If set to 0, there is no time limit. Defaults to 5.0 s.
verbose
boolean
--verbose: Show more details about what rules are running, which files failed to parse, etc.
dump-ast
boolean
--dump-ast: If --dump-ast, shows the AST of the input file or passed expression and then exits (can be used with --json).
no-error
boolean
--no-error: negates --error
no-trace
boolean
--no-trace: negates --trace
oss-only
boolean
--oss-only: Run using only the OSS engine, even if the Semgrep Pro toggle is on. This may still run Pro rules, but only using the OSS features.
severity
string
--severity: Report findings only from rules matching the supplied severity level. By default all applicable rules are run. Can be added multiple times. Each should be one of INFO, WARNING, or ERROR.
validate
boolean
--validate: Validate configuration file(s). This will check YAML files for errors and run 'p/semgrep-rule-lints' on the YAML files. No search is performed.
junit-xml
boolean
--junit-xml: Output results in JUnit XML format.
no-dryrun
boolean
--no-dryrun: negates --dryrun
no-strict
boolean
--no-strict: negates --strict
diff-depth
string
--diff-depth: The depth of the Pro (interfile) differential scan: the number of steps (on both the caller and callee sides) from the targets in the call graph tracked by the deep preprocessor. Only applied in differential scan mode. Defaults to 2.
max-memory
string
--max-memory: Maximum system memory in MiB to use during the interfile pre-processing phase, or when running a rule on a single file. If set to 0, there is no memory limit. Defaults to 0. For CI scans that use the Pro Engine, defaults to 5000 MiB.
no-autofix
boolean
--no-autofix: negates -a/--autofix
config-file
file
--config: YAML configuration file, directory of YAML files ending in .yml|.yaml, URL of a configuration file, or Semgrep registry entry name. Use --config auto to automatically obtain rules tailored to this project; your project URL will be used to log in to the Semgrep registry. To run multiple rule files simultaneously, use --config before every YAML, URL, or Semgrep registry entry name. For example `semgrep --config p/python --config myrules/myrule.yaml`. See https://semgrep.dev/docs/writing-rules/rule-syntax for information on the configuration file format.
force-color
boolean
--force-color: Always include ANSI color in the output, even if not writing to a TTY; defaults to using the TTY status.
gitlab-sast
boolean
--gitlab-sast: Output results in GitLab SAST format.
replacement
string
--replacement: An autofix expression that will be applied to any matches found with --pattern. Only valid with a command-line specified pattern.
enable-nosem
boolean
--enable-nosem: Enables 'nosem'. Findings will not be reported on lines containing a 'nosem' comment at the end. Enabled by default.
exclude-rule
string
--exclude-rule: Skip any rule with the given id. Can be added multiple times.
experimental
boolean
--experimental: Enable experimental features.
project-root
string
--project-root: The project root for gitignore and semgrepignore purposes is detected automatically from the presence of a .git/ directory in the current directory or one of its parents. If not found, the current directory is used as the project root. This option forces a specific directory to be the project root. This is useful for testing or for restoring compatibility with older semgrep implementations that only looked for a .semgrepignore file in the current directory. REQUIRES --experimental
config-folder
folder
--config: YAML configuration file, directory of YAML files ending in .yml|.yaml, URL of a configuration file, or Semgrep registry entry name. Use --config auto to automatically obtain rules tailored to this project; your project URL will be used to log in to the Semgrep registry. To run multiple rule files simultaneously, use --config before every YAML, URL, or Semgrep registry entry name. For example `semgrep --config p/python --config myrules/myrule.yaml`. See https://semgrep.dev/docs/writing-rules/rule-syntax for information on the configuration file format.
disable-nosem
boolean
--disable-nosem: negates --enable-nosem
no-git-ignore
boolean
--no-git-ignore: negates --use-git-ignore
optimizations
string
--optimizations: Turn optimizations on or off. Default = 'all'. Use 'none' to turn all optimizations off.
pro-intrafile
boolean
--pro-intrafile: Intra-file inter-procedural taint analysis. Implies --pro-languages. Requires Semgrep Pro Engine. See https://semgrep.dev/products/pro-engine/ for more.
pro-languages
boolean
--pro-languages: Enable Pro languages (currently Apex, C#, and Elixir). Requires Semgrep Pro Engine. See https://semgrep.dev/products/pro-engine/ for more.
target-folder
folder
required
Source code folder
gitlab-secrets
boolean
--gitlab-secrets: Output results in GitLab Secrets format.
no-force-color
boolean
--no-force-color: negates --force-color
trace-endpoint
string
--trace-endpoint: Endpoint to send OpenTelemetry traces to, if `--trace` is present. The value may be `semgrep-prod` (default), `semgrep-dev`, `semgrep-local`, or any valid URL. This feature is meant for internal use and may be changed or removed without warning.
use-git-ignore
boolean
--use-git-ignore: Skip files ignored by git. Scanning starts from the root folder specified on the Semgrep command line. Normally, if the scanning root is within a git repository, only the tracked files and the new files would be scanned. Git submodules and git-ignored files would normally be skipped. --no-git-ignore will disable git-aware filtering. Setting this flag does nothing if the scanning root is not in a git repository.
baseline-commit
string
--baseline-commit: Only show results that are not found in this commit hash. Aborts the run if not currently in a git directory, if there are unstaged changes, or if the given baseline hash doesn't exist.
dataflow-traces
boolean
--dataflow-traces: Explain how non-local values reach the location of a finding (only affects text and SARIF output).
max-target-bytes
string
--max-target-bytes: Maximum size for a file to be scanned by Semgrep, e.g. '1.5MB'. Any input program larger than this will be ignored. A zero or negative value disables this filter. Defaults to 1000000 bytes.
rewrite-rule-ids
boolean
--rewrite-rule-ids: Rewrite rule ids when they appear in nested sub-directories (rule 'foo' in test/rules.yaml will be renamed 'test.foo').
test-ignore-todo
boolean
--test-ignore-todo: If --test-ignore-todo, ignores rules marked as '#todoruleid:' in test files.
interfile-timeout
string
--interfile-timeout: Maximum time to spend on interfile analysis. If set to 0, there is no time limit. Defaults to 0 s for all CLI scans. For CI scans, it defaults to 3 hours.
timeout-threshold
string
--timeout-threshold: Maximum number of rules that can time out on a file before the file is skipped. If set to 0, there is no limit. Defaults to 3.
files-with-matches
boolean
--files-with-matches: Output only the names of files containing matches. REQUIRES --experimental
historical-secrets
boolean
--historical-secrets: Scans git history using Secrets rules.
incremental-output
boolean
--incremental-output: Output results incrementally. REQUIRES --experimental
max-chars-per-line
string
--max-chars-per-line: Maximum number of characters to show per line.
pro-path-sensitive
boolean
--pro-path-sensitive: Path sensitivity. Implies --pro-intrafile. Requires Semgrep Pro Engine. See https://semgrep.dev/products/pro-engine/ for more.
use-osemgrep-sarif
boolean
--use-osemgrep-sarif: Output results using osemgrep.
no-rewrite-rule-ids
boolean
--no-rewrite-rule-ids: negates --rewrite-rule-ids
no-test-ignore-todo
boolean
--no-test-ignore-todo: negates --test-ignore-todo
enable-version-check
boolean
--enable-version-check: Checks Semgrep servers to see if the latest version is being run; disabling this may reduce exit time after returning results.
max-log-list-entries
string
--max-log-list-entries: Maximum number of entries that will be shown in the log (e.g., list of rule ids, list of skipped files). A zero or negative value disables this filter. Defaults to 100.
disable-version-check
boolean
--disable-version-check: negates --enable-version-check
matching-explanations
boolean
--matching-explanations: Add debugging information to the JSON output to trace how different parts of a rule are matched (a.k.a. Inspect Rule in the Semgrep playground).
max-lines-per-finding
string
--max-lines-per-finding: Maximum number of lines of code that will be shown for each match before trimming (set to 0 for unlimited).
no-secrets-validation
boolean
--no-secrets-validation: Disables secret validation.
exclude-minified-files
boolean
--exclude-minified-files: Skip minified files. These are files that are > 7% whitespace, or that have a large number of bytes per line. By default minified files are scanned.
scan-unknown-extensions
boolean
--scan-unknown-extensions: If true, target files specified directly on the command line will bypass normal language detection. They will be analyzed according to the value of --lang if applicable, or otherwise with the analyzers/languages specified in the Semgrep rule(s), regardless of file extension or file type. This setting doesn't apply to target files discovered by scanning folders. Defaults to false.
skip-unknown-extensions
boolean
--skip-unknown-extensions: negates --scan-unknown-extensions
show-supported-languages
boolean
--show-supported-languages: Print a list of languages that are currently supported by Semgrep.
no-exclude-minified-files
boolean
--no-exclude-minified-files: negates --exclude-minified-files
allow-untrusted-validators
boolean
--allow-untrusted-validators: Allows running rules with validators from origins other than semgrep.dev. Avoid running rules from origins you don't trust.
enable-experimental-requirements
boolean
--enable-experimental-requirements: Experimental: support a wider set of requirements lockfiles.
allow-dynamic-dependency-resolution
boolean
--allow-dynamic-dependency-resolution: Experimental: allow resolving dependencies dynamically by communicating with package managers during the scan.