semgrep-scan
Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
Details
Category: Static Code Analysis
Publisher: trickest-mhmdiaa
Created Date: 11/4/2024
Container: quay.io/trickest/semgrep-scan:v1.93.0-patch-3
Source URL: https://github.com/semgrep/semgrep
Parameters
Command:
--pro
- Inter-file analysis and Pro languages (currently Apex, C#, and Elixir). Requires Semgrep Pro Engine. See https://semgrep.dev/products/pro-engine/ for more.
Command:
--vim
- Output results in vim single-line format.
Command:
--jobs
- Number of subprocesses to use to run checks in parallel. Defaults to the number of cores detected on the system (1 if using --pro).
Command:
--json
- Output results in Semgrep's JSON format.
Command:
--lang
- Parse the pattern and all files as the specified language. Must be used with -e/--pattern.
Command:
--test
- Run the test suite.
Command:
--text
- Output results in text format.
Command:
--time
- Include a timing summary with the results. If the output format is JSON, provides times for each (rule, target) pair. This feature is meant for internal use and may be changed or removed without warning. At the moment, --trace is better supported.
Command:
--debug
- All of --verbose, plus additional debugging information.
Command:
--emacs
- Output results in Emacs single-line format.
Command:
--error
- Exit 1 if there are findings. Useful for CI and scripts.
Command:
--quiet
- Only output findings.
Command:
--sarif
- Output results in SARIF format.
Command:
--trace
- Record traces from Semgrep scans to help debugging. This feature is meant for internal use and may be changed or removed without warning.
Command:
--config
- YAML configuration file, directory of YAML files ending in .yml|.yaml, URL of a configuration file, or Semgrep registry entry name. Use --config auto to automatically obtain rules tailored to this project; your project URL will be used to log in to the Semgrep registry. To run multiple rule files simultaneously, use --config before every YAML file, URL, or Semgrep registry entry name, for example `semgrep --config p/python --config myrules/myrule.yaml`. See https://semgrep.dev/docs/writing-rules/rule-syntax for information on the configuration file format.
Command:
--dryrun
- Do not write autofixes to files; print the changes to the console instead, so you can review them before committing to them. Only works with the --autofix flag; otherwise does nothing.
Command:
--legacy
- Prefer old (legacy) behavior.
Command:
--remote
- Quickly check out and scan a remote git repository of the form http[s]://<WEBSITE>/.../<REPO>.git. Must be run with --pro. Incompatible with --project-root. Note that this requires an empty CWD, as the repository is cloned into the CWD. REQUIRES --experimental
Command:
--strict
- Return a nonzero exit code when WARN-level errors are encountered. Fails early if invalid configuration files are present. Defaults to --no-strict.
Command:
--autofix
- Apply autofix patches. WARNING: data loss can occur with this flag. Make sure your files are stored in a version control system. Note that this mode is experimental and not guaranteed to function properly.
Command:
--develop
- Living on the edge.
Command:
--exclude
- Skip any file or directory whose path matches PATTERN. '--exclude=*.py' will ignore 'foo.py', 'src/foo.py', and 'foo.py/bar.sh'. '--exclude=tests' will ignore 'tests/foo.py' as well as 'a/b/tests/c/foo.py'. Multiple '--exclude' options may be specified. PATTERN is a glob-style pattern that uses the same syntax as gitignore and semgrepignore, documented at https://git-scm.com/docs/gitignore#_pattern_format
Command:
--include
- Specify files or directories that should be scanned by semgrep, excluding all other files. This filter is applied after these other filters: '--exclude' options, any filtering done by git (or other SCM), and filtering by '.semgrepignore' files. Multiple '--include' options can be specified; a file path is selected if it matches at least one of the include patterns. PATTERN is a glob-style pattern such as 'foo.*' that must match the path. For example, specifying the language with '-l javascript' might preselect the files 'src/foo.jsx' and 'lib/bar.js'; specifying any of '--include=src', '--include=*.jsx', or '--include=src/foo.*' will restrict the selection to the single file 'src/foo.jsx', while '--include=foo.* --include=bar.*' will select both 'src/foo.jsx' and 'lib/bar.js'. Glob-style patterns follow the syntax supported by gitignore and semgrepignore, documented at https://git-scm.com/docs/gitignore#_pattern_format
Command:
--metrics
- Configures how usage metrics are sent to the Semgrep server. If 'auto', metrics are sent whenever the --config value pulls from the Semgrep server. If 'on', metrics are always sent. If 'off', metrics are disabled altogether and not sent. If absent, the value of the SEMGREP_SEND_METRICS environment variable is used; if that is unset too, defaults to 'auto'.
Command:
--no-time
- Negates --time.
Command:
--pattern
- Code search pattern. See https://semgrep.dev/docs/writing-rules/pattern-syntax for information on pattern features.
Command:
--profile
- <undocumented>
Command:
--secrets
- Run the Semgrep Secrets product, including support for secret validation. Requires access to Secrets; contact support@semgrep.com for more information.
Command:
--timeout
- Maximum time in seconds to spend running a rule on a single file. If set to 0, there is no time limit. Defaults to 5.0 s.
Command:
--verbose
- Show more details about which rules are running, which files failed to parse, etc.
Command:
--dump-ast
- Show the AST of the input file or passed expression and then exit (can be combined with --json).
Command:
--no-error
- Negates --error.
Command:
--no-trace
- Negates --trace.
Command:
--oss-only
- Run using only the OSS engine, even if the Semgrep Pro toggle is on. This may still run Pro rules, but only using OSS features.
Command:
--severity
- Report findings only from rules matching the supplied severity level. By default all applicable rules are run. Can be given multiple times. Each value should be one of INFO, WARNING, or ERROR.
Command:
--validate
- Validate configuration file(s). This checks the YAML files for errors and runs 'p/semgrep-rule-lints' on them. No search is performed.
Command:
--junit-xml
- Output results in JUnit XML format.
Command:
--no-dryrun
- Negates --dryrun.
Command:
--no-strict
- Negates --strict.
Command:
--diff-depth
- The depth of the Pro (interfile) differential scan: the number of steps (on both the caller and callee sides) from the targets in the call graph tracked by the deep preprocessor. Only applied in differential scan mode. Defaults to 2.
Command:
--max-memory
- Maximum system memory in MiB to use during the interfile pre-processing phase, or when running a rule on a single file. If set to 0, there is no memory limit. Defaults to 0. For CI scans that use the Pro Engine, defaults to 5000 MiB.
Command:
--no-autofix
- Negates -a/--autofix.
Command:
--force-color
- Always include ANSI color in the output, even if not writing to a TTY; defaults to following the TTY status.
Command:
--gitlab-sast
- Output results in GitLab SAST format.
Command:
--replacement
- An autofix expression that will be applied to any matches found with --pattern. Only valid with a command-line-specified pattern.
Command:
--enable-nosem
- Enables 'nosem'. Findings will not be reported on lines that end with a 'nosem' comment. Enabled by default.
Command:
--exclude-rule
- Skip any rule with the given id. Can be given multiple times.
Command:
--experimental
- Enable experimental features.
Command:
--project-root
- The project root for gitignore and semgrepignore purposes is detected automatically from the presence of a .git/ directory in the current directory or one of its parents; if none is found, the current directory is used as the project root. This option forces a specific directory to be the project root. This is useful for testing or for restoring compatibility with older semgrep implementations that only looked for a .semgrepignore file in the current directory. REQUIRES --experimental
Command:
--disable-nosem
- Negates --enable-nosem.
Command:
--no-git-ignore
- Negates --use-git-ignore.
Command:
--optimizations
- Turn optimizations on or off. Default = 'all'. Use 'none' to turn all optimizations off.
Command:
--pro-intrafile
- Intra-file inter-procedural taint analysis. Implies --pro-languages. Requires Semgrep Pro Engine. See https://semgrep.dev/products/pro-engine/ for more.
Command:
--pro-languages
- Enable Pro languages (currently Apex, C#, and Elixir). Requires Semgrep Pro Engine. See https://semgrep.dev/products/pro-engine/ for more.
Command:
- Source code folder (positional target; no flag)
Command:
--gitlab-secrets
- Output results in GitLab Secrets format.
Command:
--no-force-color
- Negates --force-color.
Command:
--trace-endpoint
- Endpoint to send OpenTelemetry traces to, if `--trace` is present. The value may be `semgrep-prod` (default), `semgrep-dev`, `semgrep-local`, or any valid URL. This feature is meant for internal use and may be changed or removed without warning.
Command:
--use-git-ignore
- Skip files ignored by git. Scanning starts from the root folder specified on the Semgrep command line. Normally, if the scanning root is within a git repository, only tracked files and new files are scanned; git submodules and git-ignored files are skipped. --no-git-ignore disables git-aware filtering. Setting this flag does nothing if the scanning root is not in a git repository.
Command:
--baseline-commit
- Only show results that are not found in this commit hash. Aborts the run if not currently in a git directory, if there are unstaged changes, or if the given baseline hash doesn't exist.
Command:
--dataflow-traces
- Explain how non-local values reach the location of a finding (only affects text and SARIF output).
Command:
--max-target-bytes
- Maximum size for a file to be scanned by Semgrep, e.g. '1.5MB'. Any input program larger than this will be ignored. A zero or negative value disables this filter. Defaults to 1000000 bytes.
Command:
--rewrite-rule-ids
- Rewrite rule ids when they appear in nested sub-directories (rule 'foo' in test/rules.yaml will be renamed 'test.foo').
Command:
--test-ignore-todo
- Ignore rules marked as '#todoruleid:' in test files.
Command:
--interfile-timeout
- Maximum time to spend on interfile analysis. If set to 0, there is no time limit. Defaults to 0 s for all CLI scans. For CI scans, defaults to 3 hours.
Command:
--timeout-threshold
- Maximum number of rules that can time out on a file before the file is skipped. If set to 0, there is no limit. Defaults to 3.
Command:
--files-with-matches
- Output only the names of files containing matches. REQUIRES --experimental
Command:
--historical-secrets
- Scan git history using Secrets rules.
Command:
--incremental-output
- Output results incrementally. REQUIRES --experimental
Command:
--max-chars-per-line
- Maximum number of characters to show per line.
Command:
--pro-path-sensitive
- Path sensitivity. Implies --pro-intrafile. Requires Semgrep Pro Engine. See https://semgrep.dev/products/pro-engine/ for more.
Command:
--use-osemgrep-sarif
- Output results using osemgrep.
Command:
--no-rewrite-rule-ids
- Negates --rewrite-rule-ids.
Command:
--no-test-ignore-todo
- Negates --test-ignore-todo.
Command:
--enable-version-check
- Checks Semgrep servers to see whether the latest version is being run; disabling this may reduce exit time after results are returned.
Command:
--max-log-list-entries
- Maximum number of entries that will be shown in the log (e.g., list of rule ids, list of skipped files). A zero or negative value disables this filter. Defaults to 100.
Command:
--disable-version-check
- Negates --enable-version-check.
Command:
--matching-explanations
- Add debugging information to the JSON output to trace how the different parts of a rule are matched (a.k.a. Inspect Rule in the Semgrep playground).
Command:
--max-lines-per-finding
- Maximum number of lines of code that will be shown for each match before trimming (set to 0 for unlimited).
Command:
--no-secrets-validation
- Disables secret validation.
Command:
--exclude-minified-files
- Skip minified files. These are files that are > 7% whitespace, or that have a large number of bytes per line. By default minified files are scanned.
Command:
--scan-unknown-extensions
- If true, target files specified directly on the command line bypass normal language detection. They are analyzed according to the value of --lang if applicable, or otherwise with the analyzers/languages specified in the Semgrep rule(s), regardless of file extension or file type. This setting doesn't apply to target files discovered by scanning folders. Defaults to false.
Command:
--skip-unknown-extensions
- Negates --scan-unknown-extensions.
Command:
--show-supported-languages
- Print a list of languages currently supported by Semgrep.
Command:
--no-exclude-minified-files
- Negates --exclude-minified-files.
Command:
--allow-untrusted-validators
- Allows running rules with validators from origins other than semgrep.dev. Avoid running rules from origins you don't trust.
Command:
--enable-experimental-requirements
- Experimental: support a wider set of requirements lockfiles.
Command:
--allow-dynamic-dependency-resolution
- Experimental: allow resolving dependencies dynamically by communicating with package managers during the scan.