semgrep-scan
Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
Details
Category: Static Code Analysis
Publisher: trickest-mhmdiaa
Created Date: 11/4/2024
Container: quay.io/trickest/semgrep-scan:v1.93.0-patch-3
Source URL: https://github.com/semgrep/semgrep
Parameters
pro
boolean
Command:
--pro
- Inter-file analysis and Pro languages (currently Apex, C#, and Elixir). Requires Semgrep Pro Engine. See https://semgrep.dev/products/pro-engine/ for more.

vim
boolean
Command:
--vim
- Output results in vim single-line format.

jobs
string
Command:
--jobs
- Number of subprocesses to use to run checks in parallel. Defaults to the number of cores detected on the system (1 if using --pro).

json
boolean
Command:
--json
- Output results in Semgrep's JSON format.

lang
string
Command:
--lang
- Parse pattern and all files in specified language. Must be used with -e/--pattern.

test
boolean
Command:
--test
- Run test suite.

text
boolean
Command:
--text
- Output results in text format.

time
boolean
Command:
--time
- Include a timing summary with the results. If output format is json, provides times for each pair (rule, target). This feature is meant for internal use and may be changed or removed without warning. At the current moment, --trace is better supported.

debug
boolean
Command:
--debug
- All of --verbose, but with additional debugging information.

emacs
boolean
Command:
--emacs
- Output results in Emacs single-line format.

error
boolean
Command:
--error
- Exit 1 if there are findings. Useful for CI and scripts.

quiet
boolean
Command:
--quiet
- Only output findings.

sarif
boolean
Command:
--sarif
- Output results in SARIF format.

trace
boolean
Command:
--trace
- Record traces from Semgrep scans to help debugging. This feature is meant for internal use and may be changed or removed without warning.

config
string
Command:
--config
- YAML configuration file, directory of YAML files ending in .yml|.yaml, URL of a configuration file, or Semgrep registry entry name. Use --config auto to automatically obtain rules tailored to this project; your project URL will be used to log in to the Semgrep registry. To run multiple rule files simultaneously, use --config before every YAML, URL, or Semgrep registry entry name. For example `semgrep --config p/python --config myrules/myrule.yaml`. See https://semgrep.dev/docs/writing-rules/rule-syntax for information on configuration file format.

dryrun
boolean
Command:
--dryrun
- If --dryrun, does not write autofixes to a file. This will print the changes to the console. This lets you see the changes before you commit to them. Only works with the --autofix flag. Otherwise does nothing.

legacy
boolean
Command:
--legacy
- Prefer old (legacy) behavior.

remote
string
Command:
--remote
- Remote will quickly checkout and scan a remote git repository of the format http[s]://<WEBSITE>/.../<REPO>.git. Must be run with --pro. Incompatible with --project-root. Note this requires an empty CWD as this command will clone the repository into the CWD. REQUIRES --experimental

strict
boolean
Command:
--strict
- Return a nonzero exit code when WARN level errors are encountered. Fails early if invalid configuration files are present. Defaults to --no-strict.

autofix
boolean
Command:
--autofix
- Apply autofix patches. WARNING: data loss can occur with this flag. Make sure your files are stored in a version control system. Note that this mode is experimental and not guaranteed to function properly.

develop
boolean
Command:
--develop
- Living on the edge.

exclude
string
Command:
--exclude
- Skip any file or directory whose path matches PATTERN. '--exclude=*.py' will ignore the following: 'foo.py', 'src/foo.py', 'foo.py/bar.sh'. '--exclude=tests' will ignore 'tests/foo.py' as well as 'a/b/tests/c/foo.py'. Multiple '--exclude' options may be specified. PATTERN is a glob-style pattern that uses the same syntax as gitignore and semgrepignore, which is documented at https://git-scm.com/docs/gitignore#_pattern_format

include
string
Command:
--include
- Specify files or directories that should be scanned by semgrep, excluding other files. This filter is applied after these other filters: '--exclude' options, any filtering done by git (or other SCM), and filtering by '.semgrepignore' files. Multiple '--include' options can be specified. A file path is selected if it matches at least one of the include patterns. PATTERN is a glob-style pattern such as 'foo.*' that must match the path. For example, specifying the language with '-l javascript' might preselect files 'src/foo.jsx' and 'lib/bar.js'. Specifying one of '--include=src', '--include=*.jsx', or '--include=src/foo.*' will restrict the selection to the single file 'src/foo.jsx'. A choice of multiple '--include' patterns can be specified. For example, '--include=foo.* --include=bar.*' will select both 'src/foo.jsx' and 'lib/bar.js'. Glob-style patterns follow the syntax supported by gitignore and semgrepignore, which is documented at https://git-scm.com/docs/gitignore#_pattern_format

metrics
string
Command:
--metrics
- Configures how usage metrics are sent to the Semgrep server. If 'auto', metrics are sent whenever the --config value pulls from the Semgrep server. If 'on', metrics are always sent. If 'off', metrics are disabled altogether and not sent. If absent, the SEMGREP_SEND_METRICS environment variable value will be used. If no environment variable, defaults to 'auto'.

no-time
boolean
Command:
--no-time
- negates --time

pattern
string
Command:
--pattern
- Code search pattern. See https://semgrep.dev/docs/writing-rules/pattern-syntax for information on pattern features.

profile
boolean
Command:
--profile
- <undocumented>

secrets
boolean
Command:
--secrets
- Run Semgrep Secrets product, including support for secret validation. Requires access to Secrets, contact support@semgrep.com for more information.

timeout
string
Command:
--timeout
- Maximum time to spend running a rule on a single file in seconds. If set to 0 will not have time limit. Defaults to 5.0 s.

verbose
boolean
Command:
--verbose
- Show more details about what rules are running, which files failed to parse, etc.

dump-ast
boolean
Command:
--dump-ast
- If --dump-ast, shows AST of the input file or passed expression and then exits (can use --json).

no-error
boolean
Command:
--no-error
- negates --error

no-trace
boolean
Command:
--no-trace
- negates --trace

oss-only
boolean
Command:
--oss-only
- Run using only the OSS engine, even if the Semgrep Pro toggle is on. This may still run Pro rules, but only using the OSS features.

severity
string
Command:
--severity
- Report findings only from rules matching the supplied severity level. By default all applicable rules are run. Can add multiple times. Each should be one of INFO, WARNING, or ERROR.

validate
boolean
Command:
--validate
- Validate configuration file(s). This will check YAML files for errors and run 'p/semgrep-rule-lints' on the YAML files. No search is performed.

junit-xml
boolean
Command:
--junit-xml
- Output results in JUnit XML format.

no-dryrun
boolean
Command:
--no-dryrun
- negates --dryrun

no-strict
boolean
Command:
--no-strict
- negates --strict

diff-depth
string
Command:
--diff-depth
- The depth of the Pro (interfile) differential scan, the number of steps (both in the caller and callee sides) from the targets in the call graph tracked by the deep preprocessor. Only applied in differential scan mode. Defaults to 2.

max-memory
string
Command:
--max-memory
- Maximum system memory in MiB to use during the interfile pre-processing phase, or when running a rule on a single file. If set to 0, will not have memory limit. Defaults to 0. For CI scans that use the Pro Engine, defaults to 5000 MiB.

no-autofix
boolean
Command:
--no-autofix
- negates -a/--autofix

config-file
file
Command:
--config
- YAML configuration file, directory of YAML files ending in .yml|.yaml, URL of a configuration file, or Semgrep registry entry name. Use --config auto to automatically obtain rules tailored to this project; your project URL will be used to log in to the Semgrep registry. To run multiple rule files simultaneously, use --config before every YAML, URL, or Semgrep registry entry name. For example `semgrep --config p/python --config myrules/myrule.yaml`. See https://semgrep.dev/docs/writing-rules/rule-syntax for information on configuration file format.

force-color
boolean
Command:
--force-color
- Always include ANSI color in the output, even if not writing to a TTY; defaults to using the TTY status.

gitlab-sast
boolean
Command:
--gitlab-sast
- Output results in GitLab SAST format.

replacement
string
Command:
--replacement
- An autofix expression that will be applied to any matches found with --pattern. Only valid with a command-line specified pattern.

enable-nosem
boolean
Command:
--enable-nosem
- Enables 'nosem'. Findings will not be reported on lines containing a 'nosem' comment at the end. Enabled by default.

exclude-rule
string
Command:
--exclude-rule
- Skip any rule with the given id. Can add multiple times.

experimental
boolean
Command:
--experimental
- Enable experimental features.

project-root
string
Command:
--project-root
- The project root for gitignore and semgrepignore purposes is detected automatically from the presence of a .git/ directory in the current directory or one of its parents. If not found, the current directory is used as the project root. This option forces a specific directory to be the project root. This is useful for testing or for restoring compatibility with older semgrep implementations that only looked for a .semgrepignore file in the current directory. REQUIRES --experimental

config-folder
folder
Command:
--config
- YAML configuration file, directory of YAML files ending in .yml|.yaml, URL of a configuration file, or Semgrep registry entry name. Use --config auto to automatically obtain rules tailored to this project; your project URL will be used to log in to the Semgrep registry. To run multiple rule files simultaneously, use --config before every YAML, URL, or Semgrep registry entry name. For example `semgrep --config p/python --config myrules/myrule.yaml`. See https://semgrep.dev/docs/writing-rules/rule-syntax for information on configuration file format.

disable-nosem
boolean
Command:
--disable-nosem
- negates --enable-nosem

no-git-ignore
boolean
Command:
--no-git-ignore
- negates --use-git-ignore

optimizations
string
Command:
--optimizations
- Turn on/off optimizations. Default = 'all'. Use 'none' to turn all optimizations off.

pro-intrafile
boolean
Command:
--pro-intrafile
- Intra-file inter-procedural taint analysis. Implies --pro-languages. Requires Semgrep Pro Engine. See https://semgrep.dev/products/pro-engine/ for more.

pro-languages
boolean
Command:
--pro-languages
- Enable Pro languages (currently Apex, C#, and Elixir). Requires Semgrep Pro Engine. See https://semgrep.dev/products/pro-engine/ for more.

target-folder
folder
required
Command:
- Source code folder

gitlab-secrets
boolean
Command:
--gitlab-secrets
- Output results in GitLab Secrets format.

no-force-color
boolean
Command:
--no-force-color
- negates --force-color

trace-endpoint
string
Command:
--trace-endpoint
- Endpoint to send OpenTelemetry traces to, if `--trace` is present. The value may be `semgrep-prod` (default), `semgrep-dev`, `semgrep-local`, or any valid URL. This feature is meant for internal use and may be changed or removed without warning.

use-git-ignore
boolean
Command:
--use-git-ignore
- Skip files ignored by git. Scanning starts from the root folder specified on the Semgrep command line. Normally, if the scanning root is within a git repository, only the tracked files and the new files would be scanned. Git submodules and git-ignored files would normally be skipped. --no-git-ignore will disable git-aware filtering. Setting this flag does nothing if the scanning root is not in a git repository.

baseline-commit
string
Command:
--baseline-commit
- Only show results that are not found in this commit hash. Aborts run if not currently in a git directory, there are unstaged changes, or given baseline hash doesn't exist.

dataflow-traces
boolean
Command:
--dataflow-traces
- Explain how non-local values reach the location of a finding (only affects text and SARIF output).

max-target-bytes
string
Command:
--max-target-bytes
- Maximum size for a file to be scanned by Semgrep, e.g. '1.5MB'. Any input program larger than this will be ignored. A zero or negative value disables this filter. Defaults to 1000000 bytes.

rewrite-rule-ids
boolean
Command:
--rewrite-rule-ids
- Rewrite rule ids when they appear in nested sub-directories (Rule 'foo' in test/rules.yaml will be renamed 'test.foo').

test-ignore-todo
boolean
Command:
--test-ignore-todo
- If --test-ignore-todo, ignores rules marked as '#todoruleid:' in test files.

interfile-timeout
string
Command:
--interfile-timeout
- Maximum time to spend on interfile analysis. If set to 0 will not have time limit. Defaults to 0 s for all CLI scans. For CI scans, it defaults to 3 hours.

timeout-threshold
string
Command:
--timeout-threshold
- Maximum number of rules that can time out on a file before the file is skipped. If set to 0 will not have limit. Defaults to 3.

files-with-matches
boolean
Command:
--files-with-matches
- Output only the names of files containing matches. REQUIRES --experimental

historical-secrets
boolean
Command:
--historical-secrets
- Scans git history using Secrets rules.

incremental-output
boolean
Command:
--incremental-output
- Output results incrementally. REQUIRES --experimental

max-chars-per-line
string
Command:
--max-chars-per-line
- Maximum number of characters to show per line.

pro-path-sensitive
boolean
Command:
--pro-path-sensitive
- Path sensitivity. Implies --pro-intrafile. Requires Semgrep Pro Engine. See https://semgrep.dev/products/pro-engine/ for more.

use-osemgrep-sarif
boolean
Command:
--use-osemgrep-sarif
- Output results using osemgrep.

no-rewrite-rule-ids
boolean
Command:
--no-rewrite-rule-ids
- negates --rewrite-rule-ids

no-test-ignore-todo
boolean
Command:
--no-test-ignore-todo
- negates --test-ignore-todo

enable-version-check
boolean
Command:
--enable-version-check
- Checks Semgrep servers to see if the latest version is run; disabling this may reduce exit time after returning results.

max-log-list-entries
string
Command:
--max-log-list-entries
- Maximum number of entries that will be shown in the log (e.g., list of rule ids, list of skipped files). A zero or negative value disables this filter. Defaults to 100.

disable-version-check
boolean
Command:
--disable-version-check
- negates --enable-version-check

matching-explanations
boolean
Command:
--matching-explanations
- Add debugging information in the JSON output to trace how different parts of a rule are matched (a.k.a., Inspect Rule in the Semgrep playground).

max-lines-per-finding
string
Command:
--max-lines-per-finding
- Maximum number of lines of code that will be shown for each match before trimming (set to 0 for unlimited).

no-secrets-validation
boolean
Command:
--no-secrets-validation
- Disables secret validation.

exclude-minified-files
boolean
Command:
--exclude-minified-files
- Skip minified files. These are files that are > 7% whitespace, or that have a large number of bytes per line. By default minified files are scanned.

scan-unknown-extensions
boolean
Command:
--scan-unknown-extensions
- If true, target files specified directly on the command line will bypass normal language detection. They will be analyzed according to the value of --lang if applicable, or otherwise with the analyzers/languages specified in the Semgrep rule(s) regardless of file extension or file type. This setting doesn't apply to target files discovered by scanning folders. Defaults to false.

skip-unknown-extensions
boolean
Command:
--skip-unknown-extensions
- negates --scan-unknown-extensions

show-supported-languages
boolean
Command:
--show-supported-languages
- Print a list of languages that are currently supported by Semgrep.

no-exclude-minified-files
boolean
Command:
--no-exclude-minified-files
- negates --exclude-minified-files

allow-untrusted-validators
boolean
Command:
--allow-untrusted-validators
- Allows running rules with validators from origins other than semgrep.dev. Avoid running rules from origins you don't trust.

enable-experimental-requirements
boolean
Command:
--enable-experimental-requirements
- Experimental: support wider set of requirements lockfiles.

allow-dynamic-dependency-resolution
boolean
Command:
--allow-dynamic-dependency-resolution
- Experimental: allow resolving dependencies dynamically by communicating with package managers during the scan.