loading
loading
Static Code Analysis
Lightweight static analysis for many languages, with patterns that look like source code.
overview
Semgrep matches bug and vulnerability patterns written in a syntax that mirrors the code itself, so a rule for a dangerous call reads like the snippet it catches instead of a dense regex. It parses each file into a syntax tree and matches structurally, which means one rule holds across formatting and variable names, and it ships curated registry packs for common security issues in dozens of languages.
Rule selection is the main dial. Pass --config with a registry pack like p/python, a local YAML file, a URL, or --config auto to pull rules tailored to the project. Pick an output format next: --sarif for code-scanning dashboards, --json for pipelines, or GitLab SAST and JUnit XML. Add --error so a nonzero exit fails a build when findings appear, and use --exclude or --include to keep the scan on the paths you care about.
In a Trickest workflow the scan runs against a checked-out repository and writes its findings as a file and a folder, so the triage and reporting path that already handles dynamic-scanner output also carries these static results. Because every rule is a pattern, encoding a newly found bug variant as a reusable check takes minutes, not a plugin build.
source github.com/semgrep/semgrep
use cases
Point semgrep-scan at a source-code folder with a security rule pack to flag injection sinks, unsafe deserialization, and other risky patterns across the tree.
Set the error exit behavior so a build fails when Semgrep reports issues, blocking risky code from merging.
Write SARIF or GitLab SAST output so findings load directly into code-scanning dashboards and pull-request annotations.
Supply a pattern and language to search for one specific construct across the codebase, useful for chasing a known bug variant everywhere it appears.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| target-folder | FOLDER | · | Source-code folder to scan (the positional target). |
| config | STRING | --config | YAML file, directory, URL, or registry pack (e.g. p/python). Use auto to fetch project-tailored rules; repeat to combine. |
| sarif | BOOLEAN | --sarif | Output results in SARIF format for code-scanning dashboards. |
| json | BOOLEAN | --json | Output results in Semgrep's JSON format. |
| severity | STRING | --severity | Report only findings from rules matching INFO, WARNING, or ERROR. |
| exclude | STRING | --exclude | Skip any file or directory whose path matches a gitignore-style glob. |
| jobs | STRING | --jobs | Number of subprocesses running checks in parallel (defaults to core count). |
| error | BOOLEAN | --error | Exit 1 when there are findings. Useful for CI and scripts. |
Showing key inputs. semgrep-scan exposes 89 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| pro | BOOLEAN | --pro | Inter-file analysis and Pro languages (currently Apex, C#, and Elixir. Requires Semgrep Pro Engine. See https://semgrep.dev/products/pro-engine/ for more. |
| vim | BOOLEAN | --vim | Output results in vim single-line format. |
| jobs | STRING | --jobs | Number of subprocesses to use to run checks in parallel. Defaults to the number of cores detected on the system (1 if using --pro). |
| json | BOOLEAN | --json | Output results in Semgrep's JSON format. |
| lang | STRING | --lang | Parse pattern and all files in specified language. Must be used with -e/--pattern. |
| test | BOOLEAN | --test | Run test suite. |
| text | BOOLEAN | --text | Output results in text format. |
| time | BOOLEAN | --time | Include a timing summary with the results (internal use; --trace is better supported). |
| debug | BOOLEAN | --debug | All of --verbose, but with additional debugging information. |
| emacs | BOOLEAN | --emacs | Output results in Emacs single-line format. |
| error | BOOLEAN | --error | Exit 1 if there are findings. Useful for CI and scripts. |
| quiet | BOOLEAN | --quiet | Only output findings. |
| sarif | BOOLEAN | --sarif | Output results in SARIF format. |
| trace | BOOLEAN | --trace | Record traces from Semgrep scans to help debugging. This feature is meant for internal use and may be changed or removed without warning. |
| config | STRING | --config | YAML file, directory, URL, or registry pack (e.g. p/python). Use auto to fetch project-tailored rules; repeat --config to combine sources. |
| dryrun | BOOLEAN | --dryrun | With --autofix, print the proposed changes to the console instead of writing them to files. |
| legacy | BOOLEAN | --legacy | Prefer old (legacy) behavior. |
| remote | STRING | --remote | Quickly checkout and scan a remote git repository URL. Requires --pro and --experimental. |
| strict | BOOLEAN | --strict | Return a nonzero exit code when WARN level errors are encountered. Fails early if invalid configuration files are present. Defaults to --no-strict. |
| autofix | BOOLEAN | --autofix | Apply autofix patches. Experimental and can cause data loss, so keep files in version control. |
| develop | BOOLEAN | --develop | Living on the edge. |
| exclude | STRING | --exclude | Skip any file or directory whose path matches a gitignore-style glob. May be repeated. |
| include | STRING | --include | Scan only files or directories matching a gitignore-style glob, excluding all others. May be repeated. |
| metrics | STRING | --metrics | Control usage metrics sent to the Semgrep server: auto, on, or off. |
| no-time | BOOLEAN | --no-time | negates --time |
| pattern | STRING | --pattern | Code search pattern. See https://semgrep.dev/docs/writing-rules/pattern-syntax for information on pattern features. |
| profile | BOOLEAN | --profile | <undocumented> |
| secrets | BOOLEAN | --secrets | Run Semgrep Secrets product, including support for secret validation. Requires access to Secrets, contact support@semgrep.com for more information. |
| timeout | STRING | --timeout | Maximum time to spend running a rule on a single file in seconds. If set to 0 will not have time limit. Defaults to 5.0 s. |
| verbose | BOOLEAN | --verbose | Show more details about what rules are running, which files failed to parse, etc. |
| dump-ast | BOOLEAN | --dump-ast | If --dump-ast, shows AST of the input file or passed expression and then exit (can use --json). |
| no-error | BOOLEAN | --no-error | negates --error |
| no-trace | BOOLEAN | --no-trace | negates --trace |
| oss-only | BOOLEAN | --oss-only | Run using only the OSS engine, even if the Semgrep Pro toggle is on. This may still run Pro rules, but only using the OSS features. |
| severity | STRING | --severity | Report only findings from rules matching a severity: INFO, WARNING, or ERROR. May be repeated. |
| validate | BOOLEAN | --validate | Validate configuration file(s). This will check YAML files for errors and run 'p/semgrep-rule-lints' on the YAML files. No search is performed. |
| junit-xml | BOOLEAN | --junit-xml | Output results in JUnit XML format. |
| no-dryrun | BOOLEAN | --no-dryrun | negates --dryrun |
| no-strict | BOOLEAN | --no-strict | negates --strict |
| diff-depth | STRING | --diff-depth | Call-graph depth for a Pro interfile differential scan (default 2). |
| max-memory | STRING | --max-memory | Maximum memory in MiB per file or interfile phase; 0 means no limit (default 0). |
| no-autofix | BOOLEAN | --no-autofix | negates -a/--autofix |
| config-file | FILE | --config | A YAML rule file to load as the configuration (FILE form of --config). |
| force-color | BOOLEAN | --force-color | Always include ANSI color in the output, even if not writing to a TTY; defaults to using the TTY status |
| gitlab-sast | BOOLEAN | --gitlab-sast | Output results in GitLab SAST format. |
| replacement | STRING | --replacement | An autofix expression that will be applied to any matches found with --pattern. Only valid with a command-line specified pattern. |
| enable-nosem | BOOLEAN | --enable-nosem | Enables 'nosem'. Findings will not be reported on lines containing a 'nosem' comment at the end. Enabled by default. |
| exclude-rule | STRING | --exclude-rule | Skip any rule with the given id. Can add multiple times. |
| experimental | BOOLEAN | --experimental | Enable experimental features. |
| project-root | STRING | --project-root | Force a specific directory as the project root for gitignore and semgrepignore. Requires --experimental. |
| config-folder | FOLDER | --config | A directory of YAML rule files to load as the configuration (FOLDER form of --config). |
| disable-nosem | BOOLEAN | --disable-nosem | negates --enable-nosem |
| no-git-ignore | BOOLEAN | --no-git-ignore | negates --use-git-ignore |
| optimizations | STRING | --optimizations | Turn on/off optimizations. Default = 'all'. Use 'none' to turn all optimizations off. |
| pro-intrafile | BOOLEAN | --pro-intrafile | Intra-file inter-procedural taint analysis. Implies --pro-languages. Requires Semgrep Pro Engine. See https://semgrep.dev/products/pro-engine/ for more. |
| pro-languages | BOOLEAN | --pro-languages | Enable Pro languages (currently Apex, C#, and Elixir). Requires Semgrep Pro Engine. See https://semgrep.dev/products/pro-engine/ for more. |
| target-folder | FOLDER | · | Source code folder |
| gitlab-secrets | BOOLEAN | --gitlab-secrets | Output results in GitLab Secrets format. |
| no-force-color | BOOLEAN | --no-force-color | negates --force-color |
| trace-endpoint | STRING | --trace-endpoint | Endpoint to send OpenTelemetry traces to when --trace is set (internal use). |
| use-git-ignore | BOOLEAN | --use-git-ignore | Skip files ignored by git when the scan root is inside a repository. |
| baseline-commit | STRING | --baseline-commit | Only show results that are not found in this commit hash. Aborts run if not currently in a git directory, there are unstaged changes, or given baseline hash doesn't exist. |
| dataflow-traces | BOOLEAN | --dataflow-traces | Explain how non-local values reach the location of a finding (only affects text and SARIF output). |
| max-target-bytes | STRING | --max-target-bytes | Maximum size for a file to be scanned, e.g. 1.5MB; 0 or negative disables it (default 1000000). |
| rewrite-rule-ids | BOOLEAN | --rewrite-rule-ids | Rewrite rule ids when they appear in nested sub-directories (Rule 'foo' in test/rules.yaml will be renamed 'test.foo'). |
| test-ignore-todo | BOOLEAN | --test-ignore-todo | If --test-ignore-todo, ignores rules marked as '#todoruleid:' in test files. |
| interfile-timeout | STRING | --interfile-timeout | Maximum time to spend on interfile analysis. If set to 0 will not have time limit. Defaults to 0 s for all CLI scans. For CI scans, it defaults to 3 hours. |
| timeout-threshold | STRING | --timeout-threshold | Maximum number of rules that can time out on a file before the file is skipped. If set to 0 will not have limit. Defaults to 3. |
| files-with-matches | BOOLEAN | --files-with-matches | Output only the names of files containing matches. REQUIRES --experimental |
| historical-secrets | BOOLEAN | --historical-secrets | Scans git history using Secrets rules. |
| incremental-output | BOOLEAN | --incremental-output | Output results incrementally. REQUIRES --experimental |
| max-chars-per-line | STRING | --max-chars-per-line | Maximum number of characters to show per line. |
| pro-path-sensitive | BOOLEAN | --pro-path-sensitive | Path sensitivity. Implies --pro-intrafile. Requires Semgrep Pro Engine. See https://semgrep.dev/products/pro-engine/ for more. |
| use-osemgrep-sarif | BOOLEAN | --use-osemgrep-sarif | Output results using osemgrep. |
| no-rewrite-rule-ids | BOOLEAN | --no-rewrite-rule-ids | negates --rewrite-rule-ids |
| no-test-ignore-todo | BOOLEAN | --no-test-ignore-todo | negates --test-ignore-todo |
| enable-version-check | BOOLEAN | --enable-version-check | Checks Semgrep servers to see if the latest version is run; disabling this may reduce exit time after returning results. |
| max-log-list-entries | STRING | --max-log-list-entries | Maximum number of entries that will be shown in the log (e.g., list of rule ids, list of skipped files). A zero or negative value disables this filter. Defaults to 100 |
| disable-version-check | BOOLEAN | --disable-version-check | negates --enable-version-check |
| matching-explanations | BOOLEAN | --matching-explanations | Add debugging information in the JSON output to trace how different parts of a rule are matched (a.k.a., "Inspect Rule" in the Semgrep playground) |
| max-lines-per-finding | STRING | --max-lines-per-finding | Maximum number of lines of code that will be shown for each match before trimming (set to 0 for unlimited). |
| no-secrets-validation | BOOLEAN | --no-secrets-validation | Disables secret validation. |
| exclude-minified-files | BOOLEAN | --exclude-minified-files | Skip minified files. These are files that are > 7% whitespace, or who have a large number of bytes per line. By defualt minified files are scanned |
| scan-unknown-extensions | BOOLEAN | --scan-unknown-extensions | Analyze files named directly on the command line regardless of extension, using --lang or the rule's language. |
| skip-unknown-extensions | BOOLEAN | --skip-unknown-extensions | negates --scan-unknown-extensions |
| show-supported-languages | BOOLEAN | --show-supported-languages | Print a list of languages that are currently supported by Semgrep. |
| no-exclude-minified-files | BOOLEAN | --no-exclude-minified-files | negates --exclude-minified-files |
| allow-untrusted-validators | BOOLEAN | --allow-untrusted-validators | Allows running rules with validators from origins other than semgrep.dev. Avoid running rules from origins you don't trust. |
| allow-dynamic-dependency-resolution | BOOLEAN | --allow-dynamic-dependency-resolution | Experimental: allow resolving dependencies dynamically by communicating with package managers during the scan. |
example
# scan a source tree with auto-selected rules, emit SARIF, and fail on findingssemgrep scan --config auto --sarif --error ./src > findings.sarifScanning 128 files tracked by git with 342 rules: src/app.py ❱ python.lang.security.audit.dangerous-subprocess-use [ERROR] A command built from user input is passed to a shell. 22┆ subprocess.call("ping -c 1 " + host, shell=True) src/db.py ❱ python.sqlalchemy.security.sqlalchemy-execute-raw-query [WARNING] Raw SQL built with string formatting; use bound parameters. 58┆ conn.execute("SELECT * FROM users WHERE id = %s" % uid) Ran 342 rules on 128 files: 2 findings (2 blocking).guidance
Reach for semgrep-scan when you want fast, language-aware static analysis with rules you can read and extend. It analyzes source code, so it sits in the build and review stage rather than the live-target stage. For runtime web testing, pair it with dynamic scanners instead.
Probes live web servers for exposed files. Dynamic, not source analysis. Complements Semgrep on the deployed side.
Tests deployed endpoints for request smuggling. Runtime testing rather than code review.
Enumerates IIS short filenames on live hosts. A deployment-side check, not a static one.
faq
related
Find common security issues in Python code.
A source code scanner that reviews Ruby code for security issues.
Analyze big volumes of data in search of hardcoded secrets like keys and passwords.
Git ripper that can rip repositories even when directory browsing is turned off.
Check whether a Git repository pulls in Log4J, and list the files that use it.
Detect hardcoded secrets like passwords, API keys, and tokens in git repos.
A source-code folder feeds semgrep-scan, which matches security patterns across the tree and writes the findings as a queryable output.
Facts on this page come from the live Trickest tool library.