Semgrep
Version 1.156.0 (verified Tue May 12). Auth required: no. Python install: verified. Quickstart: verified.
Semgrep is a fast, open-source, static analysis engine for finding bugs, detecting vulnerabilities in third-party dependencies, and enforcing code standards across over 30 programming languages. It scans code locally, without uploading it to external servers by default. As of version 1.156.0, it is actively developed with frequent (often weekly) releases, offering both a free Community Edition and a commercial AppSec Platform with enhanced features.
pip install semgrep

Common errors
error
semgrep: command not found
cause
The Semgrep executable is not installed on your system, or its installation directory is not included in your system's PATH environment variable.
fix
Install Semgrep using your preferred package manager (e.g., brew install semgrep on macOS, pip install semgrep for Python environments) and ensure the installation path is in your system's PATH.

error
Error: No rules specified. Use --config to specify rules.
cause
Semgrep was executed without providing any rules to scan with, or the path specified for `--config` was invalid or pointed to an empty directory.
fix
Provide a valid rule configuration using the --config flag, specifying a single rule file, a directory containing rule files, or a Semgrep registry rule (e.g., semgrep --config auto . or semgrep --config path/to/rules.yaml .).

error
Error: failed to parse rule in <file_path>
cause
There is a syntax error in the YAML structure of the rule file, or the rule's content does not conform to Semgrep's expected rule schema.
fix
Carefully review the specified rule file (<file_path>) for incorrect YAML syntax (e.g., indentation, missing colons) or structural issues. Refer to the official Semgrep documentation for correct rule writing and schema guidelines (e.g., https://semgrep.dev/docs/writing-rules/).

error
WARNING: Could not find language for file <file_path>. Skipping.
cause
Semgrep could not automatically determine the programming language of the specified file, often because of an unknown file extension or because the file is empty or malformed, so the file was skipped during the scan.
fix
Ensure files have standard extensions for their respective languages. If Semgrep still can't detect the language, specify it explicitly using the --lang flag (e.g., semgrep --lang python --config rules.yaml your_file).

Warnings
breaking The experimental and undocumented `semgrep install-ci` command was removed. ↓
fix Remove any usage of `semgrep install-ci`. Consult official documentation for recommended CI/CD integration patterns.
breaking Connecting to the Semgrep MCP server via streamableHttp now requires OAuth. ↓
fix Ensure your integrations with the Semgrep MCP server (Model Context Protocol) are updated to use OAuth for authentication.
gotcha The default memory policy for Semgrep's engine was changed from 'eager' to 'balanced'. This may alter performance characteristics and resource usage for some scans. ↓
fix Monitor scan performance and resource consumption after upgrading. If necessary, consult Semgrep documentation for options to adjust memory policies or optimize scans.
gotcha By default, `semgrep scan` and `semgrep ci` commands exit with code 0 even if findings are present. This can lead to silent failures in CI/CD pipelines. ↓
fix To force a non-zero exit code on findings, use the `--error` flag with `semgrep scan` or configure blocking rules in the Semgrep AppSec Platform for `semgrep ci`.
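Because a default scan exits 0 regardless of findings, a CI gate should not rely on the exit code alone. The following is an added example, not part of this page or of the Semgrep project: it parses the `--json` output (the `results[].extra.severity` and top-level `errors` fields that Semgrep emits) and decides whether the pipeline should fail, independent of whether `--error` was passed. The sample JSON and the rule ids in it are constructed for the example; `run_scan` is a hypothetical wrapper around the real CLI.

```python
import json
import subprocess
from collections import Counter

# Constructed sample of `semgrep scan --json` output, trimmed to the fields
# the gate reads. The check_id values are invented for this example.
SAMPLE_JSON = json.dumps({
    "results": [
        {"check_id": "example.python.os-system-injection",
         "path": "app.py",
         "start": {"line": 4, "col": 5},
         "extra": {"severity": "ERROR", "message": "os.system called with untrusted input"}},
        {"check_id": "example.python.leftover-print",
         "path": "app.py",
         "start": {"line": 7, "col": 5},
         "extra": {"severity": "INFO", "message": "leftover debug print"}},
    ],
    "errors": [],
})

# Severities that should block a merge; WARNING/INFO are reported but not fatal.
BLOCKING = {"ERROR"}


def summarize(raw_json):
    """Count findings per severity and scan-level errors from Semgrep JSON output."""
    data = json.loads(raw_json)
    counts = Counter(r["extra"]["severity"] for r in data.get("results", []))
    return {"counts": dict(counts), "scan_errors": len(data.get("errors", []))}


def gate(raw_json, blocking=BLOCKING):
    """Return (should_fail, reason). Fails closed on scan errors so that a
    broken scan (e.g. a rule that failed to parse) cannot pass silently."""
    summary = summarize(raw_json)
    if summary["scan_errors"]:
        return True, f"{summary['scan_errors']} scan error(s) reported by semgrep"
    blocked = sum(n for sev, n in summary["counts"].items() if sev in blocking)
    if blocked:
        return True, f"{blocked} blocking finding(s)"
    return False, "no blocking findings"


def run_scan(paths, config="p/security-audit"):
    """Hypothetical wrapper: invoke the real CLI and return (exit_code, stdout).
    --error is passed so the exit code is also meaningful, but the gate below
    does not depend on it."""
    cmd = ["semgrep", "scan", "--config", config, "--json", "--error", *paths]
    result = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return result.returncode, result.stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in run_scan(["."])
    # to gate a real checkout.
    should_fail, reason = gate(SAMPLE_JSON)
    print("summary:", summarize(SAMPLE_JSON))
    print("gate:", "FAIL" if should_fail else "PASS", "-", reason)
    raise SystemExit(1 if should_fail else 0)
```

The gate treats scan errors as a failure rather than as "nothing found", which is the failure mode the `--error` gotcha and the "failed to parse rule" error above would otherwise hide.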
gotcha Semgrep Community Edition (OSS) may miss many true positives for security vulnerabilities, especially those requiring cross-file, cross-function, or data-flow analysis. ↓
fix For comprehensive security scanning (SAST, SCA, secrets), Semgrep, Inc. strongly recommends using the commercial Semgrep AppSec Platform which includes advanced analysis capabilities and AI-assisted triage.
gotcha Semgrep reported 'Nothing to scan' and warned about a mismatch between the project root and scanning root (e.g., 'project root X does not contain scanning root Y'). This means Semgrep could not find the specified files to scan. ↓
fix Ensure Semgrep is executed from the intended project directory. When specifying files to scan (e.g., using explicit paths or `.` for current directory), confirm they are accessible and correctly located relative to where Semgrep is invoked. Check for issues with bind mounts or working directories in containerized environments (like CI/CD) that might alter Semgrep's perception of the filesystem.
Install compatibility (verified, last tested: 2026-05-12)
python  os / libc       status  wheel install  import  disk
3.9     alpine (musl)   wheel   -              0.01s   250.0M
3.9     alpine (musl)   -       -              0.01s   249.9M
3.9     slim (glibc)    wheel   14.4s          0.01s   251M
3.9     slim (glibc)    -       -              0.01s   250M
3.10    alpine (musl)   wheel   -              0.01s   410.9M
3.10    alpine (musl)   -       -              0.01s   312.6M
3.10    slim (glibc)    wheel   17.0s          0.01s   407M
3.10    slim (glibc)    -       -              0.01s   313M
3.11    alpine (musl)   wheel   -              0.02s   421.7M
3.11    alpine (musl)   -       -              0.02s   322.7M
3.11    slim (glibc)    wheel   16.6s          0.02s   418M
3.11    slim (glibc)    -       -              0.02s   323M
3.12    alpine (musl)   wheel   -              0.02s   411.9M
3.12    alpine (musl)   -       -              0.02s   312.9M
3.12    slim (glibc)    wheel   13.5s          0.02s   408M
3.12    slim (glibc)    -       -              0.02s   313M
3.13    alpine (musl)   wheel   -              0.02s   411.8M
3.13    alpine (musl)   -       -              0.02s   312.7M
3.13    slim (glibc)    wheel   13.9s          0.01s   408M
3.13    slim (glibc)    -       -              0.02s   313M
Imports
- subprocess
import subprocess
Quickstart (verified, last tested: 2026-04-24)
import subprocess
import json
import os

# Create a dummy Python file to scan for demonstration
dummy_code = """
import os

def vulnerable_function(user_input):
    # This pattern (os.system with user input) is often flagged by security rules
    os.system(f"echo {user_input}")

def harmless_function():
    print("Hello, Semgrep!")
"""
file_path = "vulnerable_app.py"
with open(file_path, "w") as f:
    f.write(dummy_code)
print(f"Created {file_path} for scanning.")

try:
    # Run Semgrep scan on the dummy file with a common security ruleset.
    # Use --json for machine-readable output and --error to get a non-zero exit code on findings.
    # check=False allows inspection of the output even if Semgrep exits non-zero because of findings.
    result = subprocess.run(
        ["semgrep", "scan", "--config", "p/security-audit", file_path, "--json", "--error"],
        capture_output=True,
        text=True,
        check=False,
    )
    print("\n--- Semgrep CLI Output (stdout) ---")
    print(result.stdout)
    if result.stderr:
        print("\n--- Semgrep CLI Error (stderr) ---")
        print(result.stderr)

    if result.returncode != 0:
        print(f"\nSemgrep exited with non-zero code: {result.returncode}. This indicates findings or an actual error.")
    else:
        print("\nSemgrep exited with code 0: no findings, or --error was not used / no blocking rules.")

    # Parse JSON output if available
    try:
        json_output = json.loads(result.stdout)
        if json_output.get("results"):
            print(f"\nFound {len(json_output['results'])} security findings:")
            for finding in json_output["results"]:
                print(f" - Rule: {finding['check_id']} at {finding['start']['line']}:{finding['start']['col']}")
                print(f"   Message: {finding['extra']['message']}")
        else:
            print("\nNo findings reported in JSON output.")
    except json.JSONDecodeError:
        print("\nCould not decode JSON output.")
except FileNotFoundError:
    print("Error: 'semgrep' command not found. Please ensure Semgrep is installed and in your PATH.")
except Exception as e:
    print(f"An unexpected error occurred: {e}")
finally:
    # Clean up the dummy file
    if os.path.exists(file_path):
        os.remove(file_path)
        print(f"\nCleaned up {file_path}.")