semgrep
To use SemGrep in MegaLinter you must define a list of rulesets to use.
Example: REPOSITORY_SEMGREP_RULESETS: ["p/docker-compose","p/owasp-top-ten"]
Exception for standalone and security flavors docker images, that use a list of security rulesets by default.
semgrep documentation
- Version in MegaLinter: 1.23.0
- Visit Official Web Site
- See How to configure semgrep rules
- See How to disable semgrep rules in files
- See How to ignore files and directories with semgrep
- You can define a
.semgrepignore
file to ignore files and folders
- You can define a
- See Index of problems detected by semgrep
Configuration in MegaLinter
- Enable semgrep by adding
REPOSITORY_SEMGREP
in ENABLE_LINTERS variable - Disable semgrep by adding
REPOSITORY_SEMGREP
in DISABLE_LINTERS variable
Variable | Description | Default value |
---|---|---|
REPOSITORY_SEMGREP_RULESETS | List of semgrep rulesets identifiers that you want to enforce | auto |
REPOSITORY_SEMGREP_RULESETS_TYPE | MegaLinter semgrep ruleset list preset id . Available values: security | `` |
REPOSITORY_SEMGREP_ARGUMENTS | User custom arguments to add in linter CLI call Ex: -s --foo "bar" |
|
REPOSITORY_SEMGREP_PRE_COMMANDS | List of bash commands to run before the linter | None |
REPOSITORY_SEMGREP_POST_COMMANDS | List of bash commands to run after the linter | None |
REPOSITORY_SEMGREP_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
REPOSITORY_SEMGREP_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
REPOSITORY_SEMGREP_CLI_EXECUTABLE | Override CLI executable | ['semgrep'] |
IDE Integration
Use semgrep in your favorite IDE to catch errors before MegaLinter !
IDE | Extension Name | Install | |
---|---|---|---|
Visual Studio Code | VSCode SemGrep |
MegaLinter Flavours
This linter is available in the following flavours
Flavor | Description | Embedded linters | Info | |
---|---|---|---|---|
all | Default MegaLinter Flavor | 113 | ||
cupcake | MegaLinter for the most commonly used languages | 81 | ||
documentation | MegaLinter for documentation projects | 47 | ||
dotnet | Optimized for C, C++, C# or VB based projects | 59 | ||
go | Optimized for GO based projects | 49 | ||
java | Optimized for JAVA based projects | 51 | ||
javascript | Optimized for JAVASCRIPT or TYPESCRIPT based projects | 56 | ||
php | Optimized for PHP based projects | 50 | ||
python | Optimized for PYTHON based projects | 58 | ||
ruby | Optimized for RUBY based projects | 47 | ||
rust | Optimized for RUST based projects | 47 | ||
salesforce | Optimized for Salesforce based projects | 50 | ||
security | Optimized for security | 21 | ||
swift | Optimized for SWIFT based projects | 47 | ||
terraform | Optimized for TERRAFORM based projects | 51 |
Behind the scenes
How are identified applicable files
- If this linter is active, all files will always be linted
How the linting is performed
semgrep is called once on the whole project directory (project
CLI lint mode)
- filtering can not be done using MegaLinter configuration variables,it must be done using semgrep configuration or ignore file (if existing)
VALIDATE_ALL_CODEBASE: false
doesn't make semgrep analyze only updated files
Example calls
semgrep /tmp/lint
semgrep
Help content
Usage: semgrep [OPTIONS] COMMAND [ARGS]...
To get started quickly, run `semgrep scan --config auto`
Run `semgrep SUBCOMMAND --help` for more information on each subcommand
If no subcommand is passed, will run `scan` subcommand by default
Options:
-h, --help Show this message and exit.
Commands:
ci The recommended way to run semgrep in CI
install-semgrep-pro Install the Semgrep Pro Engine
login Obtain and save credentials for semgrep.dev
logout Remove locally stored credentials to semgrep.dev
lsp [EXPERIMENTAL] Start the Semgrep LSP server
publish Upload rule to semgrep.dev
scan Run semgrep rules on files
shouldafound Report a false negative in this project.
Installation on mega-linter Docker image
- PIP packages (Python):