
semgrep


To use semgrep in MegaLinter you must define the list of rulesets to apply.

Example: REPOSITORY_SEMGREP_RULESETS: ["p/docker-compose","p/owasp-top-ten"]

The standalone and security flavor Docker images are the exception: they use a list of security rulesets by default.

semgrep documentation

semgrep - GitHub

Configuration in MegaLinter

| Variable | Description | Default value |
|---|---|---|
| REPOSITORY_SEMGREP_RULESETS | List of semgrep ruleset identifiers that you want to enforce | auto |
| REPOSITORY_SEMGREP_RULESETS_TYPE | MegaLinter semgrep ruleset list preset id. Available values: security | |
| REPOSITORY_SEMGREP_ARGUMENTS | User custom arguments to add in linter CLI call. Ex: -s --foo "bar" | |
| REPOSITORY_SEMGREP_PRE_COMMANDS | List of bash commands to run before the linter | None |
| REPOSITORY_SEMGREP_POST_COMMANDS | List of bash commands to run after the linter | None |
| REPOSITORY_SEMGREP_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling REPOSITORY_SEMGREP and its pre/post commands | None |
| REPOSITORY_SEMGREP_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
| REPOSITORY_SEMGREP_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
| REPOSITORY_SEMGREP_CLI_EXECUTABLE | Override CLI executable | ['semgrep'] |

IDE Integration

Use semgrep in your favorite IDE to catch errors before MegaLinter!

| IDE | Extension Name | Install |
|---|---|---|
| Visual Studio Code | VSCode SemGrep | Install in VSCode |

MegaLinter Flavours

This linter is available in the following flavours:

| Flavor | Description | Embedded linters |
|---|---|---|
| all | Default MegaLinter Flavor | 113 |
| cupcake | MegaLinter for the most commonly used languages | 81 |
| documentation | MegaLinter for documentation projects | 47 |
| dotnet | Optimized for C, C++, C# or VB based projects | 59 |
| go | Optimized for GO based projects | 49 |
| java | Optimized for JAVA based projects | 51 |
| javascript | Optimized for JAVASCRIPT or TYPESCRIPT based projects | 56 |
| php | Optimized for PHP based projects | 50 |
| python | Optimized for PYTHON based projects | 58 |
| ruby | Optimized for RUBY based projects | 47 |
| rust | Optimized for RUST based projects | 47 |
| salesforce | Optimized for Salesforce based projects | 50 |
| security | Optimized for security | 21 |
| swift | Optimized for SWIFT based projects | 47 |
| terraform | Optimized for TERRAFORM based projects | 51 |

Behind the scenes

How applicable files are identified

  • If this linter is active, all files will always be linted

How the linting is performed

semgrep is called once on the whole project directory (project CLI lint mode)

  • filtering cannot be done using MegaLinter configuration variables; it must be done using the semgrep configuration or a semgrep ignore file (if one exists)
  • VALIDATE_ALL_CODEBASE: false does not make semgrep analyze only updated files
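As an added example (not taken from the MegaLinter docs or project), a .mega-linter.yml that enables this descriptor with explicit security rulesets and combines the variables from the configuration table above with the filtering caveat just described; ENABLE_LINTERS and the --severity flag are assumed from MegaLinter and semgrep respectively, and the ruleset ids are the ones quoted on this page.

```yaml
# .mega-linter.yml (added example; ENABLE_LINTERS is assumed to be the
# MegaLinter variable that selects which descriptors run)
ENABLE_LINTERS:
  - REPOSITORY_SEMGREP

# Pin the rulesets in the repository instead of relying on the default
# "auto" selection, so every run enforces the same, reviewable rule set.
REPOSITORY_SEMGREP_RULESETS:
  - "p/owasp-top-ten"
  - "p/docker-compose"

# Extra CLI arguments appended to the semgrep call (assumed semgrep flag):
# only ERROR-severity findings fail the job.
REPOSITORY_SEMGREP_ARGUMENTS: "--severity ERROR"

# Keep findings blocking: errors stay errors and none are tolerated.
REPOSITORY_SEMGREP_DISABLE_ERRORS: false
REPOSITORY_SEMGREP_DISABLE_ERRORS_IF_LESS_THAN: 0

# Note: semgrep is run once on the whole project, so path exclusions
# (vendored code, test fixtures) belong in a .semgrepignore file at the
# repository root, not in MegaLinter filtering variables.
```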

Example calls

semgrep /tmp/lint
semgrep 

Help content

Usage: semgrep [OPTIONS] COMMAND [ARGS]...

  To get started quickly, run `semgrep scan --config auto`

  Run `semgrep SUBCOMMAND --help` for more information on each subcommand

  If no subcommand is passed, will run `scan` subcommand by default

Options:
  -h, --help  Show this message and exit.

Commands:
  ci                   The recommended way to run semgrep in CI
  install-semgrep-pro  Install the Semgrep Pro Engine
  login                Obtain and save credentials for semgrep.dev
  logout               Remove locally stored credentials to semgrep.dev
  lsp                  [EXPERIMENTAL] Start the Semgrep LSP server
  publish              Upload rule to semgrep.dev
  scan                 Run semgrep rules on files
  shouldafound         Report a false negative in this project.

Installation on mega-linter Docker image