semgrep

To use SemGrep in MegaLinter you must define a list of rulesets to use.

Example: REPOSITORY_SEMGREP_RULESETS: ["p/docker-compose","p/owasp-top-ten"]

Exception for standalone and security flavors docker images, that use a list of security rulesets by default.

semgrep documentation

Version in MegaLinter: 1.26.0
Visit Official Web Site
See How to configure semgrep rules
See How to disable semgrep rules in files
See How to ignore files and directories with semgrep
- You can define a .semgrepignore file to ignore files and folders
See Index of problems detected by semgrep

Configuration in MegaLinter

Enable semgrep by adding REPOSITORY_SEMGREP in ENABLE_LINTERS variable
Disable semgrep by adding REPOSITORY_SEMGREP in DISABLE_LINTERS variable

Variable	Description	Default value
REPOSITORY_SEMGREP_RULESETS	List of semgrep rulesets identifiers that you want to enforce	`auto`
REPOSITORY_SEMGREP_RULESETS_TYPE	MegaLinter semgrep ruleset list preset id . Available values: security	``
REPOSITORY_SEMGREP_ARGUMENTS	User custom arguments to add in linter CLI call Ex: `-s --foo "bar"`
REPOSITORY_SEMGREP_PRE_COMMANDS	List of bash commands to run before the linter	None
REPOSITORY_SEMGREP_POST_COMMANDS	List of bash commands to run after the linter	None
REPOSITORY_SEMGREP_UNSECURED_ENV_VARIABLES	List of env variables explicitly not filtered before calling REPOSITORY_SEMGREP and its pre/post commands	None
REPOSITORY_SEMGREP_DISABLE_ERRORS	Run linter but consider errors as warnings	`false`
REPOSITORY_SEMGREP_DISABLE_ERRORS_IF_LESS_THAN	Maximum number of errors allowed	`0`
REPOSITORY_SEMGREP_CLI_EXECUTABLE	Override CLI executable	`['semgrep']`

IDE Integration

Use semgrep in your favorite IDE to catch errors before MegaLinter !

	IDE	Extension Name	Install
	Visual Studio Code	VSCode SemGrep

MegaLinter Flavours

This linter is available in the following flavours

Flavor	Description	Embedded linters
all	Default MegaLinter Flavor	113
cupcake	MegaLinter for the most commonly used languages	81
documentation	MegaLinter for documentation projects	47
dotnet	Optimized for C, C++, C# or VB based projects	59
go	Optimized for GO based projects	49
java	Optimized for JAVA based projects	51
javascript	Optimized for JAVASCRIPT or TYPESCRIPT based projects	56
php	Optimized for PHP based projects	50
python	Optimized for PYTHON based projects	58
ruby	Optimized for RUBY based projects	47
rust	Optimized for RUST based projects	47
salesforce	Optimized for Salesforce based projects	50
security	Optimized for security	21
swift	Optimized for SWIFT based projects	47
terraform	Optimized for TERRAFORM based projects	51

Behind the scenes

How are identified applicable files

If this linter is active, all files will always be linted

How the linting is performed

semgrep is called once on the whole project directory (project CLI lint mode)

filtering can not be done using MegaLinter configuration variables,it must be done using semgrep configuration or ignore file (if existing)
VALIDATE_ALL_CODEBASE: false doesn't make semgrep analyze only updated files

Example calls

semgrep /tmp/lint

semgrep

Help content

Usage: semgrep [OPTIONS] COMMAND [ARGS]...

  To get started quickly, run `semgrep scan --config auto`

  Run `semgrep SUBCOMMAND --help` for more information on each subcommand

  If no subcommand is passed, will run `scan` subcommand by default

Options:
  -h, --help  Show this message and exit.

Commands:
  ci                   The recommended way to run semgrep in CI
  install-semgrep-pro  Install the Semgrep Pro Engine
  login                Obtain and save credentials for semgrep.dev
  logout               Remove locally stored credentials to semgrep.dev
  lsp                  [EXPERIMENTAL] Start the Semgrep LSP server
  publish              Upload rule to semgrep.dev
  scan                 Run semgrep rules on files
  shouldafound         Report a false negative in this project.

Installation on mega-linter Docker image

PIP packages (Python):
- semgrep