semgrep
If you do not want to use the default semgrep recommended rules, you can pass your own rulesets as arguments.
Example: `REPOSITORY_SEMGREP_ARGUMENTS: ["--config","p/ruleset1","p/ruleset2"]`
semgrep documentation
- Visit Official Web Site
- See How to configure semgrep rules
- See How to disable semgrep rules in files
- See Index of problems detected by semgrep
Configuration in MegaLinter
- Enable semgrep by adding `REPOSITORY_SEMGREP` in ENABLE_LINTERS variable
- Disable semgrep by adding `REPOSITORY_SEMGREP` in DISABLE_LINTERS variable
Variable | Description | Default value |
---|---|---|
REPOSITORY_SEMGREP_RULESETS | List of semgrep ruleset identifiers that you want to enforce | auto |
REPOSITORY_SEMGREP_RULESETS_TYPE | MegaLinter semgrep ruleset list preset id. Available values: security | `` |
REPOSITORY_SEMGREP_ARGUMENTS | User custom arguments to add in linter CLI call. Ex: -s --foo "bar" | |
REPOSITORY_SEMGREP_FILE_EXTENSIONS | Allowed file extensions. "*" matches any extension, "" matches empty extension. Empty list excludes all files. Ex: [".py", ""] | Exclude every file |
REPOSITORY_SEMGREP_FILE_NAMES_REGEX | File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files. Ex: ["Dockerfile(-.+)?", "Jenkinsfile"] | Include every file |
REPOSITORY_SEMGREP_PRE_COMMANDS | List of bash commands to run before the linter | None |
REPOSITORY_SEMGREP_POST_COMMANDS | List of bash commands to run after the linter | None |
REPOSITORY_SEMGREP_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
REPOSITORY_SEMGREP_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
IDE Integration
Use semgrep in your favorite IDE to catch errors before MegaLinter!
IDE | Extension Name | Install |
---|---|---|
Visual Studio Code | VsCode SemGrep | |
MegaLinter Flavours
This linter is available in the following flavours:
Flavor | Description | Embedded linters | Info |
---|---|---|---|
all | Default MegaLinter Flavor | 101 | |
documentation | MegaLinter for documentation projects | 42 | |
dotnet | Optimized for C, C++, C# or VB based projects | 50 | |
go | Optimized for GO based projects | 44 | |
java | Optimized for JAVA based projects | 44 | |
javascript | Optimized for JAVASCRIPT or TYPESCRIPT based projects | 51 | |
php | Optimized for PHP based projects | 46 | |
python | Optimized for PYTHON based projects | 50 | |
ruby | Optimized for RUBY based projects | 43 | |
rust | Optimized for RUST based projects | 43 | |
salesforce | Optimized for Salesforce based projects | 45 | |
security | Optimized for security | 20 | |
swift | Optimized for SWIFT based projects | 43 | |
terraform | Optimized for TERRAFORM based projects | 48 | |
Behind the scenes
How applicable files are identified
- If this linter is active, all files will always be linted
How the linting is performed
- semgrep is called once on the whole project directory
- filtering can not be done using MegaLinter configuration variables; it must be done using semgrep configuration or ignore file (if existing)
- `VALIDATE_ALL_CODEBASE: false` does not make semgrep analyze only updated files
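A `.mega-linter.yml` fragment, added here as an example that is not part of the MegaLinter project docs, applying the variables from the configuration table above together with the filtering caveat. It assumes that `p/security-audit` and `p/secrets` are valid semgrep registry packs, and the ignore paths it mentions are constructed.

```yaml
# .mega-linter.yml (added example): enable semgrep with explicit rulesets.
ENABLE_LINTERS:
  - REPOSITORY_SEMGREP

# Replace the default "auto" ruleset selection with named registry packs.
# (p/security-audit and p/secrets are assumed to exist in the semgrep registry.)
REPOSITORY_SEMGREP_RULESETS:
  - p/security-audit
  - p/secrets

# Keep findings blocking: errors stay errors and no error count is tolerated.
# Setting DISABLE_ERRORS to true, or raising DISABLE_ERRORS_IF_LESS_THAN above 0,
# downgrades findings to warnings and so removes them from the CI gate.
REPOSITORY_SEMGREP_DISABLE_ERRORS: false
REPOSITORY_SEMGREP_DISABLE_ERRORS_IF_LESS_THAN: 0

# REPOSITORY_SEMGREP_FILE_EXTENSIONS and REPOSITORY_SEMGREP_FILE_NAMES_REGEX are
# accepted but do not narrow the scan: semgrep runs once on the whole directory.
# Exclude vendored or generated code with a .semgrepignore file at the repository
# root instead, e.g. lines such as "vendor/" and "**/*.min.js" (constructed paths).
```

Because `VALIDATE_ALL_CODEBASE: false` does not limit semgrep to changed files either, the `.semgrepignore` file is the only place where scan scope is controlled for this linter.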
Example calls
```shell
semgrep /tmp/lint
semgrep
```
Installation on mega-linter Docker image
- PIP packages (Python):