Semgrep

Semgrep is a fast static analysis tool for finding security issues across many languages.

Installation

# Python
python -m pip install semgrep

# Homebrew
brew install semgrep

Basic Usage

# Run recommended rules
semgrep --config auto

# OWASP Top 10 pack
semgrep --config p/owasp-top-ten

# Scan a specific path
semgrep --config auto ./src

Scenarios

# Scan only files changed in the last commit (fast triage); -r skips the run
# when the diff is empty, so semgrep does not fall back to scanning the whole tree
git diff --name-only HEAD~1 | xargs -r semgrep --config auto

# Limit to a language pack
semgrep --config p/javascript ./src

# Exclude vendor or build directories
semgrep --config auto --exclude node_modules --exclude dist

# Use a local custom ruleset
semgrep --config ./rules ./src
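A minimal custom rule to drop under ./rules for the command above, written as an added example rather than a rule shipped by Semgrep or taken from this page. The rule id, file name and the companion test snippet are assumptions; the rule flags Python subprocess calls that run through a shell with a command that is not a plain string literal.

```yaml
# ./rules/python-subprocess-shell-true.yaml  (hypothetical file name)
rules:
  - id: python-subprocess-shell-true
    languages: [python]
    severity: WARNING
    message: >-
      subprocess.$FUNC is called with shell=True and a command that is not a
      string literal. If any part of that command comes from user input this
      is OS command injection (CWE-78). Pass an argument list and drop shell=True.
    patterns:
      # Match any subprocess entry point (run, Popen, call, ...) where
      # shell=True appears anywhere among the arguments.
      - pattern: subprocess.$FUNC(..., shell=True, ...)
      # A constant string command cannot be influenced by input; do not flag it.
      - pattern-not: subprocess.$FUNC("...", shell=True, ...)
    # Keep the rule out of test fixtures that intentionally call shells.
    paths:
      exclude:
        - "tests/"
    metadata:
      category: security
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"

# Companion test file, ./rules/python-subprocess-shell-true.py (same base name),
# using Semgrep's annotation convention; checked with: semgrep --test ./rules
#
#   import subprocess
#   # ruleid: python-subprocess-shell-true
#   subprocess.run("ls " + user_dir, shell=True)
#   # ruleid: python-subprocess-shell-true
#   subprocess.Popen(f"tar czf {name}.tgz .", shell=True)
#   # ok: python-subprocess-shell-true
#   subprocess.run("ls -l /tmp", shell=True)
#   # ok: python-subprocess-shell-true
#   subprocess.run(["ls", user_dir])
```

Run `semgrep --test ./rules` to confirm the `ruleid`/`ok` lines match as expected before pointing `semgrep --config ./rules ./src` at real code.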

Output

# SARIF output for code scanning tools
semgrep --config auto --sarif -o semgrep.sarif