Skip to main content

Scan your codebase and export results

Navigate to the root of your codebase to run first scan. The specific command you use depends on how you want to view the results. To view the results in the CLI:
To export the results to a plain text file:
To export the results to a SARIF file:
To export the results to a JSON file:
The JSON schema for Semgrep’s CLI output can be found in semgrep/semgrep-interfaces.
In addition to the --text, --json, and --sarif flags, which set the primary output formats, and the --output= flag that saves the results to a file or posts to a URL, you can append -- -output= to obtain additional output streams:
Accepted values for : text, json, sarif, gitlab-sast, gitlab-secrets, junit-xml, emacs, vim

Scan your codebase with a specific ruleset

You can scan your codebase using --config auto to run Semgrep with rules that apply to your programming languages and frameworks:
INFOSemgrep collects pseudonymous metrics when you use rules from the Registry. You can turn this off with --metrics=off.
To scan your codebase with a specific ruleset, either one that you write or one that you obtain from the Semgrep Registry, use the --config flag.
You can include as many configuration flags as necessary.
Rules stored under a hidden directory, such as dir/.hidden/myrule.yml, are processed by Semgrep when scanning with the --config flag. Scan with rules in a directory and all its subdirectories:
Scan with all YAML rules detected in the current working directory and all its subdirectories:

Test custom rules

Semgrep includes features to test the custom rules that you write:

Improve performance for large codebases

You can set the number of subprocesses Semgrep uses to run checks in parallel:
By default, the number of jobs Semgrep uses is equivalent to the number of cores detected on the system.
Semgrep doesn’t currently support parallelism on Windows.

Set log levels

Semgrep provides three levels of logging:

Example usage

To set the logging level for a scan, include the flag when scanning your project:

Exit codes

The command semgrep scan finishes with exit code 0 as long as the scan completes, regardless of whether there were findings. To finish with exit code 1 when there are findings, pass in the --error flag.