PREREQUISITESYou must have Python 3.10 or later installed on the machine where the Semgrep CLI is running.
Go to Semgrep AppSec Platform, and sign up by clicking on Continue with GitHub or Continue with GitLab. Follow the on-screen prompts to grant Semgrep the necessary permissions. Provide the Organization display name you’d like to use, then click Create new organization.
When asked Where do you want to scan? click Run on CLI.
Launch your CLI, and follow the instructions on the Scan a project on your machine page. For your convenience, the same information is presented below, along with instructions for Windows users. macOS
Linux
Windows (beta)
Docker
i. Install the Semgrep CLI and confirm the installation:NOTEpipx and uv are the preferred installation methods. The Homebrew formula is maintained on a best-effort basis and often lags behind the latest release.Homebrew users: ensure that you’ve added Homebrew to your PATH. ii. Log in to your Semgrep account. Running this command launches a browser window, but you can also use the link that’s returned in the CLI to proceed:iii. In the Semgrep CLI login, click Activate to proceed.iv. Return to the CLI, navigate to the root of your project, and run your first scan: i. Install the Semgrep CLI and confirm the installation:ii. Log in to your Semgrep account. Running this command launches a browser window, but you can also use the link that’s returned in the CLI to proceed:iii. In the Semgrep CLI login, click Activate to proceed.iv. Return to the CLI, navigate to the root of your project, and run your first scan: i. Download and install Python. Make sure to check the box to add python.exe to the PATH, otherwise you will have difficulty running Semgrep.ii. Configure your system to run Python with UTF-8 text encodings by default. In PowerShell, run:iii. Install the Semgrep CLI and confirm the installation. In PowerShell, run:iv. Log in to your Semgrep account. Running this command launches a browser window, but you can also use the link that’s returned in the CLI to proceed:v. In the Semgrep CLI login, click Activate to proceed.vi. Return to the CLI, navigate to the root of your project, and run your first scan: i. Pull the latest image and confirm the version:ii. For users running Docker on macOS or Linux Docker:a. Log in to your Semgrep account (running this command will launch a browser window, but you can also use the link that’s returned in the CLI to proceed):b. In the Semgrep CLI login, click Activate to proceed. Return to the CLI and copy the login token that’s shown.c. Navigate into the root of your project, and run your first scan. Be sure to substitute YOUR_TOKEN with the login token value you copied in the previous step:The provided -v option mounts the current directory into the container to be scanned. Navigate into a different project or provide a specific local directory in the command to scan a different project.iii. For users running Docker on Windows:a. Log in to your Semgrep account (running this command will launch a browser window, but you can also use the link that’s returned in the CLI to proceed):b. In the Semgrep CLI login, click Activate to proceed. Return to the CLI, and copy the login token that’s shown.c. Navigate into the root of your project, and run your first scan. Be sure to substitute YOUR_TOKEN with the login token value you copied in the previous step:The provided -v option mounts the current directory into the container to be scanned. Navigate into a different project or provide a specific local directory in the command to scan a different project. Once you’ve scanned your first application, return to Semgrep AppSec Platform to see the security vulnerabilities in your project. For detailed information, click Code to access your SAST findings or Supply Chain to access your SCA findings.INFOCode is not uploaded. Only findings are sent to Semgrep AppSec Platform.
Scan without a GitHub or GitLab account
If you don’t have a GitHub or GitLab account, you can use semgrep scan in your CLI. See Scan your project for more details.