For fields that are exclusive to Semgrep AppSec Platform, you must sign in to generate values for those fields.
Semgrep Code
JSON
JSON top-level fields
These tables provide a partial overview of the fields available to Semgrep Community Edition (CE) and Semgrep AppSec Platform. Refer to the sample schema for all the fields.

| Field | Semgrep CE | Semgrep AppSec Platform |
|---|---|---|
| errors | ✅ | ✅ |
| interfile_languages_used | ❌ | ✅ |
| paths | ✅ | ✅ |
| results | See results object | See results object |
| skipped_rules | ✅ | ✅ |
| version | ✅ | ✅ |
results object
Each entry in results describes one match. path is the file that was matched; start and end give the line, column and byte offset of the match. paths and skipped_rules are top-level fields, not fields of a result.

| Field | Semgrep CE | Semgrep AppSec Platform |
|---|---|---|
| check_id | ✅ | ✅ |
| end | ✅ | ✅ |
| extra | See extra object | See extra object |
| path | ✅ | ✅ |
| start | ✅ | ✅ |
extra object
| Field | Semgrep CE | Semgrep AppSec Platform |
|---|---|---|
| engine_kind | ✅ | ✅ |
| fingerprint | ❌ | ✅ |
| fix | ✅ | ✅ |
| is_ignored | ❌ | ✅ |
| lines* | ❌ | ✅ |
| message | ✅ | ✅ |
| metadata | See metadata object | See metadata object |
| metavars | ❌ | ✅ |
| severity | ✅ | ✅ |
| validation_state (Secrets scans only) | ✅ | ✅ |

* lines refers to the text of the matched lines, not the line numbers themselves. The line numbers are in the start and end fields of the results object.
metadata object
| Field | Semgrep CE | Semgrep AppSec Platform |
|---|---|---|
| category | ✅ | ✅ |
| confidence | ✅ | ✅ |
| cwe | ✅ | ✅ |
| impact | ✅ | ✅ |
| license | ✅ | ✅ |
| likelihood | ✅ | ✅ |
| owasp | ✅ | ✅ |
| references | ✅ | ✅ |
| semgrep.dev | ❌ | ✅ |
| semgrep.policy | ❌ | ✅ |
| shortlink | ✅ | ✅ |
| source | ✅ | ✅ |
| subcategory | ✅ | ✅ |
| technology | ✅ | ✅ |
| vulnerability_class | ✅ | ✅ |
JSON example output
The following snippet is a JSON output example for Semgrep Code. It shows a single entry of the results array with all of its fields; the top-level fields (version, errors, paths, skipped_rules) wrap this array and are not repeated here.

```json
{
  "check_id": "yaml.github-actions.security.run-shell-injection.run-shell-injection",
  "path": "STRING",
  "start": {
    "line": 18,
    "col": 9,
    "offset": 300
  },
  "end": {
    "line": 18,
    "col": 82,
    "offset": 373
  },
  "extra": {
    "metavars": {
      "$SHELL": {
        "start": {
          "line": 18,
          "col": 14,
          "offset": 305
        },
        "end": {
          "line": 18,
          "col": 82,
          "offset": 373
        },
        "abstract_content": "echo \"was the box ticked? ${BOX_TICKED}! (${{ inputs.box_ticked }})\""
      }
    },
    "message": "Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: \"$ENVVAR\".",
    "metadata": {
      "category": "security",
      "cwe": [
        "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
      ],
      "owasp": [
        "A01:2017 - Injection",
        "A03:2021 - Injection"
      ],
      "references": [
        "https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections",
        "https://securitylab.github.com/research/github-actions-untrusted-input/"
      ],
      "technology": [
        "github-actions"
      ],
      "cwe2022-top25": true,
      "cwe2021-top25": true,
      "subcategory": [
        "vuln"
      ],
      "likelihood": "HIGH",
      "impact": "HIGH",
      "confidence": "HIGH",
      "license": "Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license",
      "vulnerability_class": [
        "Command Injection"
      ],
      "source": "https://semgrep.dev/r/yaml.github-actions.security.run-shell-injection.run-shell-injection",
      "shortlink": "https://sg.run/11zk",
      "semgrep.dev": {
        "rule": {
          "origin": "community",
          "r_id": 13162,
          "rule_id": "v8UQj2",
          "rv_id": 1025108,
          "url": "https://semgrep.dev/playground/r/akTViyp/yaml.github-actions.security.run-shell-injection.run-shell-injection",
          "version_id": "akTViyp"
        }
      },
      "dev.semgrep.actions": [
        "comment"
      ],
      "semgrep.policy": {
        "id": 91181987,
        "name": "Rule Board - PR Comments column",
        "slug": "rule-board-pr-comments"
      },
      "semgrep.url": "https://semgrep.dev/r/yaml.github-actions.security.run-shell-injection.run-shell-injection"
    },
    "severity": "ERROR",
    "fingerprint": "...",
    "lines": " - run: echo \"was the box ticked? ${BOX_TICKED}! (${{ inputs.box_ticked }})\"",
    "is_ignored": false,
    "validation_state": "NO_VALIDATOR",
    "engine_kind": "PRO"
  }
}
```
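The tables above matter most when you consume the JSON in CI: fingerprint, lines and is_ignored exist only in Platform output, so a consumer that must also handle Community Edition output needs a fallback identity for a finding and must not assume is_ignored is present. The script below is an added example, not Semgrep's own code. Its sample output is constructed (the rule id is the one from the example above; the second rule id, paths, fingerprints and messages are made up), and the gate policy it applies, fail on ERROR severity, skip findings the Platform marked is_ignored, and fail when the scan reported errors, is a choice of this example rather than something the output format prescribes.

```python
"""Gate a CI job on Semgrep Code JSON output.

Added example, not Semgrep's own code. The policy (fail on ERROR severity,
skip findings the Platform marked is_ignored, fail if the scan reported
errors) is an assumption, not something the output format prescribes.
"""
import json
import re
from typing import Any

CWE_RE = re.compile(r"^(CWE-\d+)")
RULE = "yaml.github-actions.security.run-shell-injection.run-shell-injection"


def _result(check_id: str, path: str, line: int, severity: str, **extra: Any) -> dict:
    """Build one results[] entry in the documented shape (constructed sample data)."""
    return {"check_id": check_id, "path": path,
            "start": {"line": line, "col": 1, "offset": 0},
            "end": {"line": line, "col": 1, "offset": 0},
            "extra": {"message": "constructed message", "metadata": {},
                      "severity": severity, **extra}}


# Constructed sample output, not a real scan.
SAMPLE_OUTPUT = json.dumps({
    "version": "1.122.0", "errors": [], "skipped_rules": [],
    "paths": {"scanned": [".github/workflows/ci.yml", "script.constructed"]},
    "results": [
        # Platform-style: fingerprint, lines and is_ignored are present.
        _result(RULE, ".github/workflows/ci.yml", 18, "ERROR",
                metadata={"cwe": ["CWE-78: Improper Neutralization of Special Elements "
                                  "used in an OS Command ('OS Command Injection')"]},
                fingerprint="fp-constructed-1", lines="  - run: echo \"${{ inputs.x }}\"",
                is_ignored=False, engine_kind="PRO"),
        # The same match seen again (for example, two merged scan outputs).
        _result(RULE, ".github/workflows/ci.yml", 18, "ERROR",
                fingerprint="fp-constructed-1", is_ignored=False, engine_kind="PRO"),
        # Already triaged in the Platform, so is_ignored is true.
        _result(RULE, ".github/workflows/release.yml", 7, "ERROR",
                fingerprint="fp-constructed-2", is_ignored=True, engine_kind="PRO"),
        # Community Edition-style: no fingerprint, lines or is_ignored at all.
        _result("example.constructed.rule", "script.constructed", 3, "WARNING",
                engine_kind="OSS"),
    ],
})


def finding_key(result: dict) -> tuple:
    """Stable identity for a finding.

    Platform output carries extra.fingerprint; Community Edition output does not,
    so fall back to rule id, path, start line and matched text (when present).
    """
    extra = result.get("extra", {})
    if extra.get("fingerprint"):
        return ("fingerprint", extra["fingerprint"])
    return ("fallback", result["check_id"], result["path"],
            result["start"]["line"], extra.get("lines", ""))


def cwe_ids(result: dict) -> list[str]:
    """Reduce metadata.cwe entries such as 'CWE-78: ...' to their identifiers."""
    cwes = result.get("extra", {}).get("metadata", {}).get("cwe", [])
    if isinstance(cwes, str):  # tolerate a single string instead of a list
        cwes = [cwes]
    return [m.group(1) for m in map(CWE_RE.match, cwes) if m]


def triage(raw: str, fail_on: tuple[str, ...] = ("ERROR",)) -> dict:
    """Parse the JSON output and decide whether the job should fail."""
    data = json.loads(raw)
    seen: set[tuple] = set()
    findings = []
    for result in data.get("results", []):
        extra = result.get("extra", {})
        if extra.get("is_ignored", False):  # absent in CE output: treated as not ignored
            continue
        key = finding_key(result)
        if key in seen:
            continue
        seen.add(key)
        findings.append({
            "check_id": result["check_id"],
            "path": result["path"],
            "line": result["start"]["line"],
            "severity": extra.get("severity", "INFO"),
            "cwe": cwe_ids(result),
            "deduped_by": key[0],
        })
    by_severity: dict[str, int] = {}
    for finding in findings:
        by_severity[finding["severity"]] = by_severity.get(finding["severity"], 0) + 1
    scan_errors = len(data.get("errors", []))
    return {
        "findings": findings,
        "by_severity": by_severity,
        "scan_errors": scan_errors,
        # Scan errors mean incomplete coverage, so they fail the gate too (policy choice).
        "should_fail": scan_errors > 0 or any(f["severity"] in fail_on for f in findings),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_OUTPUT), indent=2))
```

Run against a real scan with `semgrep scan --json -o out.json` and pass the file contents to triage(). Of the four constructed results, only two survive: the duplicate collapses onto the first by fingerprint, the is_ignored one is dropped, and the Community Edition-style result is kept under the fallback key.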
SARIF
SARIF top-level fields
| Field | Semgrep CE | Semgrep AppSec Platform |
|---|---|---|
| $schema | ✅ | ✅ |
| runs | See runs object | See runs object |
| version | ✅ | ✅ |

runs object

| Field | Semgrep CE | Semgrep AppSec Platform |
|---|---|---|
| invocations | ✅ | ✅ |
| results | See results object | See results object |
| tool.driver.rules | ✅ | ✅ |
| tool.driver.semanticVersion | ✅ | ✅ |

The rule definitions and the Semgrep version are nested under tool.driver within each run, as the example output shows; each result refers to its rule through ruleId.

results object

| Field | Semgrep CE | Semgrep AppSec Platform |
|---|---|---|
| fingerprints | ❌ | ✅ |
| locations | ✅ | ✅ |
| message | ✅ | ✅ |
| properties | ✅ | ✅ |
| ruleId | ✅ | ✅ |
SARIF example output
The following snippet is a SARIF output example for Semgrep Code. The single result shows the fingerprints, fixes and locations fields; the rule it was produced by is described under tool.driver.rules.

```json
{
  "version": "2.1.0",
  "runs": [
    {
      "invocations": [
        {
          "executionSuccessful": true,
          "toolExecutionNotifications": []
        }
      ],
      "results": [
        {
          "fingerprints": {
            "matchBasedId/v1": "..."
          },
          "fixes": [
            {
              "artifactChanges": [
                {
                  "artifactLocation": {
                    "uri": "Dockerfile"
                  },
                  "replacements": [
                    {
                      "deletedRegion": {
                        "endColumn": 15,
                        "endLine": 39,
                        "startColumn": 1,
                        "startLine": 39
                      },
                      "insertedContent": {
                        "text": "USER non-root\nCMD [\"./main\"]"
                      }
                    }
                  ]
                }
              ],
              "description": {
                "text": "By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.\n Rule-defined fix: Semgrep rule suggested fix"
              }
            }
          ],
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "Dockerfile",
                  "uriBaseId": "%SRCROOT%"
                },
                "region": {
                  "endColumn": 15,
                  "endLine": 39,
                  "snippet": {
                    "text": "CMD [\"./main\"]"
                  },
                  "startColumn": 1,
                  "startLine": 39
                }
              }
            }
          ]
        }
      ],
      "tool": {
        "driver": {
          "name": "Semgrep OSS",
          "rules": [
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'."
              },
              "help": {
                "markdown": "By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.missing-user.missing-user)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
                "text": "By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'."
              },
              "helpUri": "https://semgrep.dev/r/dockerfile.security.missing-user.missing-user",
              "id": "dockerfile.security.missing-user.missing-user",
              "name": "dockerfile.security.missing-user.missing-user",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-250: Execution with Unnecessary Privileges",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A04:2021 - Insecure Design",
                  "rule-board-pr-comments",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: dockerfile.security.missing-user.missing-user"
              }
            }
          ],
          "semanticVersion": "1.122.0"
        }
      }
    }
  ],
  "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json"
}
```
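Two things a SARIF consumer has to do with this output that the JSON format does not require: join each result back to its rule (the level and CWE tags live under tool.driver.rules, not on the result) and, if it wants to apply the rule-defined fix, turn the SARIF region into file offsets. The script below is an added example, not Semgrep's own code. Its SARIF log and Dockerfile are constructed to mirror the shape above, trimmed to the fields it reads, with the region moved to line 3 of a three-line file; it assumes the SARIF region convention of 1-based lines and columns with an exclusive endColumn, which is what the 14-character `CMD ["./main"]` at columns 1 to 15 in the example relies on.

```python
"""Consume Semgrep SARIF output: join results to rule metadata and apply fixes.

Added example, not Semgrep's own code. Assumes SARIF's region convention:
1-based lines and columns, endColumn exclusive.
"""
import re
from typing import Any

CWE_RE = re.compile(r"^(CWE-\d+)")
RULE_ID = "dockerfile.security.missing-user.missing-user"

# Constructed three-line Dockerfile; the SARIF log below points at line 3.
SAMPLE_DOCKERFILE = 'FROM alpine:3.19\nCOPY main /main\nCMD ["./main"]\n'

# Constructed SARIF log in the field shape of the example above, trimmed to
# the fields these functions read.
SAMPLE_SARIF: dict[str, Any] = {
    "version": "2.1.0",
    "runs": [{
        "results": [{
            "ruleId": RULE_ID,
            "fingerprints": {"matchBasedId/v1": "constructed"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "Dockerfile", "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": 3, "startColumn": 1, "endLine": 3, "endColumn": 15},
            }}],
            "fixes": [{"artifactChanges": [{
                "artifactLocation": {"uri": "Dockerfile"},
                "replacements": [{
                    "deletedRegion": {"startLine": 3, "startColumn": 1, "endLine": 3, "endColumn": 15},
                    "insertedContent": {"text": 'USER non-root\nCMD ["./main"]'},
                }],
            }]}],
        }],
        "tool": {"driver": {
            "name": "Semgrep OSS",
            "semanticVersion": "1.122.0",
            "rules": [{
                "id": RULE_ID,
                "defaultConfiguration": {"level": "error"},
                "properties": {"tags": ["CWE-250: Execution with Unnecessary Privileges",
                                        "MEDIUM CONFIDENCE", "security"]},
            }],
        }},
    }],
}


def rule_index(sarif: dict) -> dict[str, dict]:
    """Map rule id -> rule object from every run's tool.driver.rules."""
    return {rule["id"]: rule
            for run in sarif["runs"] for rule in run["tool"]["driver"]["rules"]}


def region_to_span(text: str, region: dict) -> tuple[int, int]:
    """Translate a SARIF region into [start, end) character offsets in text."""
    lines = text.splitlines(keepends=True)

    def offset(line: int, col: int) -> int:
        return sum(len(l) for l in lines[:line - 1]) + (col - 1)

    start = offset(region["startLine"], region.get("startColumn", 1))
    end_line = region.get("endLine", region["startLine"])
    if "endColumn" in region:
        end = offset(end_line, region["endColumn"])
    else:  # no endColumn: the region runs to the end of endLine's content
        end = offset(end_line, 1) + len(lines[end_line - 1].rstrip("\r\n"))
    return start, end


def apply_sarif_fixes(sarif: dict, files: dict[str, str]) -> dict[str, str]:
    """Return {uri: patched text}; files maps each uri to its original text.

    Replacements are located against the original text and spliced from the
    end of the file backwards, so an earlier splice never shifts a later offset.
    """
    per_file: dict[str, list] = {}
    for run in sarif["runs"]:
        for result in run.get("results", []):
            for fix in result.get("fixes", []):
                for change in fix["artifactChanges"]:
                    uri = change["artifactLocation"]["uri"]
                    per_file.setdefault(uri, []).extend(change["replacements"])
    patched = dict(files)
    for uri, replacements in per_file.items():
        text = files[uri]
        spans = [(region_to_span(text, r["deletedRegion"]), r["insertedContent"]["text"])
                 for r in replacements]
        for (start, end), new_text in sorted(spans, reverse=True):
            text = text[:start] + new_text + text[end:]
        patched[uri] = text
    return patched


def summarize(sarif: dict) -> list[dict]:
    """One row per result, with level and CWE tags pulled in from its rule."""
    rules = rule_index(sarif)
    rows = []
    for run in sarif["runs"]:
        for result in run.get("results", []):
            rule = rules.get(result["ruleId"], {})
            tags = rule.get("properties", {}).get("tags", [])
            loc = result["locations"][0]["physicalLocation"]
            rows.append({
                "rule": result["ruleId"],
                "level": rule.get("defaultConfiguration", {}).get("level", "note"),
                "cwe": [m.group(1) for m in map(CWE_RE.match, tags) if m],
                "uri": loc["artifactLocation"]["uri"],
                "line": loc["region"]["startLine"],
                "fingerprint": result.get("fingerprints", {}).get("matchBasedId/v1"),
                "has_fix": bool(result.get("fixes")),
            })
    return rows
```

Applying the fix replaces the last line of the constructed Dockerfile with the two-line insertedContent, exactly as Semgrep's own autofix would. The uri is relative to uriBaseId (%SRCROOT%), so a real consumer resolves it against the repository root before reading the file.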
Semgrep Supply Chain
INFO: You must log in to Semgrep to scan with Semgrep Supply Chain.
JSON
JSON example output
The following snippet is a JSON output example with all the fields for Semgrep Supply Chain.

```json
{
  "version": "1.122.0",
  "results": [
    {
      "check_id": "ssc-parity-0ddf890152a281f12fd6d01c3953da8d88ce2e7b",
      "path": "go.mod",
      "start": {
        "line": 6,
        "col": 1,
        "offset": 0
      },
      "end": {
        "line": 6,
        "col": 1,
        "offset": 0
      },
      "extra": {
        "metavars": {},
        "message": "Affected versions of github.com/gin-gonic/gin are vulnerable to Download of Code Without Integrity Check.",
        "metadata": {
          "confidence": "LOW",
          "category": "security",
          "cve": "CVE-2023-29401",
          "cwe": [
            "CWE-494: Download of Code Without Integrity Check"
          ],
          "ghsa": "GHSA-2c4m-59x9-fr2g",
          "owasp": [
            "A06:2021 - Vulnerable and Outdated Components",
            "A08:2021 - Software and Data Integrity Failures"
          ],
          "publish-date": "2023-05-12T20:19:25Z",
          "references": [
            "https://github.com/advisories/GHSA-2c4m-59x9-fr2g",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-29401"
          ],
          "sca-fix-versions": [
            {
              "github.com/gin-gonic/gin": "1.9.1"
            }
          ],
          "sca-kind": "legacy",
          "sca-schema": 20230302,
          "sca-severity": "MODERATE",
          "sca-vuln-database-identifier": "CVE-2023-29401",
          "technology": [
            "go"
          ],
          "license": "Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license",
          "vulnerability_class": [
            "Cryptographic Issues"
          ],
          "semgrep.dev": {
            "rule": {
              "r_id": 109470,
              "rv_id": 953164,
              "rule_id": "4bURlK3",
              "version_id": "w8TKlRo",
              "url": "https://semgrep.dev/orgs/-/supply-chain/advisories?q=ssc-parity-0ddf890152a281f12fd6d01c3953da8d88ce2e7b",
              "origin": "custom",
              "rule_name": "ssc-parity-0ddf890152a281f12fd6d01c3953da8d88ce2e7b"
            },
            "src": "unchanged"
          },
          "source": "https://semgrep.dev/orgs/-/supply-chain/advisories?q=ssc-parity-0ddf890152a281f12fd6d01c3953da8d88ce2e7b",
          "semgrep.url": "https://semgrep.dev/orgs/-/supply-chain/advisories?q=ssc-parity-0ddf890152a281f12fd6d01c3953da8d88ce2e7b",
          "dev.semgrep.actions": []
        },
        "severity": "WARNING",
        "fingerprint": "...",
        "lines": "\tgithub.com/gin-gonic/gin v1.6.3 // indirect",
        "is_ignored": false,
        "sca_info": {
          "reachability_rule": false,
          "sca_finding_schema": 20220913,
          "dependency_match": {
            "dependency_pattern": {
              "ecosystem": "gomod",
              "package": "github.com/gin-gonic/gin",
              "semver_range": ">=1.3.1-0.20190301021747-ccb9e902956d, <1.9.1"
            },
            "found_dependency": {
              "package": "github.com/gin-gonic/gin",
              "version": "1.6.3",
              "ecosystem": "gomod",
              "allowed_hashes": {},
              "resolved_url": "github.com/gin-gonic/gin",
              "transitivity": "transitive",
              "manifest_path": "go.mod",
              "lockfile_path": "go.mod",
              "line_number": 6
            },
            "lockfile": "go.mod"
          },
          "reachable": false
        },
        "engine_kind": "OSS"
      }
    }
  ],
  "errors": [],
  "paths": {
    "scanned": [
      "go.mod"
    ]
  },
  "interfile_languages_used": [],
  "skipped_rules": []
}
```
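The sca_info object carries the two flags that decide how much a Supply Chain finding matters: reachability_rule says whether a reachability rule exists for the advisory at all, and reachable says what that rule found. In the example above both are false, so the finding is not "unreachable", it is simply unanalysed; the SARIF output below reports the same case as exposure "undetermined". The script below is an added example, not Semgrep's own code. It flattens each result into a triage record, buckets it by exposure and orders each bucket by sca-severity and transitivity. The first sample finding mirrors the example above (same package, version, advisory and fix version); the other two, their package names and advisory identifiers, are constructed, and the bucket names and severity ranking are choices of this example.

```python
"""Triage Semgrep Supply Chain JSON findings by reachability and transitivity.

Added example, not Semgrep's own code. Bucket names and the severity ranking
are our own choices; the field names are those in the sample output above.
"""
import json

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MODERATE": 2, "LOW": 3}


def _sca_result(package, version, manifest, line, transitivity, severity,
                reachability_rule, reachable, fix_version, advisory):
    """One results[] entry in the Supply Chain shape (constructed sample data)."""
    return {
        "check_id": f"ssc-constructed-{line}",
        "path": manifest,
        "start": {"line": line, "col": 1, "offset": 0},
        "end": {"line": line, "col": 1, "offset": 0},
        "extra": {
            "message": f"Affected versions of {package} are vulnerable (constructed).",
            "metadata": {"sca-severity": severity,
                         "sca-fix-versions": [{package: fix_version}],
                         "sca-vuln-database-identifier": advisory},
            "severity": "WARNING",
            "sca_info": {
                "reachability_rule": reachability_rule,
                "reachable": reachable,
                "dependency_match": {
                    "dependency_pattern": {"ecosystem": "gomod", "package": package},
                    "found_dependency": {"package": package, "version": version,
                                         "ecosystem": "gomod", "transitivity": transitivity,
                                         "manifest_path": manifest, "line_number": line},
                    "lockfile": manifest,
                },
            },
        },
    }


SAMPLE_SSC = json.dumps({"version": "1.122.0", "errors": [], "results": [
    # Same shape as the example above: no reachability rule exists for this
    # advisory, so reachable=false means "not analysed", not "safe".
    _sca_result("github.com/gin-gonic/gin", "1.6.3", "go.mod", 6, "transitive",
                "MODERATE", False, False, "1.9.1", "CVE-2023-29401"),
    # Constructed: a reachability rule ran and found the vulnerable code called.
    _sca_result("example.com/constructed/web", "2.0.0", "go.mod", 9, "direct",
                "HIGH", True, True, "2.0.4", "CONSTRUCTED-ADVISORY-1"),
    # Constructed: a reachability rule ran and found no call into the vulnerable code.
    _sca_result("example.com/constructed/util", "0.3.0", "go.mod", 11, "direct",
                "LOW", True, False, "0.3.1", "CONSTRUCTED-ADVISORY-2"),
]})


def sca_findings(raw: str) -> list[dict]:
    """Flatten each Supply Chain result into one triage record."""
    records = []
    for result in json.loads(raw).get("results", []):
        extra = result["extra"]
        info = extra.get("sca_info")
        if info is None:  # a Code finding in mixed output; not a dependency match
            continue
        meta = extra.get("metadata", {})
        dep = info["dependency_match"]["found_dependency"]
        records.append({
            "package": dep["package"],
            "version": dep["version"],
            "manifest": dep.get("manifest_path", result["path"]),
            "line": dep.get("line_number", result["start"]["line"]),
            "transitivity": dep.get("transitivity", "unknown"),
            "severity": meta.get("sca-severity", "LOW"),
            "advisory": meta.get("sca-vuln-database-identifier") or meta.get("cve"),
            "fix_versions": [v for entry in meta.get("sca-fix-versions", [])
                             for pkg, v in entry.items() if pkg == dep["package"]],
            "reachability_rule": info.get("reachability_rule", False),
            "reachable": info.get("reachable", False),
        })
    return records


def exposure(record: dict) -> str:
    """Map the two reachability flags to a bucket.

    reachable only carries meaning when a reachability rule exists; without one
    the finding is undetermined, which is how the SARIF output labels it too.
    """
    if not record["reachability_rule"]:
        return "undetermined"
    return "reachable" if record["reachable"] else "unreachable"


def prioritize(records: list[dict]) -> dict[str, list[dict]]:
    """Bucket by exposure; within a bucket, worst severity first, direct before transitive."""
    buckets: dict[str, list[dict]] = {"reachable": [], "undetermined": [], "unreachable": []}
    for record in records:
        buckets[exposure(record)].append(record)
    for bucket in buckets.values():
        bucket.sort(key=lambda r: (SEVERITY_RANK.get(r["severity"], 9),
                                   r["transitivity"] != "direct", r["package"]))
    return buckets
```

For the gin finding the record carries fix_versions ["1.9.1"] straight from sca-fix-versions, and because the dependency is transitive the bump has to happen in whichever direct dependency pulls it in, not by editing the `// indirect` line.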
SARIF
SARIF example output
The following snippet is a SARIF output example with all the fields for Semgrep Supply Chain.

```json
{
  "version": "2.1.0",
  "runs": [
    {
      "invocations": [
        {
          "executionSuccessful": true,
          "toolExecutionNotifications": []
        }
      ],
      "results": [
        {
          "fingerprints": {
            "matchBasedId/v1": "..."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "go.mod",
                  "uriBaseId": "%SRCROOT%"
                },
                "region": {
                  "endColumn": 1,
                  "endLine": 6,
                  "snippet": {
                    "text": "\tgithub.com/gin-gonic/gin v1.6.3 // indirect"
                  },
                  "startColumn": 1,
                  "startLine": 6
                }
              }
            }
          ],
          "message": {
            "text": "Affected versions of github.com/gin-gonic/gin are vulnerable to Download of Code Without Integrity Check."
          },
          "properties": {
            "exposure": "undetermined"
          },
          "ruleId": "ssc-parity-0ddf890152a281f12fd6d01c3953da8d88ce2e7b"
        }
      ],
      "tool": {
        "driver": {
          "name": "Semgrep OSS",
          "rules": [
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Affected versions of github.com/gin-gonic/gin are vulnerable to Download of Code Without Integrity Check."
              },
              "help": {
                "markdown": "Affected versions of github.com/gin-gonic/gin are vulnerable to Download of Code Without Integrity Check.\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/orgs/-/supply-chain/advisories?q=ssc-parity-0ddf890152a281f12fd6d01c3953da8d88ce2e7b)\n - [https://github.com/advisories/GHSA-2c4m-59x9-fr2g](https://github.com/advisories/GHSA-2c4m-59x9-fr2g)\n - [https://nvd.nist.gov/vuln/detail/CVE-2023-29401](https://nvd.nist.gov/vuln/detail/CVE-2023-29401)\n",
                "text": "Affected versions of github.com/gin-gonic/gin are vulnerable to Download of Code Without Integrity Check."
              },
              "helpUri": "https://semgrep.dev/orgs/-/supply-chain/advisories?q=ssc-parity-0ddf890152a281f12fd6d01c3953da8d88ce2e7b",
              "id": "ssc-parity-0ddf890152a281f12fd6d01c3953da8d88ce2e7b",
              "name": "ssc-parity-0ddf890152a281f12fd6d01c3953da8d88ce2e7b",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-494: Download of Code Without Integrity Check",
                  "LOW CONFIDENCE",
                  "OWASP-A06:2021 - Vulnerable and Outdated Components",
                  "OWASP-A08:2021 - Software and Data Integrity Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ssc-parity-0ddf890152a281f12fd6d01c3953da8d88ce2e7b"
              }
            }
          ],
          "semanticVersion": "1.122.0"
        }
      }
    }
  ],
  "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json"
}
```