> ## Documentation Index
> Fetch the complete documentation index at: https://docs.semgrep.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Semgrep JSON and SARIF fields

> This reference provides Semgrep fields for JSON and SARIF output.

For fields that are exclusive to Semgrep AppSec Platform, you must [sign in](https://semgrep.dev/login) to generate values for those fields.

## Semgrep Code

### JSON

#### JSON top-level fields

These tables provide a **partial** overview of the fields available to Semgrep Community Edition (CE) and Semgrep AppSec Platform. Refer to the sample schema for all the fields.

| Field                      | Semgrep CE                              | Semgrep AppSec Platform                 |
| :------------------------- | :-------------------------------------- | :-------------------------------------- |
| `errors`                   | ✅                                       | ✅                                       |
| `interfile_languages_used` | ❌                                       | ✅                                       |
| `paths`                    | ✅                                       | ✅                                       |
| `results`                  | See [`results` object](#results-object) | See [`results` object](#results-object) |
| `skipped_rules`            | ✅                                       | ✅                                       |
| `version`                  | ✅                                       | ✅                                       |

#### `results` object

| Field           | Semgrep CE                          | Semgrep AppSec Platform             |
| :-------------- | :---------------------------------- | :---------------------------------- |
| `check_id`      | ✅                                   | ✅                                   |
| `end`           | ✅                                   | ✅                                   |
| `extra`         | See [`extra` object](#extra-object) | See [`extra` object](#extra-object) |
| `skipped_rules` | ✅                                   | ✅                                   |
| `start`         | ✅                                   | ✅                                   |
| `paths`         | ✅                                   | ✅                                   |

#### `extra` object

| Field                                      | Semgrep CE                                | Semgrep AppSec Platform                   |
| :----------------------------------------- | :---------------------------------------- | :---------------------------------------- |
| `engine_kind`                              | ✅                                         | ✅                                         |
| `fingerprint`                              | ❌                                         | ✅                                         |
| `fix`                                      | ✅                                         | ✅                                         |
| `is_ignored`                               | ❌                                         | ✅                                         |
| `lines`<strong>\*</strong>                 | ❌                                         | ✅                                         |
| `message`                                  | ✅                                         | ✅                                         |
| `metadata`                                 | See [`metadata` object](#metadata-object) | See [`metadata` object](#metadata-object) |
| `metavars`                                 | ❌                                         | ✅                                         |
| `severity`                                 | ✅                                         | ✅                                         |
| `validation_state`(for Secrets scans only) | ✅                                         | ✅                                         |

*\*<strong>`lines`</strong> refers to the **text** of the matched lines, not the line numbers themselves. See the [`results` object](#results-object) to view line numbers.*

#### `metadata` object

| Field                 | Semgrep CE | Semgrep AppSec Platform |
| :-------------------- | :--------- | :---------------------- |
| `category`            | ✅          | ✅                       |
| `confidence`          | ✅          | ✅                       |
| `cwe`                 | ✅          | ✅                       |
| `impact`              | ✅          | ✅                       |
| `license`             | ✅          | ✅                       |
| `likelihood`          | ✅          | ✅                       |
| `owasp`               | ✅          | ✅                       |
| `references`          | ✅          | ✅                       |
| `semgrep.dev`         | ❌          | ✅                       |
| `semgrep.policy`      | ❌          | ✅                       |
| `shortlink`           | ✅          | ✅                       |
| `source`              | ✅          | ✅                       |
| `subcategory`         | ✅          | ✅                       |
| `technology`          | ✅          | ✅                       |
| `vulnerability_class` | ✅          | ✅                       |

#### JSON example output

The following snippet is a JSON output example with all the fields for Semgrep Code.

```json expandable theme={null}
{
  "check_id": "yaml.github-actions.security.run-shell-injection.run-shell-injection",
  "path": "STRING",
  "start": 
  {
    "line": 18,
    "col": 9,
    "offset": 300
  },
  "end": {
    "line": 18,
    "col": 82,
    "offset": 373
  },
  "extra": {
    "metavars": {
      "$SHELL": {
        "start": {
          "line": 18,
          "col": 14,
          "offset": 305
        },
        "end": {
          "line": 18,
          "col": 82,
          "offset": 373
        },
        "abstract_content": "echo \"was the box ticked? ${BOX_TICKED}! (${{ inputs.box_ticked }})\""
      }
    },
    "message": "Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: \"$ENVVAR\".",
    "metadata": {
      "category": "security",
      "cwe": [
        "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
      ],
      "owasp": [
        "A01:2017 - Injection",
        "A03:2021 - Injection"
      ],
      "references": [
        "https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections",
        "https://securitylab.github.com/research/github-actions-untrusted-input/"
      ],
      "technology": [
        "github-actions"
      ],
      "cwe2022-top25": true,
      "cwe2021-top25": true,
      "subcategory": [
        "vuln"
      ],
      "likelihood": "HIGH",
      "impact": "HIGH",
      "confidence": "HIGH",
      "license": "Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license",
      "vulnerability_class": [
        "Command Injection"
      ],
      "source": "https://semgrep.dev/r/yaml.github-actions.security.run-shell-injection.run-shell-injection",
      "shortlink": "https://sg.run/11zk",
      "semgrep.dev": {
        "rule": {
          "origin": "community",
          "r_id": 13162,
          "rule_id": "v8UQj2",
          "rv_id": 1025108,
          "url": "https://semgrep.dev/playground/r/akTViyp/yaml.github-actions.security.run-shell-injection.run-shell-injection",
          "version_id": "akTViyp"
        }
      },
      "dev.semgrep.actions": [
        "comment"
      ],
      "semgrep.policy": {
        "id": 91181987,
        "name": "Rule Board - PR Comments column",
        "slug": "rule-board-pr-comments"
      },
      "semgrep.url": "https://semgrep.dev/r/yaml.github-actions.security.run-shell-injection.run-shell-injection"
    },
    "severity": "ERROR",
    "fingerprint": "...",
    "lines": "      - run: echo \"was the box ticked? ${BOX_TICKED}! (${{ inputs.box_ticked }})\"",
    "is_ignored": false,
    "validation_state": "NO_VALIDATOR",
    "engine_kind": "PRO"
  }
}
```

### SARIF

#### SARIF top-level fields

| Field     | Semgrep CE                        | Semgrep AppSec Platform           |
| :-------- | :-------------------------------- | :-------------------------------- |
| `$schema` | ✅                                 | ✅                                 |
| `runs`    | See [`runs` object](#runs-object) | See [`runs` object](#runs-object) |
| `version` | ✅                                 | ✅                                 |

#### `runs` object

| Field             | Semgrep CE                                | Semgrep AppSec Platform                   |
| :---------------- | :---------------------------------------- | :---------------------------------------- |
| `invocations`     | ✅                                         | ✅                                         |
| `results`         | See [`results` object](#results-object-1) | See [`results` object](#results-object-1) |
| `rules`           | ✅                                         | ✅                                         |
| `semanticVersion` | ✅                                         | ✅                                         |

#### `results` object

| Field          | Semgrep CE | Semgrep AppSec Platform |
| :------------- | :--------- | :---------------------- |
| `fingerprints` | ❌          | ✅                       |
| `locations`    | ✅          | ✅                       |
| `message`      | ✅          | ✅                       |
| `properties`   | ✅          | ✅                       |
| `ruleId`       | ✅          | ✅                       |

#### SARIF example output

The following snippet is a SARIF output example with all the fields for Semgrep Code.

```json expandable theme={null}
{
  "version": "2.1.0",
  "runs": [
    {
      "invocations": [
        {
          "executionSuccessful": true,
          "toolExecutionNotifications": []
        }
      ],
      "results": [
        {
          "fingerprints": {
            "matchBasedId/v1": "..."
          },
          "fixes": [
            {
              "artifactChanges": [
                {
                  "artifactLocation": {
                    "uri": "Dockerfile"
                  },
                  "replacements": [
                    {
                      "deletedRegion": {
                        "endColumn": 15,
                        "endLine": 39,
                        "startColumn": 1,
                        "startLine": 39
                      },
                      "insertedContent": {
                        "text": "USER non-root\nCMD [\"./main\"]"
                      }
                    }
                  ]
                }
              ],
              "description": {
                "text": "By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.\n Rule-defined fix: Semgrep rule suggested fix"
              }
            }
          ],
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "Dockerfile",
                  "uriBaseId": "%SRCROOT%"
                },
                "region": {
                  "endColumn": 15,
                  "endLine": 39,
                  "snippet": {
                    "text": "CMD [\"./main\"]"
                  },
                  "startColumn": 1,
                  "startLine": 39
                }
              }
            }
          ],
        }
      ],
      "tool": {
        "driver": {
          "name": "Semgrep OSS",
          "rules": [
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'."
              },
              "help": {
                "markdown": "By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.missing-user.missing-user)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
                "text": "By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'."
              },
              "helpUri": "https://semgrep.dev/r/dockerfile.security.missing-user.missing-user",
              "id": "dockerfile.security.missing-user.missing-user",
              "name": "dockerfile.security.missing-user.missing-user",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-250: Execution with Unnecessary Privileges",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A04:2021 - Insecure Design",
                  "rule-board-pr-comments",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: dockerfile.security.missing-user.missing-user"
              }
            }
          ],
          "semanticVersion": "1.122.0"
        }
      }
    }
  ],
  "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json"
}
```

## Semgrep Supply Chain

<Note>
  **INFO**

  You must log in to Semgrep to scan with Semgrep Supply Chain.
</Note>

### JSON

#### JSON example output

The following snippet is a JSON output example with all the fields for Semgrep Supply Chain.

```json expandable theme={null}
{
  "version": "1.122.0",
  "results": [
    {
      "check_id": "ssc-parity-0ddf890152a281f12fd6d01c3953da8d88ce2e7b",
      "path": "go.mod",
      "start": {
        "line": 6,
        "col": 1,
        "offset": 0
      },
      "end": {
        "line": 6,
        "col": 1,
        "offset": 0
      },
      "extra": {
        "metavars": {},
        "message": "Affected versions of github.com/gin-gonic/gin are vulnerable to Download of Code Without Integrity Check.",
        "metadata": {
          "confidence": "LOW",
          "category": "security",
          "cve": "CVE-2023-29401",
          "cwe": [
            "CWE-494: Download of Code Without Integrity Check"
          ],
          "ghsa": "GHSA-2c4m-59x9-fr2g",
          "owasp": [
            "A06:2021 - Vulnerable and Outdated Components",
            "A08:2021 - Software and Data Integrity Failures"
          ],
          "publish-date": "2023-05-12T20:19:25Z",
          "references": [
            "https://github.com/advisories/GHSA-2c4m-59x9-fr2g",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-29401"
          ],
          "sca-fix-versions": [
            {
              "github.com/gin-gonic/gin": "1.9.1"
            }
          ],
          "sca-kind": "legacy",
          "sca-schema": 20230302,
          "sca-severity": "MODERATE",
          "sca-vuln-database-identifier": "CVE-2023-29401",
          "technology": [
            "go"
          ],
          "license": "Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license",
          "vulnerability_class": [
            "Cryptographic Issues"
          ],
          "semgrep.dev": {
            "rule": {
              "r_id": 109470,
              "rv_id": 953164,
              "rule_id": "4bURlK3",
              "version_id": "w8TKlRo",
              "url": "https://semgrep.dev/orgs/-/supply-chain/advisories?q=ssc-parity-0ddf890152a281f12fd6d01c3953da8d88ce2e7b",
              "origin": "custom",
              "rule_name": "ssc-parity-0ddf890152a281f12fd6d01c3953da8d88ce2e7b"
            },
            "src": "unchanged"
          },
          "source": "https://semgrep.dev/orgs/-/supply-chain/advisories?q=ssc-parity-0ddf890152a281f12fd6d01c3953da8d88ce2e7b",
          "semgrep.url": "https://semgrep.dev/orgs/-/supply-chain/advisories?q=ssc-parity-0ddf890152a281f12fd6d01c3953da8d88ce2e7b",
          "dev.semgrep.actions": []
        },
        "severity": "WARNING",
        "fingerprint": "...",
        "lines": "\tgithub.com/gin-gonic/gin v1.6.3 // indirect",
        "is_ignored": false,
        "sca_info": {
          "reachability_rule": false,
          "sca_finding_schema": 20220913,
          "dependency_match": {
            "dependency_pattern": {
              "ecosystem": "gomod",
              "package": "github.com/gin-gonic/gin",
              "semver_range": ">=1.3.1-0.20190301021747-ccb9e902956d, <1.9.1"
            },
            "found_dependency": {
              "package": "github.com/gin-gonic/gin",
              "version": "1.6.3",
              "ecosystem": "gomod",
              "allowed_hashes": {},
              "resolved_url": "github.com/gin-gonic/gin",
              "transitivity": "transitive",
              "manifest_path": "go.mod",
              "lockfile_path": "go.mod",
              "line_number": 6
            },
            "lockfile": "go.mod"
          },
          "reachable": false
        },
        "engine_kind": "OSS"
      }
    }
  ],
  "errors": [],
  "paths": {
    "scanned": [
      "go.mod"
    ]
  },
  "interfile_languages_used": [],
  "skipped_rules": []
}
```

### SARIF

#### SARIF example output

The following snippet is a SARIF output example with all the fields for Semgrep Supply Chain.

```json expandable theme={null}
{
  "version": "2.1.0",
  "runs": [
    {
      "invocations": [
        {
          "executionSuccessful": true,
          "toolExecutionNotifications": []
        }
      ],
      "results": [
        {
          "fingerprints": {
            "matchBasedId/v1": "..."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "go.mod",
                  "uriBaseId": "%SRCROOT%"
                },
                "region": {
                  "endColumn": 1,
                  "endLine": 6,
                  "snippet": {
                    "text": "\tgithub.com/gin-gonic/gin v1.6.3 // indirect"
                  },
                  "startColumn": 1,
                  "startLine": 6
                }
              }
            }
          ],
          "message": {
            "text": "Affected versions of github.com/gin-gonic/gin are vulnerable to Download of Code Without Integrity Check."
          },
          "properties": {
            "exposure": "undetermined"
          },
          "ruleId": "ssc-parity-0ddf890152a281f12fd6d01c3953da8d88ce2e7b"
        },
      ],
      "tool": {
        "driver": {
          "name": "Semgrep OSS",
          "rules": [
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Affected versions of github.com/gin-gonic/gin are vulnerable to Download of Code Without Integrity Check."
              },
              "help": {
                "markdown": "Affected versions of github.com/gin-gonic/gin are vulnerable to Download of Code Without Integrity Check.\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/orgs/-/supply-chain/advisories?q=ssc-parity-0ddf890152a281f12fd6d01c3953da8d88ce2e7b)\n - [https://github.com/advisories/GHSA-2c4m-59x9-fr2g](https://github.com/advisories/GHSA-2c4m-59x9-fr2g)\n - [https://nvd.nist.gov/vuln/detail/CVE-2023-29401](https://nvd.nist.gov/vuln/detail/CVE-2023-29401)\n",
                "text": "Affected versions of github.com/gin-gonic/gin are vulnerable to Download of Code Without Integrity Check."
              },
              "helpUri": "https://semgrep.dev/orgs/-/supply-chain/advisories?q=ssc-parity-0ddf890152a281f12fd6d01c3953da8d88ce2e7b",
              "id": "ssc-parity-0ddf890152a281f12fd6d01c3953da8d88ce2e7b",
              "name": "ssc-parity-0ddf890152a281f12fd6d01c3953da8d88ce2e7b",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-494: Download of Code Without Integrity Check",
                  "LOW CONFIDENCE",
                  "OWASP-A06:2021 - Vulnerable and Outdated Components",
                  "OWASP-A08:2021 - Software and Data Integrity Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ssc-parity-0ddf890152a281f12fd6d01c3953da8d88ce2e7b"
              }
            },
          ],
          "semanticVersion": "1.122.0"
        }
      }
    }
  ],
  "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json"
}
```
