For rule-writing and SAST (static application security testing) terms, see the Rule-writing glossary.
Default branch
Also known as a mainline, primary, or trunk branch. In many cases, Semgrep automatically detects these branches as primary branches when it first scans your project. If you have projects (repositories) with unique primary branch names, you can set them through the Semgrep web app.
Diff-aware scan
A diff-aware scan is a type of scan that shows only the findings that have been caused by changes in files starting from a specific Git baseline. It is typically performed on feature branches when a pull request or merge request is opened. Unlike full scans, diff-aware scans only consider changes within modified files. At this time, cross-file analysis is not supported for diff-aware scans.
Full scan
A full scan scans the entire codebase or Git repository in its current state. It is typically performed on trunk or mainline branches, such as main. Semgrep, Inc. recommends performing full scans on a recurring basis, such as daily or weekly.
Policy
A policy defines the set of rules that Semgrep runs and the workflow actions it undertakes when a rule from the policy generates a finding. The workflow action performed by Semgrep when it detects a finding can include notifying Slack channels or posting a comment in the pull request or merge request that generated the finding. Not to be confused with policy-as-code.
Registry (Semgrep Registry)
A collection of publicly available SAST rules that you can download. Rules can be filtered by language, OWASP bug class, severity, and so on. Contributions are welcome. Rules are frequently organized by rulesets, enabling you to find related rules by framework and language.
Sources of rules
The Registry contains rules imported from various repositories. These include rules authored by other individuals or groups, such as Trail of Bits and GitLab. You can view a rule’s license key to ensure the license meets your needs.
Ruleset
Rulesets are rules related through a programming language, OWASP category, or framework. Rulesets are curated by the team at Semgrep and updated as new rules are added to the Semgrep Registry.
Scan target
A scan target is any file, or collection of files and directories, that Semgrep can scan. While Semgrep can scan any text file through generic mode, Semgrep primarily scans the following: