> ## Documentation Index
> Fetch the complete documentation index at: https://docs.semgrep.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Perform cross-file analysis

> Use Semgrep Code's **cross-file (interfile) analysis** to detect vulnerabilities across files and folders within a project.

By design, Semgrep open source software, Semgrep Community Edition (CE) can only analyze interactions within a single function, also known as **intraprocedural analysis**. This limited scope makes Semgrep CE fast and easy to integrate into developer workflows.

Semgrep Code runs **cross-function (interprocedural)** analysis by default, and gives security teams the option to trade off speed for better results and deeper analysis with **cross-file analysis**. By analyzing interactions across files and functions, Semgrep Code can reduce noise, uncover new vulnerabilities, and make results easier to understand.

<Note>
  **LANGUAGE SUPPORT**

  Refer to [<Icon icon="file-lines" iconType="regular" /> Supported languages](/supported-languages) to see languages supported by Semgrep Code.
</Note>

## Run cross-file analysis

This section guides you through installing the proprietary cross-file (interfile) analysis binary and helps you to scan your projects both in CLI and with Semgrep AppSec Platform.

### Run cross-file analysis with Semgrep AppSec Platform

<Info>
  **PREREQUISITE**

  You have completed a [Semgrep core deployment](/deployment/core-deployment).
</Info>

This is the preferred method to run cross-file analysis. It enables you to view and triage your findings from a centralized location. Your source code is not uploaded.

<Steps>
  <Step>
    Sign in to [<Icon icon="external-link" iconType="solid" /> Semgrep AppSec Platform](https://semgrep.dev/login).
  </Step>

  <Step>
    Go to **[Settings > General > Code](https://semgrep.dev/orgs/-/settings/general/code)**.
  </Step>

  <Step>
    Click the **<Icon icon="toggle-large-on" iconType="solid" /> <Tooltip tip="Also known as interfile analysis. Accounts for information flowing between files, including cross-file taint analysis, constant propagation, and type inference." cta="See full definition." href="/writing-rules/glossary#cross-file-analysis">Cross-file analysis</Tooltip>** toggle to turn on this feature.
  </Step>

  <Step>
    Ensure that you have the **default ruleset** added in your **[Policies page](https://semgrep.dev/orgs/-/policies)**. If this ruleset is **not** added, go to [<Icon icon="external-link" iconType="solid" /> Semgrep Registry - Default ruleset page](https://semgrep.dev/p/default), then click **Add to <Tooltip tip="A policy defines the set of rules that Semgrep runs and the workflow actions it undertakes when a rule from the policy generates a finding. The workflow action can include notifying Slack channels or posting a comment in the pull request or merge request that generated the finding. Not to be confused with policy-as-code." cta="See full definition." href="/semgrep-code/glossary#policy">Policy</Tooltip>**. For best results, set this ruleset to the **Monitor** rule mode.
  </Step>
</Steps>

**Full scans** now include cross-file analysis. You can trigger a full scan through your CI provider. Note that cross-file analysis does **not** currently run on diff-aware (pull request or merge request) scans.

### Run cross-file analysis in the CLI

<Info>
  **PREREQUISITE**

  * Local installation of Semgrep CLI. See [<Icon icon="file-lines" iconType="regular" /> Getting started with Semgrep](/getting-started/quickstart) to install Semgrep CLI.
</Info>

<Steps>
  <Step>
    Sign up or sign in to [<Icon icon="external-link" iconType="solid" /> Semgrep AppSec Platform](https://semgrep.dev/login).
  </Step>

  <Step>
    For first-time users, click **Create an organization**. Note that you can further integrate organizations (orgs) with GitLab accounts and GitHub accounts, including personal and org accounts, after you complete this procedure.
  </Step>

  <Step>
    Go to **[Settings > General > Code](https://semgrep.dev/orgs/-/settings/general/code)**.
  </Step>

  <Step>
    Click the **<Icon icon="toggle-large-on" iconType="solid" /> <Tooltip tip="Also known as interfile analysis. Accounts for information flowing between files, including cross-file taint analysis, constant propagation, and type inference." cta="See full definition." href="/writing-rules/glossary#cross-file-analysis">Cross-file analysis</Tooltip>** toggle to turn on this feature.
  </Step>

  <Step>
    Ensure that you are in the **root directory** of the repository you want to scan.
  </Step>

  <Step>
    In your CLI, log in to your Semgrep AppSec Platform account and run a scan:

    ```bash theme={null}
    semgrep login && semgrep ci
    ```
  </Step>
</Steps>

#### Update cross-file analysis in the CLI

<Tooltip tip="Also known as interfile analysis. Accounts for information flowing between files, including cross-file taint analysis, constant propagation, and type inference." cta="See full definition." href="/writing-rules/glossary#cross-file-analysis">Cross-file analysis</Tooltip> uses a separate `semgrep` binary. To update to the latest version, follow these steps:

<Steps>
  <Step>
    Update your Semgrep CLI tool with the following command:

    <Tabs>
      <Tab title="macOS">
        ```bash theme={null}
            brew upgrade semgrep
        ```

        Alternatively, using pipx ([https://pipx.pypa.io/stable/how-to/install-pipx/](https://pipx.pypa.io/stable/how-to/install-pipx/)) or uv ([https://docs.astral.sh/uv/](https://docs.astral.sh/uv/)):

        ```bash theme={null}
        pipx upgrade semgrep
        # or
        uv tool upgrade semgrep
        ```
      </Tab>

      <Tab title="Linux">
        Using pipx ([https://pipx.pypa.io/stable/how-to/install-pipx/](https://pipx.pypa.io/stable/how-to/install-pipx/)) or uv ([https://docs.astral.sh/uv/](https://docs.astral.sh/uv/)):

        ```bash theme={null}
        pipx upgrade semgrep
        # or
        uv tool upgrade semgrep
        ```
      </Tab>

      <Tab title="Windows">
        ```bash theme={null}
            # ensure that you have Python 3.9 or later installed
            # before proceeding

            pipx upgrade semgrep
            # or
            uv tool upgrade semgrep
        ```
      </Tab>

      <Tab title="Docker">
        ```bash theme={null}
            docker pull semgrep/semgrep:latest
        ```
      </Tab>
    </Tabs>
  </Step>

  <Step>
    Log in to Semgrep AppSec Platform:

    ```bash theme={null}
    semgrep login
    ```
  </Step>

  <Step>
    Update the Semgrep cross-file binary:

    ```bash theme={null}
    semgrep install-semgrep-pro
    ```
  </Step>
</Steps>

### Write rules that analyze across files and functions

To create rules that analyze across files and functions, add `interfile: true` under the `options` key when defining a rule. This key tells Semgrep to use the rule for both cross-function and cross-file analysis.

#### Cross-function example

The following example shows how to define the `interfile` key (see the **Rule** pane) and the resulting cross-function analysis in the **Test code** pane.

<Frame>
  <iframe title="Interfile key example" src="https://semgrep.dev/embed/editor?snippet=lRZ5" width="100%" height="432px" loading="lazy" frameBorder="0" />
</Frame>

Click **<Icon icon="play" iconType="solid" /> Run** to see the true positive in lines 27-30.

Semgrep Code performed cross-function analysis as the `userInput()` source was called in `main()` while the `exec()` sink was called in the `DockerCompose` class.

Interact with the rule widget to compare Semgrep Community Edition (CE) and Semgrep Code. In the **Rule** pane, you can remove the lines:

```yaml theme={null}
options:
  interfile: true
```

This results in a failure to detect the true positive, because Semgrep did not perform cross-function analysis.

## Known limitations of cross-file analysis

### CommonJS

Currently Semgrep's cross-file analysis does not handle specific cases of CommmonJS where you define a function and assign it to an export later. <Tooltip tip="Also known as interfile analysis. Accounts for information flowing between files, including cross-file taint analysis, constant propagation, and type inference." cta="See full definition." href="/writing-rules/glossary#cross-file-analysis">Cross-file analysis</Tooltip> does not track the code below:

```js theme={null}
function get_user() {
    return get_user_input("example")
  }

module.exports = get_user
```

### Regressions in cross-file analysis

<Tooltip tip="Also known as interfile analysis. Accounts for information flowing between files, including cross-file taint analysis, constant propagation, and type inference." cta="See full definition." href="/writing-rules/glossary#cross-file-analysis">Cross-file analysis</Tooltip> resolves names differently than Semgrep CE's analysis. Consequently, rules with `interfile: true` may produce different results than Semgrep CE. Some instances could be regarded as regressions; if you encounter them, please file a bug report. When you need to report a bug in Semgrep's cross-file analysis, go through [Semgrep Support](/support). You can also contact us through [Semgrep Community Slack group](https://go.semgrep.dev/slack).

## Appendix

### Types of Semgrep Code analysis

**Cross-file (interfile) analysis**

* Cross-file analysis finds patterns spanning multiple files within a project to help security engineers deeply understand their organization's security issues. This analysis reduces noise and detects issues that Semgrep CE can't find.
* Cross-file analysis runs on full scans. These scans may take longer to complete and can use more memory than Semgrep CE scans. See the available languages for cross-file analysis in [Supported languages](/supported-languages/#semgrep-pro-engine).
* In Semgrep Code, cross-file analysis includes cross-function analysis as well.

**Cross-function (interprocedural) analysis**

* Cross-function analysis finds patterns within a single file spanning code blocks and functions.
* Semgrep Code scans run cross-function analysis by default.
* See an example of cross-function analysis in [Semgrep Code cross-function example](#pro-engine-cross-function-example).
* See the available languages for cross-function analysis in [<Icon icon="file-text" iconType="solid" /> Supported languages](/supported-languages/#semgrep-pro-engine).

#### Semgrep Code cross-file CI scan issues

To provide reliably completed scans, Semgrep Code can **fall back** from cross-file analysis to single-file analysis. This ensures that in the vast majority of cases, scans run successfully.

By default, if a scan uses more than **5 GB** of memory during cross-file pre-processing, the scan uses single-file analysis to ensure lower memory consumption. Similarly, if a cross-file scan doesn't complete after 3 hours, the analysis times out and Semgrep re-scans the repository using single-file analysis. Typically, this happens because the repository is very large.

If 1-2 repositories cause CI scan issues and scanning these repositories with interfile analysis is not critical, modify your configuration file to use `semgrep ci --pro-intrafile`. This overrides the Semgrep AppSec Platform setting for these repositories, and always runs these scans with single-file, cross-function analysis.

If many repositories cause scan issues, or you have critical repositories you are unable to scan with Semgrep's interfile analysis:

<Steps>
  <Step>
    Disable the <Icon icon="toggle-large-on" iconType="solid" /> **<Tooltip tip="Also known as interfile analysis. Accounts for information flowing between files, including cross-file taint analysis, constant propagation, and type inference." cta="See full definition." href="/writing-rules/glossary#cross-file-analysis">Cross-file analysis</Tooltip>** toggle in the **[Settings > General > Code](https://semgrep.dev/orgs/-/settings/general/code)** page of your organization.
  </Step>

  <Step>
    Review scan troubleshooting guides such as [A Semgrep scan is having a problem - what next?](/kb/semgrep-code/semgrep-scan-troubleshooting) or [Troubleshooting "You are seeing this because the engine was killed."](/kb/semgrep-code/scan-engine-kill)
  </Step>

  <Step>
    If you need additional guidance, [contact Semgrep Support](/support), or reach out to the Semgrep team in the <a href="https://go.semgrep.dev/slack">Semgrep Community Slack</a> so we can help you resolve the issue and create a plan for your organization.
  </Step>
</Steps>

### Difference between cross-file analysis and join mode

<Tooltip tip="Also known as interfile analysis. Accounts for information flowing between files, including cross-file taint analysis, constant propagation, and type inference." cta="See full definition." href="/writing-rules/glossary#cross-file-analysis">Cross-file analysis</Tooltip> is different from [join mode](/writing-rules/experiments/join-mode/overview), which also allows you to perform cross-file analyses by letting you join on the metavariable matches in separate rules. Join mode is an experimental feature which is not actively developed or maintained. You may encounter many issues while using join mode.

### Feedback for Semgrep Code's advanced analyses

The team at Semgrep is excited to hear what's on your mind. As you explore these features, we want to know what you'd like to be able to capture with it. We believe that this deeper analysis helps users find more vulnerabilities, build trust with developers, and enforce code standards quickly. Let us know what you think about the results in the <a href="https://go.semgrep.dev/slack">Semgrep Community Slack</a>.
