semgrep-scan

--proInter-file analysis and Pro languages (currently Apex, C#, and Elixir. Requires Semgrep Pro Engine. See https://semgrep.dev/products/pro-engine/ for more.

--vimOutput results in vim single-line format.

--jobsNumber of subprocesses to use to run checks in parallel. Defaults to the number of cores detected on the system (1 if using --pro).

--jsonOutput results in Semgrep's JSON format.

--langParse pattern and all files in specified language. Must be used with -e/--pattern.

--testRun test suite.

--textOutput results in text format.

--timeInclude a timing summary with the results. If output format is json, provides times for each pair (rule, target). This feature is meant for internal use and may be changed or removed without warning. At the current moment, --trace is better supported.

--debugAll of --verbose, but with additional debugging information.

--emacsOutput results in Emacs single-line format.

--errorExit 1 if there are findings. Useful for CI and scripts.

--quietOnly output findings.

--sarifOutput results in SARIF format.

--traceRecord traces from Semgrep scans to help debugging. This feature is meant for internal use and may be changed or removed without warning.

--configYAML configuration file, directory of YAML files ending in .yml|.yaml, URL of a configuration file, or Semgrep registry entry name. Use --config auto to automatically obtain rules tailored to this project; your project URL will be used to log in to the Semgrep registry. To run multiple rule files simultaneously, use --config before every YAML, URL, or Semgrep registry entry name. For example `semgrep --config p/python --config myrules/myrule.yaml` See https://semgrep.dev/docs/writing-rules/rule-syntax for information on configuration file format.

--dryrunIf --dryrun, does not write autofixes to a file. This will print the changes to the console. This lets you see the changes before you commit to them. Only works with the --autofix flag. Otherwise does nothing.

--legacyPrefer old (legacy) behavior.

--remoteRemote will quickly checkout and scan a remote git repository of the format http[s]://<WEBSITE>/.../<REPO>.git. Must be run with --pro Incompatible with --project-root. Note this requires an empty CWD as this command will clone the repository into the CWD. REQUIRES --experimental

--strictReturn a nonzero exit code when WARN level errors are encountered. Fails early if invalid configuration files are present. Defaults to --no-strict.

--autofixApply autofix patches. WARNING: data loss can occur with this flag. Make sure your files are stored in a version control system. Note that this mode is experimental and not guaranteed to function properly.

--developLiving on the edge.

--excludeSkip any file or directory whose path that matches PATTERN. '--exclude=*.py' will ignore the following: 'foo.py', 'src/foo.py', 'foo.py/bar.sh'. '--exclude=tests' will ignore 'tests/foo.py' as well as 'a/b/tests/c/foo.py'. Multiple '--exclude' options may be specified. PATTERN is a glob-style pattern that uses the same syntax as gitignore and semgrepignore, which is documented at https://git-scm.com/docs/gitignore#_pattern_format

--includeSpecify files or directories that should be scanned by semgrep, excluding other files. This filter is applied after these other filters: '--exclude' options, any filtering done by git (or other SCM), and filtering by '.semgrepignore' files. Multiple '--include' options can be specified. A file path is selected if it matches at least one of the include patterns. PATTERN is a glob-style pattern such as 'foo.*' that must match the path. For example, specifying the language with '-l javascript' might preselect files 'src/foo.jsx' and 'lib/bar.js'. Specifying one of '--include=src', '--include=*.jsx', or '--include=src/foo.*' will restrict the selection to the single file 'src/foo.jsx'. A choice of multiple '--include' patterns can be specified. For example, '--include=foo.* --include=bar.*' will select both 'src/foo.jsx' and 'lib/bar.js'. Glob-style patterns follow the syntax supported by gitignore and semgrepignore, which is documented at https://git-scm.com/docs/gitignore#_pattern_format

--metricsConfigures how usage metrics are sent to the Semgrep server. If 'auto', metrics are sent whenever the --config value pulls from the Semgrep server. If 'on', metrics are always sent. If 'off', metrics are disabled altogether and not sent. If absent, the SEMGREP_SEND_METRICS environment variable value will be used. If no environment variable, defaults to 'auto'.

--no-timenegates --time

--patternCode search pattern. See https://semgrep.dev/docs/writing-rules/pattern-syntax for information on pattern features.

--profile<undocumented>

--secretsRun Semgrep Secrets product, including support for secret validation. Requires access to Secrets, contact support@semgrep.com for more information.

--timeoutMaximum time to spend running a rule on a single file in seconds. If set to 0 will not have time limit. Defaults to 5.0 s.

--verboseShow more details about what rules are running, which files failed to parse, etc.

--dump-astIf --dump-ast, shows AST of the input file or passed expression and then exit (can use --json).

--no-errornegates --error

--no-tracenegates --trace

--oss-onlyRun using only the OSS engine, even if the Semgrep Pro toggle is on. This may still run Pro rules, but only using the OSS features.

--severityReport findings only from rules matching the supplied severity level. By default all applicable rules are run. Can add multiple times. Each should be one of INFO, WARNING, or ERROR.

--validateValidate configuration file(s). This will check YAML files for errors and run 'p/semgrep-rule-lints' on the YAML files. No search is performed.

--junit-xmlOutput results in JUnit XML format.

--no-dryrunnegates --dryrun

--no-strictnegates --strict

--diff-depthThe depth of the Pro (interfile) differential scan, the number of steps (both in the caller and callee sides) from the targets in the call graph tracked by the deep preprocessor. Only applied in differential scan mode. Default to 2.

--max-memoryMaximum system memory in MiB to use during the interfile pre-processing phase, or when running a rule on a single file. If set to 0, will not have memory limit. Defaults to 0. For CI scans that use the Pro Engine, defaults to 5000 MiB.

--no-autofixnegates -a/--autofix

--configYAML configuration file, directory of YAML files ending in .yml|.yaml, URL of a configuration file, or Semgrep registry entry name. Use --config auto to automatically obtain rules tailored to this project; your project URL will be used to log in to the Semgrep registry. To run multiple rule files simultaneously, use --config before every YAML, URL, or Semgrep registry entry name. For example `semgrep --config p/python --config myrules/myrule.yaml` See https://semgrep.dev/docs/writing-rules/rule-syntax for information on configuration file format.

--force-colorAlways include ANSI color in the output, even if not writing to a TTY; defaults to using the TTY status

--gitlab-sastOutput results in GitLab SAST format.

--replacementAn autofix expression that will be applied to any matches found with --pattern. Only valid with a command-line specified pattern.

--enable-nosemEnables 'nosem'. Findings will not be reported on lines containing a 'nosem' comment at the end. Enabled by default.

--exclude-ruleSkip any rule with the given id. Can add multiple times.

--experimentalEnable experimental features.

--project-rootThe project root for gitignore and semgrepignore purposes is detected automatically from the presence of a .git/ directory in the current directory or one of its parents. If not found, the current directory is used as the project root. This option forces a specific directory to be the project root. This is useful for testing or for restoring compatibility with older semgrep implementations that only looked for a .semgrepignore file in the current directory. REQUIRES --experimental

--configYAML configuration file, directory of YAML files ending in .yml|.yaml, URL of a configuration file, or Semgrep registry entry name. Use --config auto to automatically obtain rules tailored to this project; your project URL will be used to log in to the Semgrep registry. To run multiple rule files simultaneously, use --config before every YAML, URL, or Semgrep registry entry name. For example `semgrep --config p/python --config myrules/myrule.yaml` See https://semgrep.dev/docs/writing-rules/rule-syntax for information on configuration file format.

--disable-nosemnegates --enable-nosem

--no-git-ignorenegates --use-git-ignore

--optimizationsTurn on/off optimizations. Default = 'all'. Use 'none' to turn all optimizations off.

--pro-intrafileIntra-file inter-procedural taint analysis. Implies --pro-languages. Requires Semgrep Pro Engine. See https://semgrep.dev/products/pro-engine/ for more.

--pro-languagesEnable Pro languages (currently Apex, C#, and Elixir). Requires Semgrep Pro Engine. See https://semgrep.dev/products/pro-engine/ for more.

Source code folder

--gitlab-secretsOutput results in GitLab Secrets format.

--no-force-colornegates --force-color

--trace-endpointEndpoint to send OpenTelemetry traces to, if `--trace` is present. The value may be `semgrep-prod` (default), `semgrep-dev`, `semgrep-local`, or any valid URL. This feature is meant for internal use and may be changed or removed wihtout warning.

--use-git-ignoreSkip files ignored by git. Scanning starts from the root folder specified on the Semgrep command line. Normally, if the scanning root is within a git repository, only the tracked files and the new files would be scanned. Git submodules and git- ignored files would normally be skipped. --no-git-ignore will disable git-aware filtering. Setting this flag does nothing if the scanning root is not in a git repository.

--baseline-commitOnly show results that are not found in this commit hash. Aborts run if not currently in a git directory, there are unstaged changes, or given baseline hash doesn't exist.

--dataflow-tracesExplain how non-local values reach the location of a finding (only affects text and SARIF output).

--max-target-bytesMaximum size for a file to be scanned by Semgrep, e.g '1.5MB'. Any input program larger than this will be ignored. A zero or negative value disables this filter. Defaults to 1000000 bytes

--rewrite-rule-idsRewrite rule ids when they appear in nested sub-directories (Rule 'foo' in test/rules.yaml will be renamed 'test.foo').

--test-ignore-todoIf --test-ignore-todo, ignores rules marked as '#todoruleid:' in test files.

--interfile-timeoutMaximum time to spend on interfile analysis. If set to 0 will not have time limit. Defaults to 0 s for all CLI scans. For CI scans, it defaults to 3 hours.

--timeout-thresholdMaximum number of rules that can time out on a file before the file is skipped. If set to 0 will not have limit. Defaults to 3.

--files-with-matchesOutput only the names of files containing matches. REQUIRES --experimental

--historical-secretsScans git history using Secrets rules.

--incremental-outputOutput results incrementally. REQUIRES --experimental

--max-chars-per-lineMaximum number of characters to show per line.

--pro-path-sensitivePath sensitivity. Implies --pro-intrafile. Requires Semgrep Pro Engine. See https://semgrep.dev/products/pro-engine/ for more.

--use-osemgrep-sarifOutput results using osemgrep.

--no-rewrite-rule-idsnegates --rewrite-rule-ids

--no-test-ignore-todonegates --test-ignore-todo

--enable-version-checkChecks Semgrep servers to see if the latest version is run; disabling this may reduce exit time after returning results.

--max-log-list-entriesMaximum number of entries that will be shown in the log (e.g., list of rule ids, list of skipped files). A zero or negative value disables this filter. Defaults to 100

--disable-version-checknegates --enable-version-check

--matching-explanationsAdd debugging information in the JSON output to trace how different parts of a rule are matched (a.k.a., Inspect Rule in the Semgrep playground)

--max-lines-per-findingMaximum number of lines of code that will be shown for each match before trimming (set to 0 for unlimited).

--no-secrets-validationDisables secret validation.

--exclude-minified-filesSkip minified files. These are files that are > 7% whitespace, or who have a large number of bytes per line. By defualt minified files are scanned

--scan-unknown-extensionsIf true, target files specified directly on the command line will bypass normal language detection. They will be analyzed according to the value of --lang if applicable, or otherwise with the analyzers/languages specified in the Semgrep rule(s) regardless of file extension or file type. This setting doesn't apply to target files discovered by scanning folders. Defaults to false.

--skip-unknown-extensionsnegates --scan-unknown-extensions

--show-supported-languagesPrint a list of languages that are currently supported by Semgrep.

--no-exclude-minified-filesnegates --exclude-minified-files

--allow-untrusted-validatorsAllows running rules with validators from origins other than semgrep.dev. Avoid running rules from origins you don't trust.

--allow-dynamic-dependency-resolutionExperimental: allow resolving dependencies dynamically by communicating with package managers during the scan.