Semgrep is a fast, static analysis tool powered by an open-source engine for finding bugs, detecting vulnerabilities, and enforcing code standards. Semgrep Visual Studio Code extension scans lines when you change or open files or all files in your workspace. It offers:
- Automatic scans whenever you open a file
- Inline results and problem highlighting, as well as quick links to the definitions of the rules underlying the findings
- Autofix, which allows you to apply Semgrep's suggested resolution for the findings
main-vs-code-video.mp4
- Windows users must use Semgrep VS Code extension v1.6.2 or later.
-
Install the Semgrep extension in Visual Studio Code.
-
Use Ctrl+⇧Shift+P or ⌘Command+⇧Shift+P (macOS) to launch the Command Palette, and run the following to sign in to Semgrep Cloud Platform:
Semgrep: Sign in
You can use the extension without signing in, but doing so enables better results since you benefit from Semgrep Code and its Pro rules.
-
Launch the Command Palette using Ctrl+⇧Shift+P or ⌘Command+⇧Shift+P (macOS), and scan your files by running:
Semgrep: Scan all files in workspace
-
To see detailed vulnerability information, hover over the code that's underlined in yellow. You can also see the findings identified by Semgrep using ⇧Shift+Ctrl+M or ⌘Command+⇧Shift+M (macOS) and opening the Problems tab.
seeing-vuln-details.mp4
Try Autofix.
auto-fix-video.mp4
Add and update new rules to expand Semgrep extension capabilities.
updating-rules-video.mp4
Fine-tune and customize the rules Semgrep uses to improve your scan results:
- Go to Semgrep Registry. Ensure that you are signed in.
- Explore the Semgrep Registry. When you find a rule you want to add, click the plus sign to expand the rule. Click Add to Policy, and select your mode. You can view and manage all of your rules in Policies.
- Rescan your code. Use Ctrl+⇧Shift+P or ⌘Command+⇧Shift+P (macOS) to launch the Command Palette, then run
Semgrep: Update rules
.
Semgrep supports 30+ languages, including:
Apex · Bash · C · C++ · C# · Clojure · Dart · Dockerfile · Elixir · HTML · Go · Java · JavaScript · JSX · JSON · Julia · Jsonnet · Kotlin · Lisp · Lua · OCaml · PHP · Python · R · Ruby · Rust · Scala · Scheme · Solidity · Swift · Terraform · TypeScript · TSX · YAML · XML · Generic (ERB, Jinja, etc.)
To configure the Semgrep extension, open its Extension Settings page:
- Use ⇧Shift+Ctrl+X or ⇧Shift+⌘Command+X (macOS) to open the Extensions view.
- Select Semgrep.
- Click the gear and select Extension Settings.
- Semgrep › Do Hover: Enable AST node views when hovering over a finding.
- Semgrep › Path: Set the path to the Semgrep executable.
- Semgrep › Scan: Configuration: Specify rules or rulesets you want Semgrep to use to scan your code. Each item can be a YAML configuration file, a URL of a configuration file, or a directory of YAML files. Use
auto
to automatically obtain rules tailored to your project. Semgrep uses your project URL to log into the Semgrep Registry. See Running rules for more information. RunSemgrep: Update rules
using the Visual Studio Code Command Palette to update the rules configuration for your next scan whenever you change the rule configuration. - Semgrep › Scan: Exclude: List files and directories that Semgrep should ignore when scanning.
- Semgrep › Scan: Include: List files and directories scanned by Semgrep. This option globally overrides the workspace setting. As a result, Semgrep scans all included paths.
- Semgrep › Scan: Jobs: Specify how many parallel jobs can run simultaneously. The default number of parallel jobs is one.
- Semgrep › Scan: Max Memory: Sets the maximum memory in MB to use.
- Semgrep › Scan: Max Target Bytes: Sets the maximum size of the target in bytes to scan.
- Semgrep › Scan: Only Git Dirty: Allow Semgrep to scan your code whenever you open a new file and display the findings for lines that have changed since the last commit. On by default.
- Semgrep › Scan: Pro_intrafile: Enable intrafile scanning using the Pro Engine.
- Semgrep › Scan: Timeout: Set the maximum run time in seconds before Semgrep times out and stops scanning your code. The default value is 30.
- Semgrep › Scan: Timeout Threshold: Set the maximum number of rules that can timeout on a file before the file is skipped. If set to 0, there will be no limit. Defaults to 3.
- Semgrep > Trace: Server: This option is useful for debugging. The messages option displays communication of the Semgrep Visual Studio Code extension with the LSP server. The default option is verbose.
The following experimental features should only be used upon recommendation by Semgrep:
- Semgrep > Use JS: Use the JavaScript version of the extension. Enabled by default for Windows users.
- Semgrep > Heap Size JS: Set the maximum heap size in MB for the JavaScript version of the extension. Increase if the extension crashes while downloading rules.
- Semgrep > Ignore Cli Version: Ignore the CLI Version and enable all extension features.
- Semgrep > Stack Size JS: Set the maximum stack size in KB for the JavaScript version of the extension.
Run Semgrep extension commands through the Visual Studio Code Command Palette. You can access the Command Palette using Ctrl+⇧Shift+P or ⌘Command+⇧Shift+P (macOS). The following list includes all available Semgrep extension commands:
Semgrep: Scan all files in a workspace
: Scan all files in the current workspace.Semgrep Search: Clear
: Clear pattern searches from the Primary Side Bar's Semgrep Search view.Semgrep Search: Focus on Search Results View
: Bring the Primary Side Bar's Semgrep Search view into focusSemgrep Restart Language Server
: Restart the language serverSemgrep: Scan changed files in a workspace
: Scan files that have been changed since the last commit in your current workspace.Semgrep: Search by pattern
: Search for patterns in code using Semgrep pattern syntax. For more information, see Pattern syntax documentation.Semgrep: Show Generic AST
: Show generic AST in a new windowSemgrep: Show named Generic AST
: Show named AST in a new windowSemgrep: Sign in
: Sign in or log in to the Semgrep Cloud Platform (this command opens a new window in your browser). When you sign in, you can automatically scan with Semgrep Pro rules and add additional rules to the Policies in Semgrep Code. If you are logged in with the command-line interface usingsemgrep login
, you are already signed in with the Visual Studio Code Semgrep extension also. Alternatively, you can log in through your command-line interface by runningsemgrep login
.Semgrep: Sign out
: Log out from Semgrep Cloud Platform. Alternatively, you can sign out through your command-line interface by runningsemgrep logout
.Semgrep: Update rules
: For logged-in users. If the rules in the Policies or rules included through the Semgrep › Scan: Configuration configuration option have been changed, this command loads the new configuration of your rules for your next scan.
Tip: You can click the Semgrep icon in the Visual Studio Code to access all available commands quickly.
If you need our support, join the Semgrep community Slack workspace and tell us about any problems you encounter.