tessl/pypi-semgrep
Lightweight static analysis for many languages with programmatic Python API for custom integrations.
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
- Describes
'%3e%3cpath%20d='M3.389%209.069c0-.009.043-.033.029-.044L.029%207.77l3.287-1.197L6.574%207.77l.106.083.005%204-3.297%201.185V9.068ZM13.582%209.32V2.74l3.405%201.238v4.104L13.583%209.32ZM10.253%2014.66l-3.476%201.268v-4.027l3.476-1.313v4.072ZM10.253%2010.558l-3.476%201.239V7.784l3.476-1.268v4.042ZM10.253%2014.719v3.968L6.777%2020v-3.998l3.476-1.283ZM17%208.139v4.042l-3.418%201.239V9.378L17%208.138ZM3.3%2017.168%200%2015.943v-4.027l3.3%201.224v4.028ZM6.69%2011.916v4.027l-3.302%201.225v-4.072l3.301-1.18ZM6.69%203.743v4.012l-3.33-1.21V2.564l3.33%201.18Z'/%3e%3cpath%20d='M3.3%2013.066%200%2011.842V7.844l3.3%201.224v3.998ZM13.524%209.334l-.175.088.175-.014v4.027l-3.152%201.183-.06-.032v-3.983l1.986-.767-.111.006-1.876.657V6.531l3.213-1.224v4.027Zm-.263.133c-.065.008-.198.023-.233.088.065-.008.198-.023.233-.088Zm-.321.118c-.065.008-.198.023-.233.088.065-.009.198-.023.233-.088Zm-.321.118c-.066.008-.199.023-.234.088.065-.008.199-.023.234-.088ZM13.524%201.266v3.968l-3.213%201.195V2.46l3.213-1.194ZM10.253%202.475v3.968L6.777%207.726V3.743l3.476-1.268ZM8.2%204.458c-.304.064-.627.5-.708.79-.27.963.636%201.081%201.091.364.277-.437.354-1.308-.383-1.154ZM13.524%2013.51v3.983l-3.17%201.177c-.011%200-.043-.067-.043-.07v-3.895l3.213-1.195Zm-.884%201.63c-.495.085-1.068%201.015-.676%201.435.483.517%201.502-.636%201.147-1.246-.098-.169-.286-.221-.47-.19ZM10.165%202.387l-.037.065-3.395%201.249-3.345-1.212L6.88%201.21l3.285%201.178ZM13.437%201.177l-.088.073-3.057%201.127-3.034-1.082-.277-.133L10.151%200l3.286%201.177Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h17v20H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/pypi-semgrep@1.135.0index.mddocs/
Semgrep
Semgrep is a fast, open-source static analysis tool that searches code, finds bugs, and enforces secure guardrails and coding standards across 30+ programming languages. It provides semantic code search capabilities that go beyond simple string matching, allowing developers to write rules that look like the code they want to find.
Package Information
- Package Name: semgrep
- Package Type: pypi
- Language: Python
- Installation:
pip install semgrep
Core Imports
import semgrepFor programmatic scanning:
from semgrep.run_scan import run_scan, run_scan_and_return_json
from semgrep.config_resolver import get_config, ConfigFor result processing:
from semgrep.rule_match import RuleMatch, RuleMatches
from semgrep.rule import RuleBasic Usage
from pathlib import Path
from semgrep.run_scan import run_scan_and_return_json
from semgrep.config_resolver import get_config
from semgrep.output import OutputSettings
# Configure a scan with rules
config, errors = get_config(
pattern=None, # Use specific rules instead of pattern
lang=None, # Detect languages automatically
config_strs=["p/security-audit"], # Use predefined ruleset
project_url=None,
no_rewrite_rule_ids=False,
replacement=None
)
if errors:
print(f"Configuration errors: {errors}")
exit(1)
# Write config to temporary file (required by API)
config_path = Path("/tmp/semgrep_config.yml")
# Note: In practice, you would need to serialize the config to YAML
# Run scan and get JSON results
results = run_scan_and_return_json(
config=config_path,
scanning_roots=[Path(".")], # Scan current directory
output_settings=OutputSettings()
)
# Process results
if isinstance(results, dict):
for rule_match in results.get('results', []):
print(f"Rule: {rule_match['check_id']}")
print(f"File: {rule_match['path']}")
print(f"Message: {rule_match['message']}")
print(f"Severity: {rule_match['extra']['severity']}")Architecture
Semgrep's architecture consists of several key components that work together to provide comprehensive static analysis:
- Core Engine: The
semgrep-corebinary (written in OCaml) handles pattern matching and semantic analysis - Python CLI: Provides user interface, configuration management, and result processing
- Rule System: YAML-based rules that define patterns to search for in code
- Target Management: File discovery, filtering, and processing pipeline
- Output Formatters: Multiple output formats for different tools and workflows
- CI/CD Integration: Built-in support for various continuous integration platforms
This design allows semgrep to efficiently analyze large codebases while providing flexible configuration and integration options for different development workflows.
Capabilities
Core Scanning Engine
Main scanning functionality for running semgrep analysis on codebases, including baseline scanning, dependency-aware analysis, and result processing.
def run_scan(target_manager, config, **kwargs): ...
def run_scan_and_return_json(target_manager, config, **kwargs): ...
def baseline_run(baseline_handler, **kwargs): ...Configuration Management
Tools for loading, validating, and managing semgrep configurations from various sources including local files, registries, and cloud platforms.
class Config: ...
class ConfigLoader: ...
def get_config(pattern, lang, configs, **kwargs): ...
def resolve_config(config_strings): ...Rule and Match Processing
Classes and functions for working with semgrep rules and processing scan results, including rule validation and match filtering.
class Rule: ...
class RuleMatch: ...
class RuleMatches: ...
def validate_single_rule(rule_dict): ...Output and Formatting
Comprehensive output formatting system supporting multiple formats including JSON, SARIF, text, and XML for integration with various tools and workflows.
class OutputHandler: ...
class OutputSettings: ...
class JsonFormatter: ...
class SarifFormatter: ...Error Handling System
Exception hierarchy and error management functions for handling various types of errors that can occur during scanning and rule processing.
class SemgrepError(Exception): ...
class SemgrepCoreError(SemgrepError): ...
class InvalidRuleSchemaError(SemgrepError): ...
def select_real_errors(errors): ...CI/CD Integration
Classes and utilities for integrating semgrep into various continuous integration and deployment platforms with automatic metadata detection.
class GitMeta: ...
class GithubMeta(GitMeta): ...
class GitlabMeta(GitMeta): ...
class CircleCIMeta(GitMeta): ...Target Management
File discovery, filtering, and processing system for managing scan targets with support for language detection and exclusion patterns.
class TargetManager: ...
class ScanningRoot: ...
class Target: ...
class FilteredFiles: ...