⚠️ NOTE: This project is experimental and not actively maintained by r2c ⚠️
semgrep-vscode
A Visual Studio Code extension for Semgrep.
- See Semgrep scan results inline each time you save a file
- Choose which Semgrep rules you run by setting semgrep.rules in Visual Studio Code
Prerequisites
Either pip or homebrew must be installed in order to use this extension.
If you choose to install via brew during setup, you need to take one extra step to let Visual Studio Code find where brew installed semgrep.
For other installation instructions, see the Semgrep README.
Features
Scanning
Scan your code using Semgrep and get inline results and problem highlighting! Nifty!
Automatic Config Detection
This extension will detect any semgrep.yaml files in an open workspace and scan automatically.
Hot Reloading
Made an edit to your Semgrep configuration file? Semgrep will automatically rescan your workspace for you!
Automatic Scanning
Opened a file? Semgrep will scan it right away!
Semgrep App Rules
Have rules configured for your code on the Semgrep App? Log in to scan for them!
Want to understand why a rule has matched? Now there are handy labels of what each metavariable is!
Autofix
Have an autofix rule? Hit a button and fix it instantly in the editor.
Rule Quick Links
Want to go to the definition of a local or app rule? Hover over a match and click the link!
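As an added example (not part of this README or of the Semgrep project's own rules), here is a configuration file that the automatic config detection above would pick up, and that exercises the metavariable labels and the Autofix button. The file name `.semgrep.yml` and the rule id are choices made for this illustration; the rule itself is a standard Semgrep rule shape.

```yaml
# .semgrep.yml  (name chosen to match the autodetect glob **/{semgrep,.semgrep}.{yml,yaml})
# Added example; the rule id is hypothetical.
rules:
  - id: example-pyyaml-unsafe-load
    languages: [python]
    severity: WARNING
    message: >-
      yaml.load($DATA) without a Loader argument can instantiate arbitrary
      Python objects from untrusted input. Use yaml.safe_load($DATA) instead.
    # $DATA is a metavariable. In the editor, each inline match is labelled
    # with the expression that $DATA bound to, which is how you answer
    # "why did this rule match here?".
    # The one-argument form is matched deliberately: that is the call shape
    # that relies on the library's default Loader.
    pattern: yaml.load($DATA)
    # Autofix: the fix button replaces the matched text with this template,
    # with $DATA substituted by the bound expression.
    fix: yaml.safe_load($DATA)
    metadata:
      category: security
```

Saving this file triggers a rescan of the workspace (Hot Reloading), and hovering a match shows the Rule Quick Link back to this definition.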
Commands
All commands can be run through the VSCode command palette.
Semgrep: Login
Log in to the Semgrep App (this will open a new window in your browser) to enable scanning with rules from the App.
Semgrep: Scan
Scan currently focused file according to configured rules.
Semgrep: Scan Workspace
Scan all files in the currently open workspace.
Configuration
You can set the following options by going to Preferences > Settings:
Properties
- semgrep.path
  - Type: string
  - Default: "semgrep"
- semgrep.logging
  - Enable logging for the extension and the LSP server.
  - Type: boolean
  - Default: false
- semgrep.scan.configuration
  - Each item can be a YAML configuration file, a directory of YAML files ending in .yml or .yaml, the URL of a configuration file, or a Semgrep registry entry name. Use "auto" to automatically obtain rules tailored to this project; your project URL will be used to log in to the Semgrep registry.
  - Type: array of string
  - Default: empty
- semgrep.scan.exclude
  - List of files or directories to exclude.
  - Type: array of string
  - Default: empty
- semgrep.scan.include
  - List of files or directories to include.
  - Type: array of string
  - Default: empty
- semgrep.scan.jobs
  - Number of parallel jobs to run.
  - Type: integer
  - Default: 1
- semgrep.scan.disableNoSem
  - Disable no-semgrep comments.
  - Type: boolean
  - Default: false
- semgrep.scan.baselineCommit
  - Baseline commit to scan from.
  - Type: string
- semgrep.scan.severity
  - Severity of rules to scan for.
  - Type: array of string; each item is restricted to "INFO", "WARNING" or "ERROR"
  - Default: ["INFO", "WARNING", "ERROR"]
- semgrep.scan.maxMemory
  - Maximum memory to use in megabytes.
  - Type: integer
  - Default: 0
- semgrep.scan.maxTargetBytes
  - Maximum size of target in bytes to scan.
  - Type: integer
  - Default: 0
- semgrep.scan.timeoutThreshold
  - Maximum time to scan in seconds.
  - Type: integer
  - Default: 0
- semgrep.scan.useGitIgnore
  - Skip files ignored by git.
  - Type: boolean
  - Default: true
- semgrep.lsp.watchOpenFiles
  - Scan all opened files automatically on open and save.
  - Type: boolean
  - Default: true
- semgrep.lsp.watchWorkspace
  - Scan all workspace folders automatically on open and when folders are added or removed.
  - Type: boolean
  - Default: true
- semgrep.lsp.watchConfigs
  - Watch all Semgrep config files for changes and rescan when they are saved.
  - Type: boolean
  - Default: true
- semgrep.lsp.autodetectConfigs
  - Automatically detect configuration files in workspace folders according to the glob pattern **/{semgrep,.semgrep}.{yml,yaml}.
  - Type: boolean
  - Default: true
- semgrep.lsp.ciEnabled
  - When logged in, the LSP will run rules configured on the Semgrep App.
  - Type: boolean
  - Default: true
- semgrep.metrics
  - Enable or disable metrics collection. "auto" will only report metrics when rules are pulled from the registry.
  - Type: string
  - Default: "on"
Support
Please join the Semgrep community Slack workspace for support if you run into problems.