⚠️ NOTE: This project is experimental and not actively maintained by r2c ⚠️

semgrep-vscode

A Visual Studio Code extension for Semgrep.

• See Semgrep scan results inline each time you save a file
• Choose which Semgrep rules you run by setting semgrep.rules in Visual Studio Code

Prerequisites

Either pip or homebrew must be installed in order to use this extension.

If you choose to install via brew during setup, you need to take one extra step to let Visual Studio Code find where brew installed semgrep

For other installation instructions, see the Semgrep README.

Features

Scanning

Scan your code using Semgrep and get inline results and problem highlighting! Nifty!

Automatic Config Detection

This extension will detect any semgrep.yaml files in an open workspace and scan automatically

Hot Reloading

Made an edit to your Semgrep configuration file? Semgrep will automatically rescan your workspace for you!

Automatic Scanning

Opened a file? Semgrep will scan it right away!

Semgrep App Rules

Have rules configured for your code on the Semgrep App? Login to scan for them!

Metavariable Labelling

Want to understand why a rule has matched? Now there are handy labels of what each metavariable is!

Autofix

Have an autofix rule? Hit a button and fix it instantly in the editor.

Rule Quick Links

Want to go to the definition of a local or app rule? Hover over a match and click the link!

Commands

All commands can be run through the VSCode command palette

Semgrep: Login

Login to the Semgrep App (this will open a new window in your browser) to enable scanning with rules from the App.

Semgrep: Scan

Scan currently focused file according to configured rules.

Semgrep: Scan Workspace

Scan all files in the currently open workspace.

Configuration

You can set the following options by going to Preferences > Settings: Properties

• semgrep.path
  • Type: string
  • path: #/properties/semgrep.path
  • Default: "semgrep"
• semgrep.logging
  • Enable logging for the extension and the LSP server.
  • Type: boolean
  • path: #/properties/semgrep.logging
  • Default: false
• semgrep.scan.configuration
  • Each item can be a YAML configuration file, directory of YAML files ending in .yml | .yaml, URL of a configuration file, or Semgrep registry entry name. Use "auto" to automatically obtain rules tailored to this project; your project URL will be used to log in to the Semgrep registry.
  • Type: array
  • path: #/properties/semgrep.scan.configuration
  • Default: ``
    • Items
    • Type: string
    • path: #/properties/semgrep.scan.configuration/items
• semgrep.scan.exclude
  • List of files or directories to exclude.
  • Type: array
  • path: #/properties/semgrep.scan.exclude
  • Default: ``
    • Items
    • Type: string
    • path: #/properties/semgrep.scan.exclude/items
• semgrep.scan.include
  • List of files or directories to include.
  • Type: array
  • path: #/properties/semgrep.scan.include
  • Default: ``
    • Items
    • Type: string
    • path: #/properties/semgrep.scan.include/items
• semgrep.scan.jobs
  • Number of parallel jobs to run.
  • Type: integer
  • path: #/properties/semgrep.scan.jobs
  • Default: 1
• semgrep.scan.disableNoSem
  • Disable no-semgrep comments.
  • Type: boolean
  • path: #/properties/semgrep.scan.disableNoSem
  • Default: false
• semgrep.scan.baselineCommit
  • Baseline commit to scan from
  • Type: string
  • path: #/properties/semgrep.scan.baselineCommit
• semgrep.scan.severity
  • Severity of rules to scan for.
  • Type: array
  • path: #/properties/semgrep.scan.severity
  • Default: INFO,WARNING,ERROR
    • Items
    • Type: string
    • path: #/properties/semgrep.scan.severity/items
    • The value is restricted to the following:
      1. "INFO"
      2. "WARNING"
      3. "ERROR"
• semgrep.scan.maxMemory
  • Maximum memory to use in megabytes.
  • Type: integer
  • path: #/properties/semgrep.scan.maxMemory
  • Default: 0
• semgrep.scan.maxTargetBytes
  • Maximum size of target in bytes to scan.
  • Type: integer
  • path: #/properties/semgrep.scan.maxTargetBytes
  • Default: 0
• semgrep.scan.timeoutThreshold
  • Maximum time to scan in seconds.
  • Type: integer
  • path: #/properties/semgrep.scan.timeoutThreshold
  • Default: 0
• semgrep.scan.useGitIgnore
  • Skip files ignored by git
  • Type: boolean
  • path: #/properties/semgrep.scan.useGitIgnore
  • Default: true
• semgrep.lsp.watchOpenFiles
  • Scan all opened files automatically on open and save.
  • Type: boolean
  • path: #/properties/semgrep.lsp.watchOpenFiles
  • Default: true
• semgrep.lsp.watchWorkspace
  • Scan all workspace folders automatically on open and when folders are added or removed.
  • Type: boolean
  • path: #/properties/semgrep.lsp.watchWorkspace
  • Default: true
• semgrep.lsp.watchConfigs
  • Watch all semgrep config files for changes and rescan when they are saved.
  • Type: boolean
  • path: #/properties/semgrep.lsp.watchConfigs
  • Default: true
• semgrep.lsp.autodetectConfigs
  • Automatically detect configuration files in workspace folders according to the glob pattern **/{semgrep,.semgrep}.{yml,yaml}
  • Type: boolean
  • path: #/properties/semgrep.lsp.autodetectConfigs
  • Default: true
• semgrep.lsp.ciEnabled
  • When logged in, the LSP will runs rules configured on Semgrep App
  • Type: boolean
  • path: #/properties/semgrep.lsp.ciEnabled
  • Default: true
• semgrep.metrics
  • Enable or disable metrics collection. Auto will only report metrics when rules are pulled from the registry
  • Type: string
  • path: #/properties/semgrep.metrics
  • Default: "on"

Support

Please join the Semgrep community Slack workspace for support if you run into problems.