Generating a Semgrep SAST Report

Introduction

Semgrep is a powerful static analysis tool for identifying security vulnerabilities and enforcing code standards. It can generate reports in SARIF format, which is useful for integrating with security tools like GitHub Advanced Security, Mobb, and other security platforms.

This guide covers two approaches:

1. Running a basic Semgrep scan using Community Edition (CE) rules.

2. Running an advanced scan with Pro Rules (requires a Semgrep account).

Prerequisites

Before starting, ensure the following:

• Python 3 installed on your system

• macOS, Linux, or Windows through Subsystem for Linux (WSL)

Running a Basic Semgrep Scan (Community Edition - CE)

The CE version is free and works without a Semgrep account.

Step 1: Install Semgrep

pip install semgrep==1.97.0

💡 Use version 1.97.0 to maintain compatibility as newer versions may change APIs.

Step 2: Clone Your Target Repository (optional)

For example:

💡 You can replace WebGoat with any other target repository you want to scan.

Step 3: Run the Scan

This will generate a SARIF report (semgrep-ce-webgoat.sarif) in the current directory.

Running a Semgrep Scan with Pro Rules

If you have a Semgrep AppSec Platform account, you can use Pro Rules, which provide more comprehensive scanning.

Step 1: Create a Semgrep Account

• Go to Semgrep.dev and sign up.

Step 2: Install Semgrep CLI

Step 3: Login to Semgrep

🔗 This will open a browser window prompting you to authenticate your CLI token.

💡 If running on a headless system (like a CI/CD pipeline), you may need to copy & paste the URL manually into a browser.

Step 4: Clone Your Target Repository (Optional)

Step 5: Run the Scan with Pro Rules

Option 1: Run a Complete Scan (Both Pro + CE rules)

Option 2: Run Only Pro Rules

This generates a SARIF report (semgrep-prorule-webgoat.sarif) with Pro Rules applied.