Generating a Semgrep SAST Report
Introduction
Semgrep is a powerful static analysis tool for identifying security vulnerabilities and enforcing code standards. It can generate reports in SARIF format, which is useful for integrating with security tools like GitHub Advanced Security, Mobb, and other security platforms.
This guide covers two approaches:
Running a basic Semgrep scan using Community Edition (CE) rules.
Running an advanced scan with Pro Rules (requires a Semgrep account).
Prerequisites
Before starting, ensure the following:
Python 3 installed on your system
macOS, Linux, or Windows via Windows Subsystem for Linux (WSL)
Running a Basic Semgrep Scan (Community Edition - CE)
The CE version is free and works without a Semgrep account.
Step 1: Install Semgrep
💡 Use version 1.97.0 to maintain compatibility, as newer versions may change APIs.
Step 2: Clone Your Target Repository (optional)
For example:
💡 You can replace WebGoat with any other target repository you want to scan.
Step 3: Run the Scan
This will generate a SARIF report (semgrep-ce-webgoat.sarif) in the current directory.
Running a Semgrep Scan with Pro Rules
If you have a Semgrep AppSec Platform account, you can use Pro Rules, which provide more comprehensive scanning.
Step 1: Create a Semgrep Account
Go to Semgrep.dev and sign up.
Step 2: Install Semgrep CLI
Step 3: Log in to Semgrep
🔗 This will open a browser window prompting you to authenticate your CLI token.
💡 If running on a headless system (such as a CI/CD pipeline), you may need to copy and paste the URL manually into a browser.
Step 4: Clone Your Target Repository (Optional)
Step 5: Run the Scan with Pro Rules
Option 1: Run a Complete Scan (Both Pro + CE rules)
Option 2: Run Only Pro Rules
This generates a SARIF report (semgrep-prorule-webgoat.sarif) with Pro Rules applied.