# Generating a Semgrep SAST Report

## **Introduction**

Semgrep is a powerful static analysis tool for identifying security vulnerabilities and enforcing code standards. It can generate reports in **SARIF format**, which is useful for integrating with security tools like **GitHub Advanced Security, Mobb, and other security platforms**.

This guide covers **two approaches**:

1. **Running a basic Semgrep scan using Community Edition (CE)** rules.
2. **Running an advanced scan with Pro Rules** (requires a Semgrep account).

## **Prerequisites**

Before starting, ensure the following:

* **Python 3 installed** on your system
* **macOS**, **Linux**, or **Windows** via the Windows Subsystem for Linux (WSL)

## **Running a Basic Semgrep Scan (Community Edition - CE)**

The **CE version** is free and works without a Semgrep account.

#### **Step 1: Install Semgrep**

```bash
pip install semgrep==1.97.0
```

💡 *Pin version 1.97.0 to maintain compatibility, as newer versions may change command-line options or output format.*

#### **Step 2: Clone Your Target Repository (optional)**

For example:

```bash
git clone https://github.com/WebGoat/WebGoat
cd WebGoat
```

💡 *You can replace `WebGoat` with any other target repository you want to scan.*

#### **Step 3: Run the Scan**

```bash
semgrep scan --config=auto --sarif --output=semgrep-ce-webgoat.sarif --verbose
```

This will generate a **SARIF report (`semgrep-ce-webgoat.sarif`)** in the current directory.

## **Running a Semgrep Scan with Pro Rules**

If you have a **Semgrep AppSec Platform** account, you can use **Pro Rules**, which provide more comprehensive scanning.

#### **Step 1: Create a Semgrep Account**

* Go to [**Semgrep.dev**](https://semgrep.dev/) and sign up.

#### **Step 2: Install Semgrep CLI**

```bash
pip install semgrep
```

#### **Step 3: Login to Semgrep**

```bash
semgrep login
```

🔗 This will open a **browser window** prompting you to authenticate your CLI token.

💡 If running on a headless system (such as a CI/CD pipeline), you may need to copy the URL printed by the CLI and paste it into a browser manually.

#### **Step 4: Clone Your Target Repository (Optional)**

```bash
git clone https://github.com/webgoat/webgoat
cd webgoat
```

#### **Step 5: Run the Scan with Pro Rules**

**Option 1**: Run a Complete Scan (Both **Pro + CE** rules)

```bash
semgrep scan --config=auto --sarif --output=semgrep-prorule-webgoat.sarif --verbose
```

**Option 2**: Run Only **Pro Rules**

```bash
semgrep scan --config=auto --pro --sarif --output=semgrep-prorule-webgoat.sarif --verbose
```

This generates a **SARIF report (`semgrep-prorule-webgoat.sarif`)** with **Pro Rules applied**.
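Both the CE scan and the Pro Rules scan above write a SARIF 2.1.0 file. The following is an added example (not from the Mobb docs or from Semgrep) that loads such a report, resolves each result's severity by falling back to the rule's `defaultConfiguration.level` when the result carries no `level` of its own (the SARIF rule, and how Semgrep typically emits it), and counts findings by severity. The inline SARIF fragment is constructed to mirror Semgrep's structure; its rule ids, file paths and messages are made-up values.

```python
"""Summarise a Semgrep SARIF report by severity, rule and location."""
import json
import sys
from collections import Counter

# Constructed sample in the shape Semgrep writes (not real scan output).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Semgrep OSS", "rules": [
            {"id": "java.lang.security.audit.sqli.jdbc-sqli",
             "defaultConfiguration": {"level": "error"}},
            {"id": "java.lang.security.audit.crypto.weak-hash",
             "defaultConfiguration": {"level": "warning"}},
        ]}},
        "results": [
            {"ruleId": "java.lang.security.audit.sqli.jdbc-sqli",
             "message": {"text": "Detected a formatted string in a SQL statement."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/main/java/Lesson.java"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "java.lang.security.audit.crypto.weak-hash",
             "level": "note",  # an explicit result level overrides the rule default
             "message": {"text": "MD5 is a weak hash."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/main/java/Hash.java"},
                 "region": {"startLine": 7}}}]},
        ],
    }],
})


def load_findings(sarif_text: str) -> list:
    """Flatten every result in every run into a dict with a resolved severity."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        # SARIF: a result without "level" inherits its rule's default, else "warning".
        rule_levels = {r["id"]: r.get("defaultConfiguration", {}).get("level", "warning")
                       for r in rules}
        for res in run.get("results", []):
            loc = res.get("locations", [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": res.get("ruleId", "<no rule id>"),
                "level": res.get("level", rule_levels.get(res.get("ruleId"), "warning")),
                "file": loc.get("artifactLocation", {}).get("uri", "<unknown>"),
                "line": loc.get("region", {}).get("startLine"),
                "message": res.get("message", {}).get("text", ""),
            })
    return findings


def count_by_level(findings: list) -> dict:
    """Return {"error": n, "warning": n, "note": n} for the given findings."""
    return dict(Counter(f["level"] for f in findings))


if __name__ == "__main__":
    # Pass a real report path (e.g. semgrep-ce-webgoat.sarif) or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    found = load_findings(text)
    print(count_by_level(found))
    for f in sorted(found, key=lambda f: f["level"]):
        print(f"[{f['level']}] {f['file']}:{f['line']} {f['rule']}: {f['message']}")
```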
