# Generating a Semgrep SAST Report

## **Introduction**

Semgrep is a powerful static analysis tool for identifying security vulnerabilities and enforcing code standards. It can generate reports in **SARIF format**, which is useful for integrating with security tools like **GitHub Advanced Security, Mobb, and other security platforms**.

This guide covers **two approaches**:

1. **Running a basic Semgrep scan using Community Edition (CE)** rules.
2. **Running an advanced scan with Pro Rules** (requires a Semgrep account).

## **Prerequisites**

Before starting, ensure the following:

* **Python 3 installed** on your system
* **macOS**, **Linux**, or **Windows** via Windows Subsystem for Linux (WSL)

## **Running a Basic Semgrep Scan (Community Edition - CE)**

The **CE version** is free and works without a Semgrep account.

#### **Step 1: Install Semgrep**

```bash
pip install semgrep==1.97.0
```

💡 *Use version 1.97.0 to maintain compatibility, as newer versions may change APIs.*

#### **Step 2: Clone Your Target Repository (optional)**

For example:

```bash
git clone https://github.com/WebGoat/WebGoat
cd WebGoat
```

💡 *You can replace `WebGoat` with any other target repository you want to scan.*

#### **Step 3: Run the Scan**

```bash
semgrep scan --config=auto --sarif --output=semgrep-ce-webgoat.sarif --verbose
```

This will generate a **SARIF report (`semgrep-ce-webgoat.sarif`)** in the current directory.

## **Running a Semgrep Scan with Pro Rules**

If you have a **Semgrep AppSec Platform** account, you can use **Pro Rules**, which provide more comprehensive scanning.

#### **Step 1: Create a Semgrep Account**

* Go to [**Semgrep.dev**](https://semgrep.dev/) and sign up.

#### **Step 2: Install Semgrep CLI**

```bash
pip install semgrep
```

#### **Step 3: Login to Semgrep**

```bash
semgrep login
```

🔗 This will open a **browser window** prompting you to authenticate your CLI token.

💡 If running on a headless system (like a CI/CD pipeline), you may need to copy & paste the URL manually into a browser.

#### **Step 4: Clone Your Target Repository (Optional)**

```bash
git clone https://github.com/webgoat/webgoat
cd webgoat
```

#### **Step 5: Run the Scan with Pro Rules**

**Option 1**: Run a Complete Scan (Both **Pro + CE** rules)

```bash
semgrep scan --config=auto --sarif --output=semgrep-prorule-webgoat.sarif --verbose
```

**Option 2**: Run Only **Pro Rules**

```bash
semgrep scan --config=auto --pro --sarif --output=semgrep-prorule-webgoat.sarif --verbose
```

This generates a **SARIF report (`semgrep-prorule-webgoat.sarif`)** with **Pro Rules applied**.
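Whichever scan you ran, the next step is usually to consume the SARIF file rather than read it raw. The script below is an added example, not part of this guide's original steps or Semgrep's own tooling: it parses a SARIF 2.1.0 report (the format both `semgrep-ce-webgoat.sarif` and `semgrep-prorule-webgoat.sarif` are written in), resolves each result's level by falling back to the rule's `defaultConfiguration.level` when the result carries none (as the SARIF spec requires, with `warning` as the final default), and counts findings by level, rule and CWE tag so the report can be triaged or used as a CI gate. The embedded report is a constructed sample in the shape Semgrep writes; its rule ids, file paths and messages are invented, and `sarif_summary.py` is an assumed filename.

```python
"""Summarize a Semgrep SARIF report, e.g. semgrep-ce-webgoat.sarif.

Added example: reads SARIF 2.1.0 and groups findings by level, rule and CWE.
"""
import json
import sys
from collections import Counter
from dataclasses import dataclass, field
from typing import Iterator

# Constructed sample in the SARIF 2.1.0 shape Semgrep emits. Rule ids, paths
# and messages are invented for this example; they are not real scan output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "Semgrep OSS", "semanticVersion": "1.97.0",
            "rules": [
                {"id": "java.lang.security.audit.sqli.example-sqli",
                 "defaultConfiguration": {"level": "error"},
                 "properties": {"tags": ["CWE-89: Improper Neutralization of SQL", "security"]}},
                {"id": "java.lang.security.audit.example-weak-hash",
                 "defaultConfiguration": {"level": "warning"},
                 "properties": {"tags": ["CWE-328: Use of Weak Hash", "security"]}},
            ],
        }},
        "results": [
            {"ruleId": "java.lang.security.audit.sqli.example-sqli", "level": "error",
             "message": {"text": "User input flows into a SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/main/java/Login.java"},
                 "region": {"startLine": 42}}}]},
            # These two carry no per-result "level", so the rule default applies.
            {"ruleId": "java.lang.security.audit.example-weak-hash",
             "message": {"text": "MD5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/main/java/Hash.java"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "java.lang.security.audit.example-weak-hash",
             "message": {"text": "MD5 used for token generation"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/main/java/Token.java"},
                 "region": {"startLine": 9}}}]},
        ],
    }],
})


@dataclass
class Finding:
    rule_id: str
    level: str
    uri: str
    line: int
    message: str
    cwes: list = field(default_factory=list)


def load_sarif_text(text: str) -> dict:
    """Parse SARIF JSON text into a dict."""
    return json.loads(text)


def iter_findings(sarif: dict) -> Iterator[Finding]:
    """Yield one Finding per result location across every run in the report."""
    for run in sarif.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for result in run.get("results", []):
            rule = rules.get(result.get("ruleId"), {})
            # SARIF 2.1.0: result.level overrides the rule's default; "warning" is the spec default.
            level = result.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
            tags = rule.get("properties", {}).get("tags", [])
            cwes = [t.split(":")[0] for t in tags if t.startswith("CWE-")]
            for loc in result.get("locations", []) or [{}]:
                phys = loc.get("physicalLocation", {})
                yield Finding(
                    rule_id=result.get("ruleId", "<unknown-rule>"),
                    level=level,
                    uri=phys.get("artifactLocation", {}).get("uri", "<unknown>"),
                    line=phys.get("region", {}).get("startLine", 0),
                    message=result.get("message", {}).get("text", ""),
                    cwes=cwes,
                )


def summarize(sarif: dict) -> dict:
    """Count findings by level, rule id and CWE tag."""
    findings = list(iter_findings(sarif))
    return {
        "total": len(findings),
        "by_level": dict(Counter(f.level for f in findings)),
        "by_rule": dict(Counter(f.rule_id for f in findings)),
        "by_cwe": dict(Counter(c for f in findings for c in f.cwes)),
    }


def has_blocking_findings(sarif: dict, threshold: str = "error") -> bool:
    """True if any finding is at or above `threshold` (note < warning < error); useful as a CI gate."""
    rank = {"note": 0, "warning": 1, "error": 2}
    return any(rank.get(f.level, 1) >= rank[threshold] for f in iter_findings(sarif))


def main(argv: list) -> int:
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_SARIF
    sarif = load_sarif_text(text)
    for f in sorted(iter_findings(sarif), key=lambda f: (f.uri, f.line)):
        print(f"{f.level:8} {f.uri}:{f.line}  {f.rule_id}  {f.message}")
    print(json.dumps(summarize(sarif), indent=2))
    return 1 if has_blocking_findings(sarif) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python sarif_summary.py semgrep-ce-webgoat.sarif` (or with no argument to use the embedded sample). The non-zero exit when an `error`-level finding is present is what lets a pipeline step fail on the report itself, independent of how Semgrep was invoked.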
