Mobb User Docs
Generating a Semgrep SAST Report

Introduction

Semgrep is a powerful static analysis tool for identifying security vulnerabilities and enforcing code standards. It can generate reports in SARIF format, which is useful for integrating with security tools like GitHub Advanced Security, Mobb, and other security platforms.

This guide covers two approaches:

  1. Running a basic Semgrep scan using Community Edition (CE) rules.

  2. Running an advanced scan with Pro Rules (requires a Semgrep account).

Prerequisites

Before starting, ensure the following:

  • Python 3 installed on your system

  • macOS, Linux, or Windows via the Windows Subsystem for Linux (WSL)

Running a Basic Semgrep Scan (Community Edition - CE)

The CE version is free and works without a Semgrep account.

Step 1: Install Semgrep

pip install semgrep==1.97.0

💡 Pin the version (1.97.0 is the release this guide was written against): newer releases may change CLI flags or report output, and a pinned install is also reproducible across developer machines and CI runs.

Step 2: Clone Your Target Repository (optional)

For example:

git clone https://github.com/WebGoat/WebGoat
cd WebGoat

💡 You can replace WebGoat with any other target repository you want to scan.

Step 3: Run the Scan

semgrep scan --config=auto --sarif --output=semgrep-ce-webgoat.sarif --verbose

This writes a SARIF report (semgrep-ce-webgoat.sarif) to the current directory. Note that --config=auto downloads its rule set from the Semgrep Registry, so the machine needs outbound network access, and Semgrep sends usage metrics whenever rules are pulled from the registry this way.

Running a Semgrep Scan with Pro Rules

If you have a Semgrep AppSec Platform account, you can use Pro Rules, which provide more comprehensive scanning.

Step 1: Create a Semgrep Account

Go to semgrep.dev and sign up.

Step 2: Install Semgrep CLI

pip install semgrep==1.97.0

💡 Pin the same version used for the CE scan above so both reports come from the same CLI release.

Step 3: Login to Semgrep

semgrep login

🔗 This opens a browser window where you approve the CLI; the resulting token is saved locally and reused by later scans.

💡 On a headless system (such as a CI/CD runner) there is no browser to open. You can paste the URL that semgrep login prints into a browser elsewhere to finish the login, but for pipelines the better approach is to skip the interactive login entirely and export SEMGREP_APP_TOKEN with a token created in the Semgrep AppSec Platform, injected from the pipeline's secret store rather than committed to the repository.

Step 4: Clone Your Target Repository (Optional)

git clone https://github.com/WebGoat/WebGoat
cd WebGoat

Step 5: Run the Scan with Pro Rules

Option 1: Run a Complete Scan (CE + Pro rules)

semgrep scan --config=auto --sarif --output=semgrep-prorule-webgoat.sarif --verbose

Once the CLI is logged in, --config=auto fetches the rule set for your account, which includes the Pro rules alongside the CE rules.

Option 2: Run with the Pro Engine

semgrep scan --config=auto --pro --sarif --output=semgrep-prorule-webgoat.sarif --verbose

💡 --pro does not restrict the scan to Pro rules; it switches on the Semgrep Pro Engine, which adds cross-file and cross-function analysis on top of the same rule set, and it also requires a logged-in CLI.

Either option writes the SARIF report to semgrep-prorule-webgoat.sarif.
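The CE and Pro procedures above are the same `semgrep scan` invocation with different login state and flags, and in a pipeline you want to run it without a browser and confirm the report is usable before it reaches Mobb. The following Python helper is an added example, not code from the Mobb docs or from Semgrep: it builds the exact command lines shown on this page, checks for the SEMGREP_APP_TOKEN variable that Semgrep reads in place of an interactive `semgrep login`, and summarizes a SARIF 2.1.0 report by rule and location. The embedded SAMPLE_SARIF, including its rule ids and file paths, is constructed for illustration, and the function names are this example's own.

```python
"""Non-interactive Semgrep scan helper plus a SARIF sanity check.

Added example for this page; not code from Mobb or Semgrep. It only wraps
the `semgrep scan` invocations shown above. SAMPLE_SARIF below is a
constructed, minimal report for illustration, not real scanner output.
"""
import json
import os
import subprocess
from collections import Counter

SEMGREP_VERSION = "1.97.0"  # the release this page pins


def build_scan_command(output_path, pro_engine=False):
    """argv for the scan used on this page.

    --config=auto fetches rules from the Semgrep Registry (needs network);
    --pro enables the Pro Engine and requires a logged-in CLI.
    """
    cmd = ["semgrep", "scan", "--config=auto", "--sarif",
           f"--output={output_path}", "--verbose"]
    if pro_engine:
        cmd.insert(3, "--pro")
    return cmd


def headless_login_ok(env):
    """`semgrep login` needs a browser. On a CI runner, Semgrep instead
    reads the token from the SEMGREP_APP_TOKEN environment variable, so
    that variable (fed from the pipeline's secret store) must be present."""
    return bool(env.get("SEMGREP_APP_TOKEN", "").strip())


def summarize_sarif(sarif_text):
    """Return (tool name, finding count, Counter of rule ids) for a SARIF
    2.1.0 report, or raise if the document is not SARIF 2.1.0.

    Run this before handing the file to Mobb: an empty results list most
    often means the rules did not match the repository's languages, not
    that the code is clean.
    """
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0" or "runs" not in doc:
        raise ValueError("not a SARIF 2.1.0 document")
    tool = doc["runs"][0]["tool"]["driver"]["name"]
    results = [r for run in doc["runs"] for r in run.get("results", [])]
    return tool, len(results), Counter(r["ruleId"] for r in results)


def list_findings(sarif_text):
    """(ruleId, file, startLine) for every result, sorted by file and line."""
    doc = json.loads(sarif_text)
    out = []
    for run in doc["runs"]:
        for r in run.get("results", []):
            phys = r["locations"][0]["physicalLocation"]
            out.append((r["ruleId"], phys["artifactLocation"]["uri"],
                        phys["region"]["startLine"]))
    return sorted(out, key=lambda t: (t[1], t[2]))


def run_scan(output_path, pro_engine=False, env=None):
    """Run the scan and summarize the report it wrote. Semgrep exits 0 on
    success even when findings exist (unless --error is given), so a
    non-zero exit is a tooling failure and is raised here."""
    env = dict(os.environ if env is None else env)
    if pro_engine and not headless_login_ok(env):
        raise RuntimeError("SEMGREP_APP_TOKEN unset: Pro scans need a login")
    subprocess.run(build_scan_command(output_path, pro_engine),
                   check=True, env=env)
    with open(output_path, encoding="utf-8") as fh:
        return summarize_sarif(fh.read())


# Constructed sample: paths and rule ids are illustrative only.
def _result(rule_id, uri, line, text):
    return {"ruleId": rule_id, "level": "error", "message": {"text": text},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": uri},
                "region": {"startLine": line, "startColumn": 5}}}]}


SAMPLE_SARIF = json.dumps({
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "semgrep",
                            "semanticVersion": SEMGREP_VERSION}},
        "results": [
            _result("java.lang.security.audit.sqli.jdbc-sqli",
                    "src/main/java/lessons/SqlInjectionLesson5a.java", 60,
                    "Detected a formatted string in a SQL statement."),
            _result("java.lang.security.audit.sqli.jdbc-sqli",
                    "src/main/java/lessons/SqlInjectionLesson8.java", 44,
                    "Detected a formatted string in a SQL statement."),
            _result("java.lang.security.audit.xss.no-direct-response-writer",
                    "src/main/java/lessons/CrossSiteScriptingLesson5a.java", 52,
                    "Detected a request parameter written to the response."),
        ],
    }],
})

if __name__ == "__main__":
    tool, count, by_rule = summarize_sarif(SAMPLE_SARIF)
    print(f"{tool}: {count} findings across {len(by_rule)} rules")
    for rule_id, uri, line in list_findings(SAMPLE_SARIF):
        print(f"  {uri}:{line}  {rule_id}")
```

Running the module directly prints the summary of the constructed sample; from inside a cloned repository, `run_scan("semgrep-ce-webgoat.sarif")` performs the CE scan from this page and `run_scan("semgrep-prorule-webgoat.sarif", pro_engine=True)` the Pro Engine scan, refusing to start the latter when SEMGREP_APP_TOKEN is missing rather than hanging on a login prompt.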
