Generating an Opengrep SAST Report

Introduction

Opengrep is an open-source static analysis tool. You can read more about the Opengrep project here.

This guide covers:

1. Running a basic Opengrep scan using default rules.

2. Generating and using a SARIF report.

Prerequisites

Before starting, ensure the following

• Linux, macOS, or Windows

• Internet access to download Opengrep

Installing and Running Opengrep

Step 1: Download Opengrep

Use wget to download the latest release:

wget https://github.com/opengrep/opengrep/releases/download/v1.0.0-alpha.15/opengrep_manylinux_x86 -O opengrep

💡 Replace the version number if a newer release is available on the Opengrep releases page.

Step 2: Make Opengrep Executable

chmod +x opengrep

This step ensures the binary has the necessary permissions to run.

Running an Opengrep Scan

Step 1: Clone Your Target Repository

For example:

git clone https://github.com/WebGoat/WebGoat
cd WebGoat

💡 Replace WebGoat with your actual project repository.

Step 2: Run the Opengrep Scan

./opengrep ci --sarif --sarif-output opengrep_report.sarif --config auto

This will scan the repository and generate a SARIF report (opengrep_report.sarif) in the current directory.