{"passport":{"unfragile":{"@version":"1.0","version":"2026-05","artifact":{"id":"semgrep-cli","slug":"semgrep-cli","name":"Semgrep CLI","type":"cli","url":"https://github.com/semgrep/semgrep","page_url":"https://unfragile.ai/semgrep-cli","categories":["code-review-security"],"tags":[],"pricing":{"model":"free","free":true,"starting_price":null},"status":"active","verified":false},"capabilities":[{"id":"semgrep-cli__cap_0","uri":"capability://code.generation.editing.pattern.based.code.vulnerability.detection.across.30.languages","name":"pattern-based code vulnerability detection across 30+ languages","description":"Semgrep-core (OCaml engine) performs AST-based pattern matching against user-defined or curated rules to identify security vulnerabilities, code anti-patterns, and compliance violations. The engine parses source code into language-specific abstract syntax trees using tree-sitter and custom parsers, then matches patterns expressed in Semgrep's domain-specific language (YAML-based rule syntax) against the AST structure. This approach enables structural matching rather than regex-based detection, reducing false positives and enabling cross-language consistency.","intents":["Find SQL injection, XSS, and authentication bypass vulnerabilities in my codebase","Enforce company-wide code standards and architectural patterns across multiple languages","Detect use of deprecated APIs or insecure cryptographic functions","Identify hardcoded secrets and credential leakage patterns"],"best_for":["Security teams conducting code audits and vulnerability assessments","DevSecOps engineers integrating static analysis into CI/CD pipelines","Individual developers scanning their own code during development"],"limitations":["Community Edition limited to single-function pattern matching; cross-function analysis requires Pro Engine","Pattern matching accuracy depends on rule quality; false positives possible with overly broad patterns","No semantic understanding of business logic; cannot detect logic flaws or authorization bypass without explicit patterns","Performance degrades on very large codebases (>1M LOC) without incremental scanning"],"requires":["Python 3.8+ for CLI","OCaml runtime for semgrep-core engine","Source code in supported language (Python, JavaScript, Go, Java, C#, Ruby, PHP, etc.)","Rule definitions in YAML format or access to Semgrep Registry"],"input_types":["source code files","YAML rule definitions","configuration files (.semgrep.yml)"],"output_types":["JSON findings with file path, line number, rule ID","SARIF format for CI/CD integration","human-readable text output","CSV export"],"categories":["code-generation-editing","security-analysis","static-analysis"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"semgrep-cli__cap_1","uri":"capability://code.generation.editing.dataflow.and.taint.analysis.for.cross.function.vulnerability.chaining","name":"dataflow and taint analysis for cross-function vulnerability chaining","description":"Semgrep's taint analysis engine (available in Pro Engine) tracks data flow across function boundaries to detect vulnerability chains where untrusted input reaches a dangerous sink. The system constructs a dataflow graph by analyzing variable assignments, function parameters, return values, and object field mutations across the codebase. It identifies sources (user input, external data), sinks (SQL queries, command execution, file writes), and sanitizers (validation functions) to determine if tainted data can reach dangerous operations without proper sanitization.","intents":["Detect SQL injection chains where user input flows through multiple functions before reaching a database query","Find command injection vulnerabilities where environment variables or user input reach shell execution","Identify cross-site scripting (XSS) where unsanitized user input reaches DOM manipulation or template rendering","Reduce false positives by confirming that detected patterns are actually reachable from untrusted sources"],"best_for":["Security teams requiring deep vulnerability analysis beyond pattern matching","Organizations using Semgrep AppSec Platform with Pro Engine subscription","Teams building custom rules that need to express data dependency relationships"],"limitations":["Pro Engine feature only; not available in Community Edition","Cross-file analysis limited to explicitly imported modules; dynamic imports not fully supported","Interprocedural analysis can be slow on large codebases; requires careful rule tuning to avoid timeout","Cannot track data flow through external libraries without source code access","Sanitizer detection requires explicit rule definition; no automatic sanitizer recognition"],"requires":["Semgrep Pro Engine (paid subscription)","Full source code access for cross-function analysis","Taint analysis rules written in Semgrep rule syntax with taint-tracking metadata","Python 3.8+ for CLI"],"input_types":["source code files","taint analysis rules (YAML with taint-tracking patterns)","function call graphs (implicit, derived from AST)"],"output_types":["JSON findings with taint flow path (source → intermediate functions → sink)","SARIF format with dataflow location chain","human-readable vulnerability chain explanation"],"categories":["code-generation-editing","planning-reasoning","security-analysis"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"semgrep-cli__cap_10","uri":"capability://code.generation.editing.language.specific.parser.support.with.graceful.error.handling","name":"language-specific parser support with graceful error handling","description":"Semgrep includes language-specific parsers (built on tree-sitter and custom OCaml implementations) for 30+ programming languages. Each parser converts source code into an AST that the pattern matching engine can analyze. The system implements graceful error handling where parse errors in individual files do not stop the scan; instead, errors are logged and scanning continues on other files. This enables Semgrep to scan heterogeneous codebases with mixed languages and syntax variations without failing on unparseable code.","intents":["Scan codebases with multiple programming languages in a single command","Handle syntax variations and edge cases in language implementations","Continue scanning even if some files have syntax errors or are unparseable","Support new language versions as they are released"],"best_for":["Polyglot teams using multiple programming languages","Organizations with legacy code containing syntax variations or non-standard constructs","Teams requiring broad language coverage without language-specific tools"],"limitations":["Parser quality varies by language; some languages have more complete coverage than others","Syntax errors in source files are silently skipped; no detailed error reporting per file","Custom language extensions or DSLs may not parse correctly without custom parser modifications","Parser updates require Semgrep updates; cannot use custom parsers without forking","Performance varies significantly by language; some parsers slower than others"],"requires":["Python 3.8+ for CLI","Source code in supported language (Python, JavaScript, Go, Java, C#, Ruby, PHP, TypeScript, Kotlin, Scala, C, C++, etc.)","Valid or near-valid syntax (graceful error handling helps, but severely malformed code may not parse)"],"input_types":["source code files in supported languages","language detection (automatic based on file extension)"],"output_types":["AST representation (internal, used for pattern matching)","parse errors (logged, do not stop scan)","findings (from pattern matching on successfully parsed files)"],"categories":["code-generation-editing","data-processing-analysis"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"semgrep-cli__cap_11","uri":"capability://tool.use.integration.mcp.model.context.protocol.server.for.ai.assisted.code.analysis","name":"mcp (model context protocol) server for ai-assisted code analysis","description":"Semgrep includes an MCP server implementation that exposes scanning capabilities to AI models and LLM-based tools. The MCP server allows AI assistants to invoke Semgrep scans, retrieve findings, and analyze code patterns programmatically. This enables integration with AI-powered code review tools, automated remediation assistants, and LLM-based security analysis workflows. The server implements standard MCP protocols for tool invocation and result streaming.","intents":["Integrate Semgrep findings into AI-powered code review assistants","Enable LLM-based tools to analyze code patterns and suggest fixes","Automate vulnerability remediation using AI models with Semgrep findings as input","Build custom AI workflows that combine Semgrep analysis with LLM reasoning"],"best_for":["Teams building AI-powered code analysis tools","Organizations integrating Semgrep with LLM-based assistants (Claude, GPT, etc.)","Developers creating custom AI workflows for code review and remediation"],"limitations":["MCP server requires separate process; adds latency compared to direct CLI invocation","MCP protocol has limited streaming capabilities; large finding sets may require pagination","AI models may misinterpret Semgrep findings or suggest incorrect fixes","MCP server does not provide real-time scanning; results are point-in-time snapshots","Requires MCP-compatible client; not all AI tools support MCP protocol"],"requires":["Python 3.8+ for CLI","MCP-compatible client (e.g., Claude, custom LLM integration)","Network connectivity between client and MCP server","Semgrep API token (optional, for organization policies)"],"input_types":["MCP tool invocation requests (scan, get-findings, etc.)","source code path or repository URL","rule configuration"],"output_types":["MCP tool results (findings in JSON format)","streaming results (for large finding sets)","error messages (if scan fails)"],"categories":["tool-use-integration","memory-knowledge"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"semgrep-cli__cap_12","uri":"capability://data.processing.analysis.token.and.position.tracking.for.precise.finding.location.reporting","name":"token and position tracking for precise finding location reporting","description":"Semgrep's OCaml engine tracks token positions and source locations during AST parsing and pattern matching, enabling precise reporting of finding locations (file, line, column, character offset). The system maintains a mapping between AST nodes and their source positions, allowing findings to be reported with exact character ranges. This enables IDE integration, inline code comments, and precise highlighting in web interfaces. The position tracking is implemented at the parser level and maintained through the entire analysis pipeline.","intents":["Display findings with exact line and column numbers for IDE integration","Highlight vulnerable code ranges in web dashboards and code review tools","Generate precise SARIF output with character-level location information","Enable automated code fixes by identifying exact token ranges to modify"],"best_for":["Teams integrating Semgrep with IDEs and code editors","Organizations building web dashboards for finding visualization","Developers implementing automated remediation tools"],"limitations":["Position tracking adds memory overhead; very large files may consume significant memory","Position information depends on accurate parser implementation; custom languages may have inaccurate positions","Minified or obfuscated code may have misleading position information","Position tracking does not account for file encoding issues; UTF-8 assumed"],"requires":["Python 3.8+ for CLI","OCaml engine with position tracking support (built-in)"],"input_types":["source code files","AST nodes with position metadata"],"output_types":["findings with file, line, column, and character offset","SARIF output with precise location ranges","JSON findings with position metadata"],"categories":["data-processing-analysis","tool-use-integration"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"semgrep-cli__cap_2","uri":"capability://code.generation.editing.multi.language.rule.definition.and.custom.rule.authoring","name":"multi-language rule definition and custom rule authoring","description":"Semgrep provides a YAML-based domain-specific language (DSL) for expressing code patterns that work across multiple programming languages. Rules are defined in YAML with pattern syntax that abstracts away language-specific details (e.g., a pattern for 'function call' works identically in Python, JavaScript, and Go). The pysemgrep CLI parses rule files, validates syntax, and passes compiled rules to semgrep-core for matching. Users can write custom rules targeting their codebase, organization standards, or specific vulnerability patterns without modifying the core engine.","intents":["Write custom security rules for vulnerabilities specific to my application architecture","Enforce internal coding standards and architectural patterns across my team's codebase","Create rules for detecting use of deprecated internal APIs or libraries","Share reusable rules across teams via Semgrep Registry or internal rule repositories"],"best_for":["Security engineers building organization-specific rule sets","Platform teams enforcing architectural standards across multiple codebases","Developers prototyping custom analysis rules without OCaml knowledge"],"limitations":["YAML rule syntax has a learning curve; complex patterns require understanding Semgrep's pattern language","Rule performance not guaranteed; poorly written rules can cause timeouts on large files","No built-in rule versioning or dependency management; rules must be manually updated","Limited debugging tools for rule development; requires manual testing against sample code","Cross-language patterns may not capture language-specific idioms or edge cases"],"requires":["YAML syntax knowledge","Understanding of Semgrep pattern syntax (metavariables, pattern operators, etc.)","Sample code files to test rules against","Semgrep CLI installed (Python 3.8+)"],"input_types":["YAML rule files (.yml, .yaml)","pattern expressions (string-based DSL)","sample source code for testing"],"output_types":["compiled rule objects (internal OCaml representation)","rule validation errors (YAML parsing, pattern syntax errors)","test results against sample code"],"categories":["code-generation-editing","data-processing-analysis"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"semgrep-cli__cap_3","uri":"capability://automation.workflow.ci.cd.pipeline.integration.with.policy.enforcement.and.finding.triage","name":"ci/cd pipeline integration with policy enforcement and finding triage","description":"The `semgrep ci` command integrates Semgrep into CI/CD workflows by scanning code, uploading findings to semgrep.dev, comparing against baseline scans, and enforcing organization-wide policies. The Python CLI (pysemgrep) orchestrates the workflow: it authenticates to Semgrep App using API tokens, fetches organization-specific rules and policies, runs the OCaml scanning engine, and reports results. The system can block CI builds based on policy rules (e.g., 'fail if critical vulnerabilities detected'), automatically triage findings based on organization rules, and track finding status across commits.","intents":["Automatically scan every pull request and block merges if critical vulnerabilities are introduced","Track vulnerability remediation status and assign findings to developers","Enforce organization-wide security policies across all repositories","Generate compliance reports showing vulnerability trends and remediation progress"],"best_for":["DevSecOps teams integrating security scanning into CI/CD pipelines","Organizations using Semgrep AppSec Platform for centralized policy management","Teams requiring automated finding triage and developer assignment"],"limitations":["Requires Semgrep App authentication; cannot run in fully offline mode with policy enforcement","Policy evaluation happens server-side; local-only scanning cannot enforce policies","Finding comparison against baseline requires storing previous scan results; no built-in persistence","CI command slower than local scan due to API communication and finding upload overhead (~30-60 seconds additional latency)","Policy rules limited to rule-based filtering; cannot express complex business logic for triage decisions"],"requires":["Semgrep API token (from semgrep.dev account)","CI/CD system integration (GitHub Actions, GitLab CI, Jenkins, CircleCI, etc.)","Network access to semgrep.dev API","Python 3.8+ for CLI","Semgrep AppSec Platform subscription for policy enforcement (optional for basic scanning)"],"input_types":["source code repository","organization API token","policy configuration (fetched from semgrep.dev)","baseline scan results (from previous commits)"],"output_types":["JSON findings with metadata (rule ID, severity, CWE)","exit code indicating pass/fail based on policies","findings uploaded to semgrep.dev for web dashboard","SARIF format for CI/CD tool integration"],"categories":["automation-workflow","tool-use-integration","safety-moderation"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"semgrep-cli__cap_4","uri":"capability://data.processing.analysis.incremental.scanning.with.baseline.comparison.and.delta.reporting","name":"incremental scanning with baseline comparison and delta reporting","description":"Semgrep supports incremental scanning mode where it compares current scan results against a baseline (previous commit or main branch) to report only new or changed findings. The Python CLI manages baseline storage and comparison logic: it fetches the previous scan's JSON output, compares rule matches by file path and line number, and reports only findings that are new, moved, or changed in severity. This reduces noise in CI/CD by surfacing only actionable changes rather than all findings in the codebase.","intents":["Show developers only the new vulnerabilities they introduced in their pull request","Avoid overwhelming CI output with pre-existing findings that are not their responsibility","Track whether a finding has been fixed or moved to a different location in the code","Gradually improve code quality by focusing on new issues while addressing legacy findings separately"],"best_for":["Teams with large legacy codebases containing many pre-existing findings","Pull request workflows where developers should only fix their own introductions","Organizations gradually rolling out Semgrep to existing projects"],"limitations":["Baseline comparison requires storing previous scan results; no built-in persistence (must use external storage or semgrep.dev)","Line number changes (e.g., from code reformatting) can cause false positives in delta detection","Baseline comparison logic is simple (file path + line number matching); cannot handle complex refactoring","Incremental scanning only works for rule-based findings; cannot incrementally analyze dataflow across commits","Requires explicit baseline configuration; default behavior scans entire codebase"],"requires":["Previous scan results in JSON format (from semgrep.dev or local storage)","Git repository with commit history (for baseline identification)","Python 3.8+ for CLI","Semgrep AppSec Platform (optional; can use local baseline files)"],"input_types":["current source code","baseline scan JSON (from previous commit)","git diff information (optional, for identifying changed files)"],"output_types":["delta findings JSON (new, removed, changed findings only)","human-readable diff report showing before/after findings","exit code indicating if new critical findings were introduced"],"categories":["data-processing-analysis","automation-workflow"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"semgrep-cli__cap_5","uri":"capability://safety.moderation.secrets.detection.with.semantic.validation.and.entropy.analysis","name":"secrets detection with semantic validation and entropy analysis","description":"Semgrep includes built-in rules for detecting hardcoded secrets (API keys, passwords, tokens, private keys) using pattern matching combined with entropy analysis and semantic validation. The system matches common secret patterns (e.g., 'aws_access_key_id = ...', 'password: ...') and validates candidates using entropy scoring and format-specific checks (e.g., verifying AWS key format, checking if a string is a valid JWT). This reduces false positives compared to simple regex matching by confirming that detected patterns actually look like valid secrets.","intents":["Prevent accidental commit of API keys, database passwords, and authentication tokens","Detect hardcoded private keys (RSA, SSH, PGP) before they reach the repository","Find credentials in configuration files, environment variable assignments, and test code","Identify secrets in comments and documentation that might be overlooked by developers"],"best_for":["Security teams implementing secrets scanning in pre-commit hooks and CI/CD","Organizations with strict credential management policies","Teams using Semgrep AppSec Platform for supply chain security"],"limitations":["Pattern-based detection cannot find novel or custom secret formats without explicit rules","Entropy analysis can produce false positives on high-entropy non-secrets (e.g., hashes, UUIDs)","Cannot detect secrets in binary files, images, or compressed archives","Semantic validation requires knowledge of secret format; custom formats need custom rules","Does not check if detected secrets are actually valid or currently active (requires external API calls)"],"requires":["Semgrep AppSec Platform subscription for advanced secrets detection (optional; basic patterns available in Community Edition)","Source code files in text format","Python 3.8+ for CLI"],"input_types":["source code files","configuration files (.env, .yaml, .json, etc.)","secrets detection rules (built-in or custom)"],"output_types":["JSON findings with secret type and confidence score","SARIF format with secret location and pattern matched","human-readable report with redacted secret values"],"categories":["safety-moderation","code-generation-editing"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"semgrep-cli__cap_6","uri":"capability://data.processing.analysis.supply.chain.vulnerability.scanning.with.reachability.analysis","name":"supply chain vulnerability scanning with reachability analysis","description":"Semgrep AppSec Platform includes supply chain scanning that detects vulnerable dependencies and determines if the vulnerability is actually reachable from application code. The system scans dependency manifests (package.json, requirements.txt, go.mod, pom.xml, etc.), identifies known vulnerable versions, and uses taint analysis to determine if the vulnerable function is actually called from application code. This reduces alert fatigue by filtering out vulnerabilities in unused dependencies or unreachable code paths.","intents":["Identify vulnerable third-party libraries in my project dependencies","Determine which vulnerabilities actually impact my application (reachability analysis)","Prioritize remediation by focusing on reachable vulnerabilities first","Track dependency updates and verify that patches actually fix the vulnerability"],"best_for":["Organizations using Semgrep AppSec Platform for supply chain security","Teams managing large dependency trees with many transitive dependencies","Security teams requiring precise vulnerability prioritization"],"limitations":["Requires Semgrep Pro Engine and AppSec Platform subscription","Reachability analysis limited to explicitly imported modules; dynamic imports not fully supported","Vulnerability database must be kept up-to-date; requires regular syncs with CVE sources","Cannot detect vulnerabilities in native dependencies or compiled binaries","Reachability analysis can be slow on large codebases with many dependencies"],"requires":["Semgrep AppSec Platform subscription (paid)","Dependency manifest files (package.json, requirements.txt, go.mod, etc.)","Source code for reachability analysis","Network access to semgrep.dev for vulnerability database","Python 3.8+ for CLI"],"input_types":["dependency manifest files","source code (for reachability analysis)","vulnerability database (from semgrep.dev)"],"output_types":["JSON findings with vulnerable package, version, and CVE ID","reachability status (reachable, unreachable, unknown)","remediation guidance (update to version X)","SBOM (Software Bill of Materials) export"],"categories":["data-processing-analysis","safety-moderation","search-retrieval"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"semgrep-cli__cap_7","uri":"capability://tool.use.integration.multi.format.output.and.ci.cd.tool.integration.sarif.json.csv","name":"multi-format output and ci/cd tool integration (sarif, json, csv)","description":"Semgrep outputs findings in multiple formats to integrate with various CI/CD tools and reporting systems. The Python CLI supports JSON (for programmatic processing), SARIF (for GitHub Code Scanning, GitLab SAST, Azure DevOps), CSV (for spreadsheet analysis), and human-readable text. The output formatting layer (in pysemgrep) transforms the OCaml engine's internal finding representation into the requested format, including metadata like rule ID, severity, CWE, and remediation guidance.","intents":["Integrate Semgrep findings into GitHub Code Scanning for inline PR comments","Export findings to JIRA or other issue tracking systems via JSON API","Generate compliance reports in CSV format for auditors and stakeholders","Parse findings programmatically for custom post-processing or filtering"],"best_for":["Teams using multiple CI/CD platforms (GitHub, GitLab, Azure DevOps, Jenkins)","Organizations requiring findings in specific formats for compliance or reporting","Developers building custom integrations on top of Semgrep"],"limitations":["SARIF output limited to features supported by SARIF spec; some Semgrep metadata may not translate","CSV export flattens hierarchical data; complex findings may lose context","Output format selection is CLI-level; cannot mix formats in a single run","Custom output formatting requires post-processing; no templating system built-in"],"requires":["Python 3.8+ for CLI","Semgrep scan completed with findings to export","Target CI/CD tool or reporting system that accepts the chosen format"],"input_types":["internal finding representation (from OCaml engine)","output format flag (--json, --sarif, --csv, --text)"],"output_types":["JSON (structured findings with full metadata)","SARIF (standardized format for code scanning tools)","CSV (tabular format for spreadsheet analysis)","human-readable text (for terminal output)"],"categories":["tool-use-integration","data-processing-analysis"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"semgrep-cli__cap_8","uri":"capability://data.processing.analysis.configuration.resolution.and.rule.discovery.from.multiple.sources","name":"configuration resolution and rule discovery from multiple sources","description":"Semgrep's configuration resolver (pysemgrep) discovers and loads rules from multiple sources: local .semgrep.yml files, Semgrep Registry (curated rules), organization policies (from semgrep.dev), and command-line arguments. The resolver implements a precedence system where local rules override registry rules, and explicit CLI arguments override all defaults. It validates rule syntax, checks for conflicts, and reports errors if rules cannot be loaded. This enables flexible rule management from ad-hoc local testing to organization-wide policy enforcement.","intents":["Load custom rules from my project's .semgrep.yml file for local development","Use curated rules from Semgrep Registry for common vulnerability patterns","Enforce organization-wide security policies fetched from semgrep.dev","Override default rules with custom versions for specific projects"],"best_for":["Teams managing rules across multiple projects and environments","Organizations using Semgrep Registry for baseline security rules","Developers testing custom rules during development"],"limitations":["Rule precedence system can be confusing; unclear which rules are active without verbose output","No built-in rule versioning; cannot pin rules to specific versions across projects","Rule discovery from Semgrep Registry requires network access; offline mode limited to local rules","Configuration validation happens at runtime; syntax errors only detected during scan","No dependency management for rules; circular rule imports or conflicts not detected"],"requires":["Python 3.8+ for CLI",".semgrep.yml file (optional, for local rules)","Network access to semgrep.dev (optional, for Registry and organization policies)","Semgrep API token (optional, for organization policies)"],"input_types":[".semgrep.yml configuration file","Semgrep Registry rule IDs (e.g., 'p/security-audit')","organization policies (from semgrep.dev API)","CLI arguments (--config, --rules)"],"output_types":["resolved rule set (compiled rules ready for scanning)","configuration validation errors","verbose output showing rule sources and precedence"],"categories":["data-processing-analysis","tool-use-integration"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"semgrep-cli__cap_9","uri":"capability://automation.workflow.performance.optimization.with.parallel.scanning.and.caching","name":"performance optimization with parallel scanning and caching","description":"Semgrep optimizes scanning performance through parallel file processing and result caching. The OCaml engine processes multiple files concurrently using worker threads, and the Python CLI implements caching of parse trees and rule compilation results. For large codebases, Semgrep can scan thousands of files in seconds by distributing work across CPU cores. The system also supports incremental scanning where only changed files are re-scanned, further reducing overhead in CI/CD workflows.","intents":["Scan large codebases (>100K files) in reasonable time for CI/CD integration","Reduce scan time in repeated scans by caching parse trees and rule compilation","Parallelize scanning across multiple CPU cores to maximize throughput","Enable fast feedback loops during development by scanning only changed files"],"best_for":["Teams with large codebases requiring fast CI/CD feedback","Organizations running Semgrep on resource-constrained CI/CD runners","Developers using Semgrep in pre-commit hooks requiring sub-second latency"],"limitations":["Parallel scanning adds memory overhead; very large files can cause OOM on resource-constrained systems","Caching assumes file content doesn't change between scans; cache invalidation not automatic","Performance gains from parallelization depend on CPU core count; minimal benefit on single-core systems","Incremental scanning requires tracking file changes; not available in all CI/CD systems","Cache storage requires disk space; no automatic cache cleanup or size limits"],"requires":["Python 3.8+ for CLI","Multi-core CPU for parallel scanning benefits","Sufficient disk space for caching (typically <100MB per project)","File system that supports fast stat() calls (for change detection)"],"input_types":["source code files","cache directory (optional)","file change information (for incremental scanning)"],"output_types":["scan results (same as non-cached scans)","performance metrics (scan time, files processed, cache hit rate)"],"categories":["automation-workflow","data-processing-analysis"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"semgrep-cli__headline","uri":"capability://code.review.security.static.analysis.tool.for.code.security.and.quality","name":"static analysis tool for code security and quality","description":"Semgrep is a lightweight, open-source static analysis tool designed to find bugs, detect security vulnerabilities, and enforce code standards across 30+ programming languages using AI-powered pattern matching.","intents":["best static analysis tool","static analysis for security vulnerabilities","static analysis tool for code quality","open-source code scanning tool","AI-powered code review tool"],"best_for":["developers looking for security audits","teams enforcing coding standards"],"limitations":["may require configuration for specific languages"],"requires":["source code access"],"input_types":["source code"],"output_types":["analysis reports","vulnerability findings"],"categories":["code-review-security"],"confidence":0.5,"matches":0,"success_rate":0}],"trust":{"score":57,"verified":false,"data_access_risk":"high","permissions":["Python 3.8+ for CLI","OCaml runtime for semgrep-core engine","Source code in supported language (Python, JavaScript, Go, Java, C#, Ruby, PHP, etc.)","Rule definitions in YAML format or access to Semgrep Registry","Semgrep Pro Engine (paid subscription)","Full source code access for cross-function analysis","Taint analysis rules written in Semgrep rule syntax with taint-tracking metadata","Source code in supported language (Python, JavaScript, Go, Java, C#, Ruby, PHP, TypeScript, Kotlin, Scala, C, C++, etc.)","Valid or near-valid syntax (graceful error handling helps, but severely malformed code may not parse)","MCP-compatible client (e.g., Claude, custom LLM integration)"],"failure_modes":["Community Edition limited to single-function pattern matching; cross-function analysis requires Pro Engine","Pattern matching accuracy depends on rule quality; false positives possible with overly broad patterns","No semantic understanding of business logic; cannot detect logic flaws or authorization bypass without explicit patterns","Performance degrades on very large codebases (>1M LOC) without incremental scanning","Pro Engine feature only; not available in Community Edition","Cross-file analysis limited to explicitly imported modules; dynamic imports not fully supported","Interprocedural analysis can be slow on large codebases; requires careful rule tuning to avoid timeout","Cannot track data flow through external libraries without source code access","Sanitizer detection requires explicit rule definition; no automatic sanitizer recognition","Parser quality varies by language; some languages have more complete coverage than others","builder identity is not verified yet","no observed match outcomes yet"],"rank_breakdown":{"adoption":0.7,"quality":0.9,"ecosystem":0.39999999999999997,"match_graph":0.25,"freshness":0.52,"weights":{"adoption":0.25,"quality":0.25,"ecosystem":0.1,"match_graph":0.28,"freshness":0.12}},"observed_outcomes":{"matches":0,"success_rate":0,"avg_confidence":0,"top_intents":[],"last_matched_at":null},"maintenance":{"status":"active","updated_at":"2026-06-17T09:51:05.296Z","last_scraped_at":null,"last_commit":null},"community":{"stars":null,"forks":null,"weekly_downloads":null,"model_downloads":null,"model_likes":null}},"distribution":{"claim_url":"https://unfragile.ai/submit?claim=semgrep-cli","compare_url":"https://unfragile.ai/compare?artifact=semgrep-cli"}},"signature":"upcHxG4q1aw/UGFh5YSTdLPV148Hykj5Evs7ZATteswL3rzKprrxawvo6iU/kkk604PCr6m+x4IUrAF5p3OlCQ==","signedAt":"2026-06-20T05:03:14.447Z","signedBy":"unfragile.ai","version":1},"_links":{"self":"https://unfragile.ai/api/v1/passport/semgrep-cli","artifact":"https://unfragile.ai/semgrep-cli","verify":"https://unfragile.ai/api/v1/verify?slug=semgrep-cli","publicKey":"https://unfragile.ai/api/v1/trust-passport-public-key","spec":"https://unfragile.ai/trust","schema":"https://unfragile.ai/schema.json","docs":"https://unfragile.ai/docs"}}