/pre-commit

Pre-commit hooks to run Semgrep

Primary LanguageShellGNU Lesser General Public License v2.1LGPL-2.1

Semgrep pre-commit

This repository contains several hooks designed to be used with the pre-commit framework. Pre-commit uses git hooks (including, but not only, the eponymous one) to run checks.

See .pre-commit-hooks.yaml for the hooks this repository defines.

semgrep ci

To configure pre-commit to run custom rules and rulesets from the Semgrep AppSec Platform, similar to semgrep ci, we provide the semgrep-ci hook. This can be used by adding the following to your .pre-commit-config.yaml after installing pre-commit:

- repo: https://github.com/semgrep/pre-commit
  rev: 'v1.74.0'
  hooks:
    - id: semgrep-ci

semgrep scan

Likewise, you can configure a hook to run a semgrep scan with the semgrep hook. As an example, the following configuration would scan the files to be committed with a specified config, skipping files with unknown extensions:

- repo: https://github.com/semgrep/pre-commit
  rev: 'v1.74.0'
  hooks:
    - id: semgrep
      # See https://semgrep.dev/explore to select a ruleset and copy its URL
      args: ['--config', '<SEMGREP_RULESET_URL>', '--error', '--skip-unknown-extensions']

Running Pro rules

If you would like to run the pre-commit hook locally while using Semgrep Pro rules:

  1. Log in to your Semgrep account. Running this command launches a browser window, but you can also use the link that's returned in the CLI to proceed:

    $ semgrep login
    
  2. In the Semgrep CLI login, click Activate to proceed.


The code in this repository is licensed under the terms of the LGPL 2.1. For more information about the licensing details of Semgrep itself see our licensing page.