Semgrep is a fast, static analysis tool for finding bugs, detecting vulnerabilities, and enforcing code standards powered by an open-source engine. Semgrep Visual Studio Code extension scans lines when you change or open files, or scans all files in your workspace.

Semgrep VS Code extension communicates with Semgrep command-line interface (CLI) to run scans. Install Semgrep CLI before you can use the VS Code extension. To install Semgrep CLI:

# For macOS
$ brew install semgrep

# For Ubuntu/WSL/Linux/macOS
$ python3 -m pip install semgrep

# To try Semgrep without installation run via Docker
$ docker run --rm -v "${PWD}:/src" returntocorp/semgrep semgrep

1. Install Semgrep extension in Visual Studio Code. For more information, see Install an extension in Visual Studio Code documentation.
2. Sign in: Press Ctrl+⇧Shift+P or ⌘Command+⇧Shift+P (macOS) and sign in to Semgrep Cloud Platform by running the following command:

   Semgrep: Sign in
   

3. Test the extension by pressing Ctrl+⇧Shift+P or ⌘Command+⇧Shift+P (macOS) and run the following command:

   Semgrep: Scan all files in workspace
   

4. Find vulnerability details information, hold the pointer over the code that has the yellow underline. You can also find details in the Problems tab by pressing ⇧Shift+Ctrl+M or ⌘Command+⇧Shift+M (macOS).
   seeing-vuln-details.mp4

Try Autofix.

Add and update new rules to expand Semgrep extension capabilities.

You can fine-tune and customize rules to improve your scan results:

1. Go to Semgrep Registry. Ensure that you are signed in.
2. Explore the Semgrep Registry, select a rule, and then click Add to Policy.
3. Manage rules in the Policies page.
4. Each time you change rule configuration press Ctrl+⇧Shift+P or ⌘Command+⇧Shift+P (macOS) in VS Code, and then run Semgrep: Update rules.

Semgrep supports 30+ languages.

Configure Semgrep VS Code extension in the extension settings. To access the extension settings:

1. Go to Extensions view by pressing ⇧Shift+Ctrl+X or ⇧Shift+⌘Command+X (macOS) on your keyboard.
2. Select Semgrep extension.
3. Click the gear icon, and then select Extension Settings.

The most important configuration options are:

• Semgrep › Metrics: Enabled: Semgrep extension gathers metrics for Semgrep, Inc by default. See Semgrep Privacy Policy for details. To disable this option, clear the Semgrep › Metrics: Enabled checkbox.
• Semgrep › Scan: Only Git Dirty: On by default. Semgrep checks when you open a new file, scans, and then displays findings for lines changed since the last commit.
• Semgrep › Scan: Configuration: Specify rules or rulesets you want Semgrep to use to scan your code. Each item can be a YAML configuration file, a URL of a configuration file, or a directory of YAML files. Use "auto" to automatically obtain rules tailored to your project. Your project URL will be used to log in to the Semgrep Registry. See Running rules in Semgrep documentation for more information. When you change the rule configuration, run Semgrep: Update rules command in Visual Studio Code Command Palette to update the rules configuration for your next scan.
• Semgrep › Scan: Include - List files and directories scanned by Semgrep. This option globally overrides the workspace setting. As a result, Semgrep scans all included paths.
• Semgrep › Scan: Jobs - Specify how many parallel jobs of Semgrep extension can run at the same time. The default number of parallel jobs is 1.

Advanced configuration options:

• Semgrep › Scan: Timeout - After the specified maximum time runs out Semgrep scan times out (stops). Numbers are indicated in seconds. The default value is 30.
• Semgrep > Trace: Server - This option is useful for debugging. The messages option displays communication of the Semgrep Visual Studio Code extension with the LSP server. The default option is verbose.

Run Semgrep extension commands through the Visual Studio Code Command Palette. You can access the Command Palette by pressing Ctrl+⇧Shift+P or ⌘Command+⇧Shift+P (macOS) on your keyboard. See Command Palette documentation. The following list includes all available Semgrep extension commands:

• Semgrep: Sign in: Sign in or log in to the Semgrep Cloud Platform (this command opens a new window in your browser). When you sign in, you can automatically scan with Semgrep Pro rules and add additional rules to the Policies in Semgrep Code. If you are logged in with the command-line interface using semgrep login you are already signed in with the Visual Studio Code Semgrep extension also. Alternatively, you can log in through your command-line interface bu running semgrep login.
• Semgrep: Sign out: Log out from Semgrep Cloud Platform. Alternatively, you can sign out through your command-line interface by running semgrep logout.
• Semgrep: Scan changed files in a workspace: Scan files that have been changed since the last commit in your current workspace.
• Semgrep: Scan all files in a workspace: Scan all files in the current workspace.
• Semgrep: Update rules: For logged-in users. If the rules in the Policies or rules included through the Semgrep › Scan: Configuration configuration option have been changed, this command loads the new configuration of your rules for your next scan.
• Semgrep: Search by pattern: Search for patterns in code using Semgrep pattern syntax. For more information, see Pattern syntax documentation.

Tip: You can also click the Semgrep icon in the Visual Studio Code to quickly access all available commands.

Scan your code using Semgrep to get inline results and problem highlighting.

When you open a file, Semgrep scans it right away.

Sign in to receive better results, new true positive findings and fewer false positives. When you sign in, you can get all the benefits of Semgrep Code and Pro rules.

With Semgrep autofix rules, you can instantly apply their fix in Visual Studio Code.

Want to go to the definition of a local or Semgrep Code rule? Hover over a match and click the link!

If you need our support, join the Semgrep community Slack workspace and tell us about any problems you encountered.