Version: 2.23 (prerelease)

semgrep


Lightweight static analysis for many languages. Find bug variants with patterns that look like source code. (https://semgrep.dev/)

Pants automatically finds config files (.semgrep.yml, .semgrep.yaml, and .yml or .yaml files within .semgrep/ directories), and runs semgrep against all targets known to Pants.

This version of Pants uses semgrep version 1.72.0 by default. Use a dedicated lockfile and the install_from_resolve option to control this.

Backend: pants.backend.experimental.tools.semgrep

Config section: [semgrep]

Basic options

args

--semgrep-args="[<shell_str>, <shell_str>, ...]"
PANTS_SEMGREP_ARGS
pants.toml
[semgrep]
args = [
<shell_str>,
<shell_str>,
...,
]
default:
[
  "--quiet"
]

Arguments to pass directly to Semgrep, e.g. --semgrep-args='--verbose'.

This includes --quiet by default to reduce the volume of output.

config_name

--semgrep-config-name=<str>
PANTS_SEMGREP_CONFIG_NAME
pants.toml
[semgrep]
config_name = <str>
default: None

The name of the semgrep config file or directory, which will be discovered and used hierarchically. If using a file, it must have the extension .yaml or .yml.

URLs and registry names are not supported.

skip

--[no-]semgrep-skip
PANTS_SEMGREP_SKIP
pants.toml
[semgrep]
skip = <bool>
default: False

If true, don't use Semgrep when running pants lint.

Advanced options

console_script

--semgrep-console-script=<str>
PANTS_SEMGREP_CONSOLE_SCRIPT
pants.toml
[semgrep]
console_script = <str>
default: semgrep

The console script for the tool. Using this option is generally preferable to (and mutually exclusive with) specifying an --entry-point since console script names have a higher expectation of staying stable across releases of the tool. Usually, you will not want to change this from the default.

entry_point

--semgrep-entry-point=<str>
PANTS_SEMGREP_ENTRY_POINT
pants.toml
[semgrep]
entry_point = <str>
default: None

The entry point for the tool. Generally you only want to use this option if the tool does not offer a --console-script (which this option is mutually exclusive with). Usually, you will not want to change this from the default.

force

--[no-]semgrep-force
PANTS_SEMGREP_FORCE
pants.toml
[semgrep]
force = <bool>
default: False

If true, semgrep is always run, even if the input files haven't changed. This can be used to run cloud rulesets, e.g. pants lint --semgrep-force --semgrep-args='--config=p/python' ::. Without --semgrep-force, cloud rulesets may give inconsistent results on different machines: Pants caches results keyed on the input files, but the remote rulesets themselves can change between runs.

install_from_resolve

--semgrep-install-from-resolve=<str>
PANTS_SEMGREP_INSTALL_FROM_RESOLVE
pants.toml
[semgrep]
install_from_resolve = <str>
default: None

If specified, install the tool using the lockfile for this named resolve.

This resolve must be defined in [python].resolves, as described in https://www.pantsbuild.org/2.23/docs/python/overview/lockfiles#lockfiles-for-tools.

The resolve's entire lockfile will be installed, unless specific requirements are listed via the requirements option, in which case only those requirements will be installed. This is useful if you don't want to invalidate the tool's outputs whenever unrelated requirements in the resolve change.

If unspecified, and the lockfile option is unset, the tool will be installed using the default lockfile shipped with Pants, which uses semgrep version 1.72.0.

If unspecified, and the lockfile option is set, the tool will use the custom semgrep "tool lockfile" generated from the version and extra_requirements options. But note that this mechanism is deprecated.

interpreter_constraints

--semgrep-interpreter-constraints="['<str>', '<str>', ...]"
PANTS_SEMGREP_INTERPRETER_CONSTRAINTS
pants.toml
[semgrep]
interpreter_constraints = [
'<str>',
'<str>',
...,
]
default:
[
  "CPython>=3.8,<4"
]

Python interpreter constraints for this tool.

requirements

--semgrep-requirements="['<str>', '<str>', ...]"
PANTS_SEMGREP_REQUIREMENTS
pants.toml
[semgrep]
requirements = [
'<str>',
'<str>',
...,
]
default: []

If install_from_resolve is specified, install these requirements, at the versions provided by the specified resolve's lockfile.

Values can be pip-style requirements (e.g., tool or tool==1.2.3 or tool>=1.2.3), or addresses of python_requirement targets (or targets that generate or depend on python_requirement targets). Make sure to use the // prefix to refer to targets using their full address from the root (e.g. //3rdparty/python:tool). This is necessary to distinguish address specs from local or VCS requirements.

The lockfile is validated against these requirements: if it doesn't provide a requirement (at a suitable version, when the requirement specifies version constraints), Pants will error.

If unspecified, install the entire lockfile.
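The following pants.toml is an added example (not taken from the Pants docs) that ties together the install_from_resolve and requirements options above: it pins semgrep to a dedicated, checked-in lockfile so the scanner itself is a reproducible, reviewable dependency. The resolve name semgrep, the lockfile paths, the target address //3rdparty/python:semgrep and the rule file name are assumptions.

```toml
# pants.toml (added example, not from the original page)

[GLOBAL]
backend_packages = [
  "pants.backend.python",
  "pants.backend.experimental.tools.semgrep",
]

[python]
enable_resolves = true
# A dedicated resolve for the scanner, so its pins never collide with
# application dependencies and can be upgraded independently.
# Resolve name and lockfile paths are assumptions.
resolves = { python-default = "3rdparty/python/default.lock", semgrep = "3rdparty/python/semgrep.lock" }

[semgrep]
# Install semgrep from the lockfile of the "semgrep" resolve instead of
# the default lockfile shipped with Pants.
install_from_resolve = "semgrep"
# Install only semgrep from that lockfile, so changes to unrelated pins
# in the resolve do not invalidate cached lint results.
# Assumed target, defined in 3rdparty/python/BUILD as:
#   python_requirement(name="semgrep", requirements=["semgrep==1.72.0"], resolve="semgrep")
requirements = ["//3rdparty/python:semgrep"]
# Keep output terse and disable usage telemetry to Semgrep's servers.
args = ["--quiet", "--metrics=off"]
# Checked-in rules only; URLs and registry names are not supported here.
# File name is an assumption; it must end in .yml or .yaml.
config_name = "semgrep-rules.yml"
# Leave force at its default (False) so cached results stay valid; only
# set it when deliberately using changing cloud rulesets via --config.
force = false
```

After adding the BUILD target, run pants generate-lockfiles --resolve=semgrep to produce the lockfile, then pants lint :: runs the pinned semgrep against all targets.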

Deprecated options

None