Semgrep CLI is useful for security-oriented agent workflows when scans stay report-first and remediation requires approval.
Supports machine-readable scan output suitable for agent summaries and CI reports.
Can run in shell, CI, or agent sessions without prompts for common scanning tasks.
Scanning is generally safe, but remediation, ignore rules, and policy changes require review.
Help output and documented examples are sufficient for building AGENTS.md command rules.
Installation
$ pipx install semgrep
$ brew install semgrep

Frequently used commands
$ semgrep scan --config auto --json --output semgrep.json
Writes a JSON report of findings. `--config auto` fetches rules from the Semgrep Registry for the languages it detects, so it needs network access; use a pinned ruleset when the scan must be reproducible.
$ semgrep scan --config .semgrep/ --sarif --output semgrep.sarif
Runs only the repository's own rules from .semgrep/ and writes a SARIF report that CI and code-scanning tools can ingest.
$ ${EDITOR:-vi} .semgrep/
Opens the repository's rule directory for editing. A loosened pattern or a deleted rule silently suppresses findings, so rule changes require review.
Agent usage example
Use Semgrep CLI to scan and summarize findings. Prefer JSON/SARIF output. Do not edit ignore rules, update dependencies, or delete files without approval.

Safety notes
- Run scans in read-only/report mode before allowing an agent to modify files or suppress findings.
- Treat ignore-file edits, policy changes, dependency updates, and destructive cleanup as approval-required.
- Prefer JSON or SARIF output so the agent can cite exact findings instead of paraphrasing terminal text.
Agent workflow
Use Semgrep to scan code before large refactors or security-sensitive PRs. Summarize findings with rule ID, file path and line, severity, message, and suggested remediation, taken from the report fields rather than paraphrased from terminal output, and say explicitly when the scan itself reported errors, because an incomplete scan is not a clean one.
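The summary step described above, and the "cite exact findings" point in the safety notes, as an added example that is not Semgrep's own code. It reads a report in the layout `semgrep scan --json` produces (a top-level `results` list whose entries carry `check_id`, `path`, `start.line` and an `extra` object with `message`, `severity` and an optional `fix`), drops findings marked `is_ignored`, and renders a Markdown table in which every row cites rule ID and `path:line`. The embedded report is constructed for the example, the rule IDs and messages are illustrative, and the exact field names (in particular `is_ignored` and `fix`) are assumptions about the report shape; check them against the report your Semgrep version emits.

```python
"""Summarize a Semgrep JSON report into citeable findings for an agent or CI comment."""
import json
import sys
from collections import Counter

# Severity labels Semgrep rules use, ordered most severe first.
SEVERITY_ORDER = {"ERROR": 0, "WARNING": 1, "INFO": 2}

# Constructed sample in the shape of `semgrep scan --json` output. Rule IDs,
# paths and messages are illustrative; this is not output from a real scan.
SAMPLE_REPORT = json.dumps({
    "version": "1.0.0",
    "errors": [],
    "results": [
        {
            "check_id": "example.python.subprocess-shell-true",
            "path": "app/runner.py",
            "start": {"line": 42, "col": 5}, "end": {"line": 42, "col": 44},
            "extra": {
                "message": "subprocess call with shell=True; unsafe with untrusted input",
                "severity": "ERROR",
                "lines": "    subprocess.run(cmd, shell=True)",
                "fix": "    subprocess.run(shlex.split(cmd))",
            },
        },
        {
            "check_id": "example.python.insecure-hash-md5",
            "path": "app/auth.py",
            "start": {"line": 17, "col": 12}, "end": {"line": 17, "col": 35},
            "extra": {
                "message": "MD5 is not collision resistant; use SHA-256 or stronger",
                "severity": "WARNING",
                "lines": "    digest = hashlib.md5(data)",
            },
        },
        {
            "check_id": "example.python.debug-print",
            "path": "app/auth.py",
            "start": {"line": 3, "col": 1}, "end": {"line": 3, "col": 15},
            "extra": {
                "message": "leftover debug print",
                "severity": "INFO",
                "lines": 'print("debug")',
                "is_ignored": True,  # suppressed in-source; must not be reported as active
            },
        },
    ],
})


def parse_report(report_text):
    """Return (results, scan_errors). Reject anything without a 'results' list so a
    wrong file or a crashed scan is never summarized as a clean run."""
    data = json.loads(report_text)
    if not isinstance(data.get("results"), list):
        raise ValueError("not a Semgrep JSON report: no 'results' list")
    return data["results"], data.get("errors", [])


def summarize(report_text):
    """One dict per active finding: rule ID, path:line, severity, message, fix."""
    results, _ = parse_report(report_text)
    findings = []
    for r in results:
        extra = r.get("extra", {})
        if extra.get("is_ignored", False):
            continue  # suppressed findings are not active; do not inflate the count
        findings.append({
            "rule_id": r["check_id"],
            "location": f"{r['path']}:{r['start']['line']}",
            "severity": str(extra.get("severity", "INFO")).upper(),
            "message": str(extra.get("message", "")).strip(),
            "fix": extra.get("fix"),  # None when the rule carries no autofix
        })
    findings.sort(key=lambda f: (SEVERITY_ORDER.get(f["severity"], 99), f["location"]))
    return findings


def count_by_severity(findings):
    return dict(Counter(f["severity"] for f in findings))


def render_markdown(report_text):
    """Markdown an agent can paste into a PR comment; every row cites rule ID and
    path:line so a reviewer can check it against the raw report."""
    findings = summarize(report_text)
    _, scan_errors = parse_report(report_text)
    counts = count_by_severity(findings)
    by_sev = ", ".join(f"{s}={counts[s]}" for s in sorted(counts, key=lambda s: SEVERITY_ORDER.get(s, 99)))
    out = [f"Semgrep: {len(findings)} finding(s) ({by_sev or 'none'})"]
    if scan_errors:
        # A report with scan errors is incomplete, not clean; say so before the table.
        out.append(f"WARNING: {len(scan_errors)} scan error(s); some files were not analyzed.")
    out.append("| Severity | Rule | Location | Message | Suggested fix |")
    out.append("|---|---|---|---|---|")
    for f in findings:
        fix = f"`{f['fix'].strip()}`" if f["fix"] else "none from rule; needs manual review"
        msg = f["message"].replace("|", "\\|")
        out.append(f"| {f['severity']} | `{f['rule_id']}` | `{f['location']}` | {msg} | {fix} |")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python semgrep_summary.py semgrep.json   (no argument: the constructed sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    print(render_markdown(text))
```

Run it against the `semgrep.json` produced by the scan command above to get the table; the script stays read-only, so it sits on the scanning side of the approval boundary, and the `fix` column is only a suggestion for a reviewer, never something the agent applies on its own.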
Approval boundary
Changing rules, ignoring findings, or applying broad automated rewrites should require user review.