82/100
Semgrep CLI is useful for security-oriented agent workflows when scans stay report-first and remediation requires approval.
Structured output 86/100
Supports machine-readable scan output suitable for agent summaries and CI reports.
Non-interactive use 86/100
Can run in shell, CI, or agent sessions without prompts for common scanning tasks.
Safety boundaries 72/100
Scanning is generally safe, but remediation, ignore rules, and policy changes require review.
Agent docs 80/100
Help output and documented examples are sufficient for building AGENTS.md command rules.
Installation
pipx
$ pipx install semgrep
Homebrew
$ brew install semgrep
Common commands
Run default scan · Safe
$ semgrep scan --config auto --json --output semgrep.json
Creates a JSON report of code findings.
Run local rules · Safe
$ semgrep scan --config .semgrep/ --sarif --output semgrep.sarif
Runs repository-specific rules.
Change rules · Requires confirmation
$ ${EDITOR:-vi} .semgrep/
Rule changes can suppress findings and require review.
Agent usage examples
Claude Code / Codex CLI
Use Semgrep CLI to scan and summarize findings. Prefer JSON/SARIF output. Do not edit ignore rules, update dependencies, or delete files without approval.
Safety notes
- Run scans in read-only/report mode before allowing an agent to modify files or suppress findings.
- Treat ignore-file edits, policy changes, dependency updates, and destructive cleanup as approval-required.
- Prefer JSON or SARIF output so the agent can cite exact findings instead of paraphrasing terminal text.
Agent workflow
Run Semgrep before large refactors or security-sensitive PRs. Summarize rule IDs, file paths, severity levels, and suggested fixes.
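The summary step above (rule ID, file path, severity, suggested fix) is easiest to do from the JSON report rather than from terminal text. The following script is an added example, not part of this page or of the Semgrep project: it reads a `semgrep scan --json` report, flattens each result into the fields an agent should cite, sorts by severity, and returns a report-first gate decision without touching any file. The embedded report is constructed for the example (rule IDs, paths and messages are invented), and it assumes the `extra.fix` key appears only when a rule defines an autofix.

```python
"""Summarize a Semgrep JSON report for an agent or CI step (report-first; nothing is modified)."""
import json
from collections import Counter
from typing import Any

# Severity ranking used for sorting and for the fail-threshold gate.
SEVERITY_RANK = {"ERROR": 3, "WARNING": 2, "INFO": 1}

# Constructed sample in the shape `semgrep scan --json` writes (results/errors/paths).
# Rule IDs, paths and messages below are invented for this example.
SAMPLE_REPORT = json.dumps({
    "version": "0.0.0-example",
    "results": [
        {"check_id": "python.lang.security.audit.subprocess-shell-true",
         "path": "app/runner.py",
         "start": {"line": 42, "col": 5}, "end": {"line": 42, "col": 60},
         "extra": {"severity": "ERROR",
                   "message": "subprocess call with shell=True",
                   "fix": "subprocess.run(cmd, shell=False)",
                   "metadata": {"cwe": ["CWE-78"]}}},
        {"check_id": "python.lang.best-practice.open-never-closed",
         "path": "app/config.py",
         "start": {"line": 7, "col": 1}, "end": {"line": 7, "col": 30},
         "extra": {"severity": "WARNING",
                   "message": "file handle is never closed",
                   "metadata": {}}},
        {"check_id": "python.lang.security.audit.subprocess-shell-true",
         "path": "scripts/deploy.py",
         "start": {"line": 13, "col": 5}, "end": {"line": 13, "col": 50},
         "extra": {"severity": "ERROR",
                   "message": "subprocess call with shell=True",
                   "metadata": {"cwe": ["CWE-78"]}}},
    ],
    "errors": [],
    "paths": {"scanned": ["app/runner.py", "app/config.py", "scripts/deploy.py"]},
})


def load_findings(report_text: str) -> list[dict[str, Any]]:
    """Flatten the fields an agent should cite: rule ID, location, severity, message, fix."""
    report = json.loads(report_text)
    findings = []
    for r in report.get("results", []):
        extra = r.get("extra", {})
        findings.append({
            "rule_id": r["check_id"],
            "path": r["path"],
            "line": r["start"]["line"],
            "severity": extra.get("severity", "INFO").upper(),
            "message": extra.get("message", "").strip(),
            "fix": extra.get("fix"),  # assumed present only when the rule carries an autofix
            "cwe": extra.get("metadata", {}).get("cwe", []),
        })
    # Most severe first, then by path and line so the summary is deterministic.
    findings.sort(key=lambda f: (-SEVERITY_RANK.get(f["severity"], 0), f["path"], f["line"]))
    return findings


def summarize(findings: list[dict[str, Any]]) -> list[str]:
    """One header line with counts, then one line per finding with exact citation data."""
    counts = Counter(f["severity"] for f in findings)
    header = f"{len(findings)} finding(s): " + ", ".join(
        f"{s}={counts[s]}" for s in ("ERROR", "WARNING", "INFO") if counts[s])
    lines = [header]
    for f in findings:
        loc = f"{f['path']}:{f['line']}"
        fix = f" | suggested fix: {f['fix']}" if f["fix"] else " | no autofix; manual review"
        lines.append(f"[{f['severity']}] {f['rule_id']} @ {loc}: {f['message']}{fix}")
    return lines


def should_fail(findings: list[dict[str, Any]], threshold: str = "ERROR") -> bool:
    """Report-first gate: True if any finding is at or above the threshold severity."""
    return any(SEVERITY_RANK.get(f["severity"], 0) >= SEVERITY_RANK[threshold] for f in findings)


if __name__ == "__main__":
    import sys
    # Usage: python summarize_semgrep.py semgrep.json  (falls back to the constructed sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    found = load_findings(text)
    print("\n".join(summarize(found)))
    sys.exit(1 if should_fail(found) else 0)
```

The gate only reports; the suggested fix is printed for a human to apply, which keeps the agent inside the read-only boundary the page describes.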
Approval boundaries
Changing rules, ignoring findings, or running large-scale automated rewrites must all be confirmed by a human.