Install and Use Semgrep

Semgrep is a fast, open-source static analysis tool for finding bugs, enforcing code standards, and identifying security issues. This guide walks through installing Semgrep on Ubuntu 24.04 using Python virtual environments, scanning a large codebase like AOSP, and visualizing results in VS Code with SARIF format.


Install Semgrep on Ubuntu 24.04 (via venv)

To avoid global installations and keep things isolated, use a Python virtual environment:

# Update system and install required packages
sudo apt update
sudo apt install -y python3 python3-venv python3-pip

# Create a virtual environment
python3 -m venv ~/.venv/semgrep

# Activate the environment
source ~/.venv/semgrep/bin/activate

# Upgrade pip and install Semgrep
pip install --upgrade pip
pip install semgrep

To use Semgrep later:

source ~/.venv/semgrep/bin/activate

To exit:

deactivate

Quick Scan: AOSP with Exclusions

Here’s an example of scanning the AOSP tree while excluding large or irrelevant directories:

semgrep scan \
  --exclude=out \
  --exclude=.repo \
  --exclude=prebuilts \
  --exclude=external \
  --exclude=tools \
  --sarif \
  --sarif-output=semgrep-aosp15.sarif \
  --metrics=off

Output

┌──────────────┐
│ Scan Summary │
└──────────────┘
✅ Scan completed successfully.
 • Findings: 3785 (3785 blocking)
 • Rules run: 776
 • Targets scanned: 287305
 • Parsed lines: ~99.9%
 • Scan skipped:
   ◦ Matching --exclude patterns: 136
   ◦ Files larger than  files 1.0 MB: 2997
   ◦ Files matching .semgrepignore patterns: 7549
 • For a detailed list of skipped files and lines, run semgrep with the --verbose flag
Ran 776 rules on 287305 files: 3785 findings.
💎 Missed out on 1390 pro rules since you aren't logged in!
⚡ Supercharge Semgrep OSS when you create a free account at https://sg.run/rules.

📢 Too many findings? Try Semgrep Pro for more powerful queries and less noise.
   See https://sg.run/false-positives.

View SARIF Results in Visual Studio Code

With the --sarif flags above, Semgrep writes its results as SARIF (Static Analysis Results Interchange Format), a standardized JSON format that security tools and code editors can read, so the same report can be triaged in a script or browsed in an editor.
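A scan of a tree the size of AOSP produces thousands of findings, and a SARIF viewer alone does not tell you which rules or directories dominate. The script below is an added example (not part of Semgrep or of this post) that reads a Semgrep SARIF file and counts findings by severity, rule and top-level directory, optionally dropping paths under prefixes you decide are out of scope. It only relies on standard SARIF 2.1.0 fields (runs, tool.driver.rules, results, locations.physicalLocation); the embedded report, its rule ids and file paths are constructed for illustration, not real AOSP findings.

```python
"""Triage a Semgrep SARIF report: count findings by severity, rule and
top-level directory, skipping paths you consider out of scope.
Added example, not part of Semgrep; uses only standard SARIF fields."""
import json
import sys
from collections import Counter

# Constructed sample in the shape `semgrep --sarif` emits (SARIF 2.1.0).
# Rule ids and paths are illustrative, not findings from a real scan.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Semgrep OSS", "rules": [
            {"id": "java.lang.security.audit.sqli.jdbc-sqli",
             "defaultConfiguration": {"level": "error"}},
            {"id": "c.lang.security.insecure-use-strcpy-fn",
             "defaultConfiguration": {"level": "warning"}},
            {"id": "generic.secrets.security.detected-private-key",
             "defaultConfiguration": {"level": "error"}},
        ]}},
        "results": [
            {"ruleId": "java.lang.security.audit.sqli.jdbc-sqli", "level": "error",
             "message": {"text": "SQL built from string concatenation"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "frameworks/base/core/java/Query.java"},
                 "region": {"startLine": 42}}}]},
            # No "level" on this result: the rule's default level must be used.
            {"ruleId": "java.lang.security.audit.sqli.jdbc-sqli",
             "message": {"text": "SQL built from string concatenation"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "packages/apps/Settings/src/Dao.java"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "c.lang.security.insecure-use-strcpy-fn", "level": "warning",
             "message": {"text": "strcpy without bounds check"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "system/core/libcutils/str.c"},
                 "region": {"startLine": 88}}}]},
            {"ruleId": "c.lang.security.insecure-use-strcpy-fn", "level": "warning",
             "message": {"text": "strcpy without bounds check"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "cts/tests/native/strcpy_test.c"},
                 "region": {"startLine": 5}}}]},
            {"ruleId": "generic.secrets.security.detected-private-key", "level": "error",
             "message": {"text": "Private key committed to source"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "device/vendor/keys/test_key.pem"},
                 "region": {"startLine": 1}}}]},
        ],
    }],
}


def _rule_levels(run):
    """Map rule id -> default severity from the run's rule metadata."""
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    return {r["id"]: r.get("defaultConfiguration", {}).get("level", "warning")
            for r in rules}


def iter_findings(sarif):
    """Yield (rule_id, level, uri, line) for every result in every run.
    A result without its own level falls back to the rule's default."""
    for run in sarif.get("runs", []):
        defaults = _rule_levels(run)
        for res in run.get("results", []):
            rule_id = res.get("ruleId", "<unknown>")
            level = res.get("level") or defaults.get(rule_id, "warning")
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "<no-path>")
            line = loc.get("region", {}).get("startLine", 0)
            yield rule_id, level, uri, line


def summarize(sarif, ignore_prefixes=()):
    """Count findings by level, rule and top-level directory, skipping any
    path that starts with one of ignore_prefixes (e.g. ("cts/",))."""
    by_level, by_rule, by_dir = Counter(), Counter(), Counter()
    total = 0
    for rule_id, level, uri, _line in iter_findings(sarif):
        if uri.startswith(tuple(ignore_prefixes)):
            continue
        total += 1
        by_level[level] += 1
        by_rule[rule_id] += 1
        by_dir[uri.split("/", 1)[0]] += 1
    return {"total": total, "by_level": dict(by_level),
            "by_rule": dict(by_rule), "by_dir": dict(by_dir)}


if __name__ == "__main__":
    # Usage: python triage.py [report.sarif] [ignore-prefix ...]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_SARIF
    summary = summarize(report, tuple(sys.argv[2:]))
    print(f"findings: {summary['total']}")
    for level, n in sorted(summary["by_level"].items()):
        print(f"  {level:8s} {n}")
    print("top rules:")
    for rule, n in Counter(summary["by_rule"]).most_common(10):
        print(f"  {n:6d}  {rule}")
    print("by directory:")
    for d, n in Counter(summary["by_dir"]).most_common():
        print(f"  {n:6d}  {d}/")
```

Run it against the report from the scan above with `python triage.py semgrep-aosp15.sarif cts/` to see which rules and directories account for most of the 3785 findings before opening the file in an editor; prefixes you pass on the command line are applied after the scan, so they complement rather than replace the --exclude flags and .semgrepignore entries that keep files out of the scan itself.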

Step 1: Install SARIF Viewer

In VS Code:

  1. Open Extensions (Ctrl+Shift+X)
  2. Search for SARIF Viewer
  3. Install SARIF Viewer by Microsoft

Step 2: Open the SARIF File

  • Use File → Open File or Ctrl+O
  • Open your SARIF file: semgrep-aosp15.sarif
  • The SARIF Viewer will open in the sidebar

Step 3: Navigate Findings

  • LOCATIONS tab shows issues by file and line number
  • Click on an issue to jump directly to the source code
  • Hover to view rule details, severity, and suggestions
