{"id":118273,"date":"2026-07-06T10:16:40","date_gmt":"2026-07-06T04:46:40","guid":{"rendered":"https:\/\/www.guvi.in\/blog\/?p=118273"},"modified":"2026-07-06T10:16:42","modified_gmt":"2026-07-06T04:46:42","slug":"semgrep-static-analysis-tutorial","status":"publish","type":"post","link":"https:\/\/www.guvi.in\/blog\/semgrep-static-analysis-tutorial\/","title":{"rendered":"Semgrep Static Analysis Tutorial: Find Bugs Before They Ship"},"content":{"rendered":"\n<p>Bugs and vulnerabilities are easier to fix the moment you write them, not weeks later in production. This Semgrep static analysis tutorial shows you how to catch issues right in your terminal, before you even open a pull request. By the end, you will have it installed, run a real scan, and understand what the results mean.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>TL;DR Summary<\/strong><\/h2>\n\n\n\n<ul>\n<li>This Semgrep static analysis tutorial shows you how to install Semgrep, run your first scan, and read the results, no security background needed.<\/li>\n\n\n\n<li>Semgrep is free, open-source, and finds bugs and vulnerabilities by matching patterns that look like your actual code.<\/li>\n\n\n\n<li>Setup takes under 5 minutes using pip, brew, or Docker.<\/li>\n\n\n\n<li>Companies like Dropbox, Figma, and Snowflake run Semgrep in production pipelines.<\/li>\n\n\n\n<li>Once comfortable with the CLI, you can plug Semgrep straight into GitHub Actions for automatic scanning on every pull request.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>What is Semgrep?<\/strong><\/h2>\n\n\n\n<p><a href=\"https:\/\/semgrep.dev\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Semgrep<\/a> is a fast, open-source static analysis tool that finds bugs, vulnerabilities, and bad patterns in your code. Instead of complicated regex or abstract syntax trees, Semgrep rules look almost exactly like the code you already write.<\/p>\n\n\n\n<p>It supports over 30 languages including Python, JavaScript, Java, Go, and TypeScript, and ships with thousands of community rules ready to use out of the box. Code never leaves your machine, everything runs locally.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Semgrep Static Analysis Tutorial: Installation<\/strong><\/h2>\n\n\n\n<p>You have three options, pick whichever fits your setup.<\/p>\n\n\n\n<ul>\n<li><strong>pip (recommended, works everywhere):<\/strong> <strong>pip install semgrep<\/strong><\/li>\n\n\n\n<li><strong>Homebrew (macOS):<\/strong> <strong>brew install semgrep<\/strong><\/li>\n\n\n\n<li><a href=\"https:\/\/www.guvi.in\/blog\/what-is-docker-in-devops\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Docker<\/strong><\/a><strong>:<\/strong> <strong>docker run semgrep\/semgrep<\/strong><\/li>\n<\/ul>\n\n\n\n<p>Once installed, confirm it worked by running <strong>semgrep &#8211;version<\/strong>. You should see a version number printed back, confirming the CLI is ready to use.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Running Your First Scan<\/strong><\/h2>\n\n\n\n<p>This is the core of any Semgrep static analysis tutorial: actually scanning real code.<\/p>\n\n\n\n<p>Navigate to your project folder and run:<\/p>\n\n\n\n<p><strong>semgrep &#8211;config auto .<\/strong><\/p>\n\n\n\n<p>The <strong>&#8211;config auto<\/strong> flag tells Semgrep to automatically pick relevant rules based on the languages it detects in your project. The <strong>.<\/strong> simply means &#8220;scan the current directory and everything inside it.&#8221;<\/p>\n\n\n\n<p>In a few seconds, Semgrep prints every finding directly in your terminal, showing the file, the line number, a short description of the issue, and a severity level.<\/p>\n\n\n\n<p>If you want to scan with a specific, well-known ruleset instead, try:<\/p>\n\n\n\n<p><strong>semgrep &#8211;config p\/security-audit .<\/strong><\/p>\n\n\n\n<p>This applies a curated set of security-focused rules maintained by the Semgrep community.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Understanding Semgrep Output<\/strong><\/h2>\n\n\n\n<p>Every finding in this Semgrep static analysis tutorial follows the same structure, which makes results easy to read once you know what to look for.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Field<\/strong><\/td><td><strong>What It Tells You<\/strong><\/td><\/tr><tr><td>Rule ID<\/td><td>The specific check that triggered (e.g. python.lang.security.audit)<\/td><\/tr><tr><td>File and line<\/td><td>Exactly where in your code the issue was found<\/td><\/tr><tr><td>Message<\/td><td>A plain-English explanation of the problem<\/td><\/tr><tr><td>Severity<\/td><td>ERROR, WARNING, or INFO, ranked by how serious the issue is<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Start by fixing every <strong>ERROR<\/strong>, these are usually genuine security or correctness issues. <strong>WARNING<\/strong> findings are worth reviewing but are less urgent. <strong>INFO<\/strong> findings are often style suggestions rather than real problems.<\/p>\n\n\n\n<p>Security-aware coding is becoming a baseline expectation for developers in 2026. If you want to build the broader DevOps and <a href=\"https:\/\/www.guvi.in\/blog\/understanding-ci-cd\/\" target=\"_blank\" rel=\"noreferrer noopener\">CI\/CD<\/a> foundation that tools like Semgrep plug into, HCL GUVI&#8217;s<a href=\"https:\/\/www.guvi.in\/zen-class\/devops-course\/?utm_source=blog&amp;utm_medium=hyperlink&amp;utm_campaign=semgrep-static-analysis-tutorial\" target=\"_blank\" rel=\"noreferrer noopener\"> DevOps Course<\/a> covers pipelines, automation, and real-world projects with NSDC certification.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Writing a Simple Custom Rule<\/strong><\/h2>\n\n\n\n<p>One of the most powerful parts of this Semgrep static analysis tutorial is that you are not limited to pre-written rules. You can write your own in a few lines of YAML.<\/p>\n\n\n\n<p>Here is a simple rule that flags any use of Python&#8217;s dangerous <strong>eval()<\/strong> function:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>rules:\n  - id: no-eval\n    pattern: eval(...)\n    message: Avoid using eval(), it can execute arbitrary code.\n    languages: &#91;python]\n    severity: WARNING\n<\/code><\/pre>\n\n\n\n<p>Save this as <strong>rule.yaml<\/strong> and run it with:<\/p>\n\n\n\n<p><strong>semgrep &#8211;config rule.yaml .<\/strong><\/p>\n\n\n\n<p>Notice the pattern looks just like real Python code, with <strong>&#8230;<\/strong> acting as a wildcard for any arguments. This is what makes Semgrep approachable, you are pattern-matching code, not writing complex parsing logic.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Adding Semgrep to GitHub Actions<\/strong><\/h2>\n\n\n\n<p>Once you are comfortable running scans locally, the natural next step in any Semgrep static analysis tutorial is automating it. Add this file as <strong>.github\/workflows\/semgrep.yml<\/strong>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>name: Semgrep Scan\non: &#91;pull_request]\njobs:\n  semgrep:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions\/checkout@v4\n      - uses: semgrep\/semgrep-action@v1\n        with:\n          config: auto\n<\/code><\/pre>\n\n\n\n<p>Now every pull request automatically triggers a scan, and findings can appear directly as comments on the PR, catching issues before a human reviewer even looks at the code.<\/p>\n\n\n\n<div style=\"background-color: #099f4e; border: 3px solid #110053; border-radius: 12px; padding: 18px 22px; color: #FFFFFF; font-size: 18px; font-family: Montserrat, Helvetica, sans-serif; line-height: 1.6; box-shadow: 0 4px 12px rgba(0, 0, 0, 0.15); max-width: 750px; margin: 22px auto;\">\n  <h3 style=\"margin-top: 0; font-size: 22px; font-weight: 700; color: #ffffff;\">\ud83d\udca1 Did You Know?<\/h3>\n  <ul style=\"padding-left: 20px; margin: 10px 0;\">\n    <li>Semgrep scans over 100 million lines of code daily across its global user base, making it one of the most widely adopted static analysis tools in modern software development. Leading technology companies such as Dropbox, Figma, Snowflake, and HashiCorp use Semgrep in their development and security pipelines. Despite operating at massive scale, the open-source engine featured in this Semgrep static analysis tutorial remains completely free for developers and organizations to use.<\/li>\n  <\/ul>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Common Mistakes to Avoid<\/strong><\/h2>\n\n\n\n<ul>\n<li><strong>Enabling every rule on day one.<\/strong> Running the full security-audit ruleset on a large codebase can return hundreds of findings instantly, overwhelming teams. Start with <strong>&#8211;config auto<\/strong> and expand gradually.<\/li>\n\n\n\n<li><strong>Treating every finding as urgent.<\/strong> Triage by severity first. Chasing INFO-level suggestions before fixing ERROR findings wastes momentum.<\/li>\n\n\n\n<li><strong>Skipping CI integration.<\/strong> Running Semgrep manually once is useful, but real value comes from catching issues automatically on every future pull request.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Conclusion<\/strong><\/h2>\n\n\n\n<p>This Semgrep static analysis tutorial covered everything you need to start catching bugs before they ship: installing the CLI, running your first scan, reading results by severity, writing a basic custom rule, and automating scans through GitHub Actions. Static analysis is most powerful when it becomes a habit, not a one-time check. Run it locally as you code, and let CI catch anything you missed.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>FAQs<\/strong><\/h2>\n\n\n<div id=\"rank-math-faq\" class=\"rank-math-block\">\n<div class=\"rank-math-list \">\n<div id=\"faq-question-1782217103896\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \"><strong>1. Is Semgrep free to use?<\/strong><\/h3>\n<div class=\"rank-math-answer \">\n\n<p>Yes. The Semgrep CLI covered in this tutorial is completely free, no account required to scan code locally.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1782217120204\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \"><strong>2. What languages does Semgrep support?<\/strong><\/h3>\n<div class=\"rank-math-answer \">\n\n<p>Over 30 languages including Python, JavaScript, TypeScript, Java, Go, C#, and Ruby.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1782217137238\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \"><strong>3. Does Semgrep upload my code anywhere?<\/strong><\/h3>\n<div class=\"rank-math-answer \">\n\n<p>No. Scans run entirely on your local machine or build environment.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1782217153600\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \"><strong>4. How is Semgrep different from other static analysis tools?<\/strong><\/h3>\n<div class=\"rank-math-answer \">\n\n<p>Its rules look like the actual code you write instead of complex regex, making it far easier to read, write, and customize.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1782217171154\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \"><strong>5. Can I write my own Semgrep rules?<\/strong><\/h3>\n<div class=\"rank-math-answer \">\n\n<p>Yes, in simple YAML files with a pattern that mirrors real code syntax, as shown in the custom rule example above.<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Bugs and vulnerabilities are easier to fix the moment you write them, not weeks later in production. This Semgrep static analysis tutorial shows you how to catch issues right in your terminal, before you even open a pull request. By the end, you will have it installed, run a real scan, and understand what the [&hellip;]<\/p>\n","protected":false},"author":65,"featured_media":120866,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[621],"tags":[],"views":"34","authorinfo":{"name":"Jebasta","url":"https:\/\/www.guvi.in\/blog\/author\/jebasta\/"},"thumbnailURL":"https:\/\/www.guvi.in\/blog\/wp-content\/uploads\/2026\/06\/Semgrep-Static-Analysis-300x116.webp","_links":{"self":[{"href":"https:\/\/www.guvi.in\/blog\/wp-json\/wp\/v2\/posts\/118273"}],"collection":[{"href":"https:\/\/www.guvi.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.guvi.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.guvi.in\/blog\/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https:\/\/www.guvi.in\/blog\/wp-json\/wp\/v2\/comments?post=118273"}],"version-history":[{"count":2,"href":"https:\/\/www.guvi.in\/blog\/wp-json\/wp\/v2\/posts\/118273\/revisions"}],"predecessor-version":[{"id":120868,"href":"https:\/\/www.guvi.in\/blog\/wp-json\/wp\/v2\/posts\/118273\/revisions\/120868"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.guvi.in\/blog\/wp-json\/wp\/v2\/media\/120866"}],"wp:attachment":[{"href":"https:\/\/www.guvi.in\/blog\/wp-json\/wp\/v2\/media?parent=118273"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.guvi.in\/blog\/wp-json\/wp\/v2\/categories?post=118273"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.guvi.in\/blog\/wp-json\/wp\/v2\/tags?post=118273"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}