Quickstart
Learn how to set up Semgrep, scan your first project for security issues, and view your findings. A project can be any codebase, repository, or folder within a monorepo.
You must have Python 3.9 or later installed on the machine where the Semgrep CLI is running.
- Navigate to Semgrep AppSec Platform, and sign up by clicking on Continue with GitHub or Continue with GitLab. Follow the on-screen prompts to grant Semgrep the necessary permissions.
- Provide the Organization display name you'd like to use, then click Create new organization.
- When asked Where do you want to scan? click Run on CLI.
- Launch your CLI, and follow the instructions on the Scan a project on your machine page. For your convenience, the same information is presented below, along with instructions for Windows users. The sections below cover macOS, Linux, Windows (beta), Windows Subsystem for Linux (WSL), and Docker.

  macOS

  - Install the Semgrep CLI and confirm the installation:

        # install through homebrew
        brew install semgrep
        # install through pip
        python3 -m pip install semgrep
        # confirm installation succeeded by printing the currently installed version
        semgrep --version

    Note: Homebrew users: ensure that you've added Homebrew to your PATH.
  - Log in to your Semgrep account. Running this command launches a browser window, but you can also use the link that's returned in the CLI to proceed:

        semgrep login

  - In the Semgrep CLI login, click Activate to proceed.
  - Return to the CLI, navigate to the root of your project, and run your first scan:

        semgrep ci

  Linux

  - Install the Semgrep CLI and confirm the installation:

        # install through pip
        python3 -m pip install semgrep
        # if you get the following error "error: externally-managed-environment",
        # see semgrep.dev/docs/kb/semgrep-appsec-platform/error-externally-managed-environment
        # confirm installation succeeded by printing the currently installed version
        semgrep --version

  - Log in to your Semgrep account. Running this command launches a browser window, but you can also use the link that's returned in the CLI to proceed:

        semgrep login

  - In the Semgrep CLI login, click Activate to proceed.
  - Return to the CLI, navigate to the root of your project, and run your first scan:

        semgrep ci

  Windows (beta)

  - Download and install Python. Make sure to check the box to add python.exe to the PATH, otherwise you will have difficulty running Pip and Semgrep.
  - Configure your system to run Python with UTF-8 text encodings by default. In PowerShell, run:

        [System.Environment]::SetEnvironmentVariable('PYTHONUTF8', '1', 'User')

  - Install the Semgrep CLI and confirm the installation. In PowerShell, run:

        # install through pip
        pip install --upgrade semgrep
        # if you get the following error "error: externally-managed-environment",
        # see semgrep.dev/docs/kb/semgrep-appsec-platform/error-externally-managed-environment
        # confirm installation succeeded by printing the currently installed version
        semgrep --version

  - Log in to your Semgrep account. Running this command launches a browser window, but you can also use the link that's returned in the CLI to proceed:

        semgrep login

  - In the Semgrep CLI login, click Activate to proceed.
  - Return to the CLI, navigate to the root of your project, and run your first scan:

        semgrep ci

  Windows Subsystem for Linux (WSL)

  Prerequisites: Ensure that you have the Windows Subsystem for Linux installed before proceeding.

  - Using the WSL interface, install the Semgrep CLI and confirm the installation:

        # install through pip
        python3 -m pip install semgrep
        # confirm installation succeeded by printing the currently installed version
        semgrep --version

  - Log in to your Semgrep account. Running this command launches a browser window, but you can also use the link that's returned in the CLI to proceed:

        semgrep login

  - In the Semgrep CLI login, click Activate to proceed.
  - Return to the WSL interface, navigate to the root of your project, and run your first scan:

        semgrep ci

  Docker

  Prerequisites: Ensure that you have Docker installed before proceeding.

  - Pull the latest image and confirm the version:

        docker pull semgrep/semgrep
        # confirm version
        docker run --rm semgrep/semgrep semgrep --version

  - For users running Docker on macOS or Linux:
    - Log in to your Semgrep account (running this command will launch a browser window, but you can also use the link that's returned in the CLI to proceed):

          docker run -it semgrep/semgrep semgrep login

    - In the Semgrep CLI login, click Activate to proceed. Return to the CLI and copy the login token that's shown.
    - Navigate into the root of your project, and run your first scan. Be sure to substitute YOUR_TOKEN with the login token value you copied in the previous step:

          docker run -e SEMGREP_APP_TOKEN=YOUR_TOKEN --rm -v "${PWD}:/src" semgrep/semgrep semgrep ci

      The provided -v option mounts the current directory into the container to be scanned. Navigate into a different project or provide a specific local directory in the command to scan a different project.
  - For users running Docker on Windows:
    - Log in to your Semgrep account (running this command will launch a browser window, but you can also use the link that's returned in the CLI to proceed):

          docker run -it semgrep/semgrep semgrep login

    - In the Semgrep CLI login, click Activate to proceed. Return to the CLI, and copy the login token that's shown.
    - Navigate into the root of your project, and run your first scan. Be sure to substitute YOUR_TOKEN with the login token value you copied in the previous step:

          docker run -e SEMGREP_APP_TOKEN=YOUR_TOKEN --rm -v "%cd%:/src" semgrep/semgrep semgrep ci

      The provided -v option mounts the current directory into the container to be scanned. Navigate into a different project or provide a specific local directory in the command to scan a different project.

- Once you've scanned your first application, return to Semgrep AppSec Platform, and click View findings to see the security vulnerabilities in your project. Alternatively, you can view your results in Semgrep AppSec Platform's Dashboard page. For detailed information, click Code to access your SAST findings or Supply Chain to access your SCA findings.

  Info: Code is not uploaded. Only findings are sent to Semgrep AppSec Platform.
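
The Docker steps above place the login token directly in the docker run command, where it is saved in shell history and visible in the process list. As an added example (not from the Semgrep documentation; the function names and the DOCKER override variable are hypothetical), this script checks the Python 3.9 prerequisite and runs the same container scan with the token inherited from the exported environment instead:

```shell
#!/bin/sh
# Added example, not Semgrep's own tooling. Function names and the DOCKER
# override variable are hypothetical helpers for this illustration.

# version_ge MIN ACTUAL: succeed when ACTUAL >= MIN, comparing major.minor as
# numbers (a plain string comparison would wrongly rank 3.12 below 3.9).
version_ge() {
  min_major=${1%%.*}; min_minor=${1#*.}; min_minor=${min_minor%%.*}
  act_major=${2%%.*}; act_minor=${2#*.}; act_minor=${act_minor%%.*}
  [ "$act_major" -gt "$min_major" ] ||
    { [ "$act_major" -eq "$min_major" ] && [ "$act_minor" -ge "$min_minor" ]; }
}

# python_ok: the pip-installed CLI needs Python 3.9 or later.
python_ok() {
  command -v python3 >/dev/null 2>&1 || return 1
  version_ge 3.9 "$(python3 -c 'import sys; print("%d.%d" % sys.version_info[:2])')"
}

# docker_scan DIR: run `semgrep ci` in the container against DIR.
# `-e SEMGREP_APP_TOKEN` (name only) makes Docker copy the value from this
# shell's exported environment, so the token never appears in the command line.
docker_scan() {
  [ -n "${SEMGREP_APP_TOKEN:-}" ] || { echo "SEMGREP_APP_TOKEN is not set" >&2; return 2; }
  [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
  "${DOCKER:-docker}" run -e SEMGREP_APP_TOKEN --rm -v "$1:/src" \
    semgrep/semgrep semgrep ci
}

# Usage: sh preflight.sh check | sh preflight.sh docker [DIR]
case "${1:-}" in
  check)
    python_ok && echo "python3 >= 3.9: ok" || echo "python3 >= 3.9: missing"
    command -v semgrep >/dev/null 2>&1 && echo "semgrep on PATH: ok" || echo "semgrep on PATH: missing"
    ;;
  docker) docker_scan "${2:-$PWD}" ;;
esac
```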
Scan without a GitHub or GitLab account
If you don't have a GitHub or GitLab account, you can use semgrep scan in your CLI. See Scan your project for more details.