
Feedback Issue - Semgrep for SAST

This is a feedback issue for GitLab and r2c on our new Semgrep SAST analyzer. This analyzer currently supports the following languages:

  • TypeScript & JavaScript, running in parallel with our existing analyzer, ESLint
  • Python, running in parallel with our existing analyzer, Bandit
  • C, running in parallel with our existing analyzer, Flawfinder

What is Semgrep? Semgrep is a fast, open-source static analysis tool that finds bugs and enforces code standards at editor, commit, and CI time.
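To make "finds bugs and enforces code standards" concrete, here is an added Semgrep rule (written for this page, not part of the issue or of the GitLab or r2c rule sets) that flags Python `subprocess` calls made with `shell=True`, the pattern behind many command-injection findings; the rule id, message and the sample file name are assumptions chosen for illustration:

```yaml
# Added example rule file (assumed name: subprocess-shell.yml), not GitLab's or r2c's own.
# Matches any subprocess.<function>(...) call that passes shell=True anywhere in
# its argument list; "..." and $FUNC are Semgrep's wildcard and metavariable syntax.
rules:
  - id: python-subprocess-shell-true
    languages: [python]
    severity: WARNING
    message: >-
      subprocess call with shell=True: if any argument is derived from user input
      this is a command-injection risk. Pass an argument list and drop shell=True.
    pattern: subprocess.$FUNC(..., shell=True, ...)
```

Run with `semgrep --config subprocess-shell.yml <path>`; a constructed input such as `subprocess.call("ls " + user_dir, shell=True)` produces one WARNING finding, while `subprocess.call(["ls", user_dir])` does not. In the GitLab analyzer the rule set is managed for you, so this file only illustrates the kind of check Semgrep performs.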

How do I enable it? If you already have ESLint or Bandit enabled, Semgrep will be automatically enabled and run in parallel with those tools. If you override or manage your own SAST CI configuration, you should update your CI configuration. In either case, GitLab SAST will deduplicate results found by Semgrep and ESLint or Bandit.
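As an added illustration (not configuration from the issue or from GitLab's docs) of the "update your CI configuration" step, the `.gitlab-ci.yml` fragment below includes GitLab's SAST template, which is what schedules the per-language analyzers; the `SAST_EXCLUDED_ANALYZERS` value and the `semgrep-sast` job name are taken from the GitLab SAST template as it existed when Semgrep was added and should be checked against the template version your instance ships:

```yaml
# Added example .gitlab-ci.yml, not from the issue. Including the template is the
# managed path: ESLint, Bandit, Flawfinder and Semgrep run in parallel and GitLab
# deduplicates their findings.
include:
  - template: Security/SAST.gitlab-ci.yml

variables:
  # An empty exclusion list runs every applicable analyzer. If a previous
  # override excluded analyzers by name, make sure "semgrep" is not listed here,
  # otherwise the Semgrep job never runs.
  SAST_EXCLUDED_ANALYZERS: ""

# Projects that override individual analyzer jobs (for example to pin a runner
# tag) should apply the same override to the Semgrep job, or it will fall back
# to the template defaults. Job name assumed from the template.
semgrep-sast:
  tags:
    - sast-runner   # assumed runner tag, replace with your own
```

Projects that copy the template's jobs into their own pipeline rather than including it need to add the Semgrep job explicitly; otherwise only the pre-existing ESLint, Bandit or Flawfinder results appear in the SAST report.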

What if something goes wrong? Follow the troubleshooting steps in the GitLab SAST docs or see the Troubleshooting GitLab SAST page in the Semgrep docs.

Edited by Taylor McCaslin