Version: 2.19.x (prerelease)

semgrep


Lightweight static analysis for many languages. Find bug variants with patterns that look like source code. (https://semgrep.dev/)

Pants automatically finds config files (.semgrep.yml, .semgrep.yaml, and .yml or .yaml files within .semgrep/ directories), and runs semgrep against all targets known to Pants.

Backend: pants.backend.experimental.tools.semgrep

Config section: [semgrep]

Basic options

args

--semgrep-args="[<shell_str>, <shell_str>, ...]"
PANTS_SEMGREP_ARGS
default: ["--quiet"]

Arguments to pass directly to Semgrep, e.g. --semgrep-args='--verbose'.

This includes --quiet by default to reduce the volume of output.

skip

--[no-]semgrep-skip
PANTS_SEMGREP_SKIP
default: False

If true, don't use Semgrep when running pants lint.

Advanced options

install_from_resolve

--semgrep-install-from-resolve=<str>
PANTS_SEMGREP_INSTALL_FROM_RESOLVE
default: None

If specified, install the tool using the lockfile for this named resolve.

This resolve must be defined in [python].resolves, as described in https://www.pantsbuild.org/v2.19/docs/python-third-party-dependencies#user-lockfiles.

The resolve's entire lockfile will be installed, unless specific requirements are listed via the requirements option, in which case only those requirements will be installed. This is useful if you don't want to invalidate the tool's outputs when the resolve incurs changes to unrelated requirements.

If unspecified, and the lockfile option is unset, the tool will be installed using the default lockfile shipped with Pants.

If unspecified, and the lockfile option is set, the tool will use the custom semgrep "tool lockfile" generated from the version and extra_requirements options. But note that this mechanism is deprecated.

requirements

--semgrep-requirements="['<str>', '<str>', ...]"
PANTS_SEMGREP_REQUIREMENTS
default: []

If install_from_resolve is specified, install these requirements, at the versions provided by the specified resolve's lockfile.

Values can be pip-style requirements (e.g., tool or tool==1.2.3 or tool>=1.2.3), or addresses of python_requirement targets (or targets that generate or depend on python_requirement targets).

The lockfile will be validated against the requirements: if the lockfile doesn't provide a requirement (at a suitable version, if the requirement specifies version constraints), Pants will error.

If unspecified, install the entire lockfile.
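The following pants.toml fragment is an added example, not from the Pants documentation, showing how the install_from_resolve and requirements options above fit together with [python].resolves. The resolve name semgrep-tool, the lockfile path and the pinned Semgrep version are assumptions chosen for illustration; --metrics=off is a Semgrep CLI flag that disables usage telemetry.

```toml
# Added example (not part of the Pants docs): pin Semgrep through a user lockfile
# instead of the default lockfile shipped with Pants.
[GLOBAL]
backend_packages = [
  "pants.backend.python",
  "pants.backend.experimental.tools.semgrep",
]

[python]
# A dedicated user resolve for the tool (name and path are assumptions).
# Keeping Semgrep in its own resolve means upgrading application
# dependencies never changes the scanner version, and vice versa.
resolves = { python-default = "3rdparty/python/default.lock", semgrep-tool = "3rdparty/python/semgrep.lock" }

[semgrep]
# Install the tool from the "semgrep-tool" resolve's lockfile ...
install_from_resolve = "semgrep-tool"
# ... but only this requirement, so unrelated changes to that lockfile
# don't invalidate cached Semgrep results. Pants errors if the lockfile
# does not satisfy the constraint. (Version is a placeholder.)
requirements = ["semgrep==1.0.0"]
# Keep --quiet (the default) and stop the CLI from sending telemetry.
args = ["--quiet", "--metrics=off"]
```

For this to resolve, the lockfile must contain Semgrep: declare a python_requirement target for it with resolve="semgrep-tool" in a BUILD file and run pants generate-lockfiles --resolve=semgrep-tool before pants lint ::. Rules are still picked up automatically from .semgrep.yml, .semgrep.yaml and the .semgrep/ directory as described at the top of this page.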

interpreter_constraints

--semgrep-interpreter-constraints="['<str>', '<str>', ...]"
PANTS_SEMGREP_INTERPRETER_CONSTRAINTS
default: ["CPython>=3.7,<4"]

Python interpreter constraints for this tool.

console_script

--semgrep-console-script=<str>
PANTS_SEMGREP_CONSOLE_SCRIPT
default: semgrep

The console script for the tool. Using this option is generally preferable to (and mutually exclusive with) specifying an --entry-point since console script names have a higher expectation of staying stable across releases of the tool. Usually, you will not want to change this from the default.

entry_point

--semgrep-entry-point=<str>
PANTS_SEMGREP_ENTRY_POINT
default: None

The entry point for the tool. Generally you only want to use this option if the tool does not offer a --console-script (which this option is mutually exclusive with). Usually, you will not want to change this from the default.

force

--[no-]semgrep-force
PANTS_SEMGREP_FORCE
default: False

If true, semgrep is always run, even if the input files haven't changed. This can be used to run cloud rulesets like pants lint --semgrep-force --semgrep-args='--config=p/python' ::. Without --semgrep-force, using the cloud rulesets may give inconsistent results on different machines, due to caching, because the rulesets may change.

Deprecated options

None