Tool integration

Semgrep Integration Guide

Lightweight static analysis for 35+ languages with pattern-based and taint-tracking rules

Get a Free API Key

Integrate Semgrep with Vulnetix. Run SAST scans across 35+ languages using community and custom rules, produce SARIF output, and upload for centralized vulnerability management.

Python, JavaScript, Go, Java, Ruby, and 30+ languagesCLI toolSARIFCycloneDX

Install & scan

$ # Recommended - run without global install
uv run --with semgrep semgrep --version

# Or install globally
pip install semgrep

# Or via Homebrew
brew install semgrep
$ uv run --with semgrep semgrep scan \
  --config auto \
  --sarif --sarif-output=semgrep.sarif .

Run Semgrep in CI

Scan on every push and upload the results to Vulnetix:

- name: Run Semgrep
  run: |
    pip install semgrep
    semgrep scan --config auto --sarif --sarif-output=semgrep.sarif .

- name: Upload to Vulnetix
  run: vulnetix upload --file semgrep.sarif

How Vulnetix compares — better together

Vulnetix does not replace Semgrep. Keep running it. Vulnetix sits on top of Semgrep — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.

Semgrep is strongest at its core category and also carries features in Secret Scanning, SCA — just like Vulnetix spans categories.

CapabilityVulnetixSemgrep
Security coverage
SAST (static code analysis)Built-in rules + Semgrep augmentation35+ languages; pattern + taint, cross-file in Pro
SCA / dependencies40+ ecosystems, transitive graph~ Semgrep Supply Chain (Pro) — reachable dependency findings
DAST (dynamic testing)~ Ingests DAST results; no native dynamic engine
Container & imageImage CVEs, base image, Dockerfile
IaC / misconfigurationTerraform, k8s, CloudFormation~ Community rules for k8s / Terraform
Secret scanning1,000+ rules, source + binary + git history~ p/secrets ruleset (validation via Pro)
Cloud / CSPMCloud-posture findings, compliance tab
Mobile (MAST)~ Ingests mobile scanner output; no native mobile engine
License complianceSPDX, copyleft/AGPL/SSPL policy
SBOM generationCycloneDX 1.7 + SPDX 2.3, cosign-signable
Malware / supply-chainDe-duplicated corpus + install-time firewall (25+ registries)
Network / infra vuln~ Ingests network scanner output; no native network scanner
FuzzingIngests fuzzing crashes; no native fuzzer
Pentest / bug bountyIngests pentest/bug-bounty findings; not a testing service
The Vulnetix orchestration layer
Cross-scanner dedup & one queue (ASPM)Correlates every scanner into one prioritised queue with ownership routing
Exploit-intel prioritisationEPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV
Reachability analysisTree-sitter + CVEAffected; direct/transitive/semantic
Versioned VEX + audit trailImmutable OpenVEX/CycloneDX, cosign-signable
Safe Harbour autofixResolves + applies the nearest safe version
End-of-life policyFlags/blocks past-EOL runtimes & packages
SSVC / risk-based policySSVC v2 + CISA/FedRAMP/Essential-8 presets

✓ full · ~ partial · ✗ not covered

What Semgrep does well

Where Vulnetix adds to it: Vulnetix ingests Semgrep SARIF and keeps it as your SAST engine, then deduplicates it against every other scanner, prioritises with EPSS/CISA KEV/Coalition ESS, adds reachability, versioned VEX and Safe Harbour autofix — the cross-tool layer a single SAST engine does not provide.

No migration, no rip-and-replace. Semgrep keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.

Centralise Semgrep results in Vulnetix

Upload Semgrep SARIF, CycloneDX output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.

Semgrep documentation ↗  ·  Source repository ↗

Wire Semgrep into your CI/CD pipeline →