
Semgrep CLI for static analysis and policy checks

Run code pattern checks and policy scans with JSON or SARIF output that agents can summarize.

Agent Readiness: 82/100 · Verified publisher · Actively maintained

Semgrep CLI is useful for security-oriented agent workflows when scans stay report-first and remediation requires approval.

Structured output 86/100

Supports machine-readable scan output suitable for agent summaries and CI reports.

Non-interactive use 86/100

Can run in shell, CI, or agent sessions without prompts for common scanning tasks.

Safety boundaries 72/100

Scanning is generally safe, but remediation, ignore rules, and policy changes require review.

Agent docs 80/100

Help output and documented examples are sufficient for building AGENTS.md command rules.

Install options

pipx: $ pipx install semgrep
Homebrew: $ brew install semgrep

Common commands

Run default scan (safe): $ semgrep scan --config auto --json --output semgrep.json

Creates a JSON report of code findings.

Run local rules (safe): $ semgrep scan --config .semgrep/ --sarif --output semgrep.sarif

Runs repository-specific rules.

Change rules (requires review): $ ${EDITOR:-vi} .semgrep/

Rule changes can suppress findings and therefore require review.

Agent usage examples

Claude Code / Codex CLI: Use Semgrep CLI to scan and summarize findings. Prefer JSON/SARIF output. Do not edit ignore rules, update dependencies, or delete files without approval.

Safety notes

  • Run scans in read-only/report mode before allowing an agent to modify files or suppress findings.
  • Treat ignore-file edits, policy changes, dependency updates, and destructive cleanup as approval-required.
  • Prefer JSON or SARIF output so the agent can cite exact findings instead of paraphrasing terminal text.

Agent workflow

Use Semgrep to scan code before large refactors or security-sensitive PRs. Summarize findings with rule ID, file path, severity, and suggested remediation.
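A summarizer for the JSON report that the default-scan command above writes, added here as an example (it is not part of this page or of Semgrep itself). It assumes the documented shape of `semgrep --json` output (`results[].check_id`, `path`, `start.line`, `extra.severity`, `extra.message`, `extra.fix`) and uses a constructed sample report rather than a real scan; the rule IDs in the sample are made up.

```python
import json
from collections import Counter

# Constructed sample in the shape of `semgrep scan --json` output (not a real scan; rule IDs are invented).
SAMPLE_REPORT = json.dumps({
    "results": [
        {"check_id": "sample.subprocess-shell-true", "path": "app/run.py",
         "start": {"line": 12, "col": 5}, "end": {"line": 12, "col": 40},
         "extra": {"severity": "ERROR", "message": "subprocess call with shell=True",
                   "lines": "subprocess.run(cmd, shell=True)"}},
        {"check_id": "sample.subprocess-shell-true", "path": "app/tasks.py",
         "start": {"line": 40, "col": 1}, "end": {"line": 40, "col": 30},
         "extra": {"severity": "ERROR", "message": "subprocess call with shell=True",
                   "lines": "subprocess.run(cmd, shell=True)"}},
        {"check_id": "sample.flask-debug-enabled", "path": "app/main.py",
         "start": {"line": 3, "col": 1}, "end": {"line": 3, "col": 20},
         "extra": {"severity": "WARNING", "message": "Flask debug mode enabled",
                   "fix": "app.run(debug=False)", "lines": "app.run(debug=True)"}},
    ],
    "errors": [],
})

# Semgrep severities, most serious first; unknown values sort last.
SEVERITY_ORDER = {"ERROR": 0, "WARNING": 1, "INFO": 2}


def summarize(report_text):
    """Flatten a semgrep JSON report into findings sorted by severity, rule, path, line."""
    report = json.loads(report_text)
    findings = []
    for r in report.get("results", []):
        extra = r.get("extra", {})
        findings.append({
            "rule_id": r["check_id"],
            "path": r["path"],
            "line": r["start"]["line"],
            "severity": extra.get("severity", "INFO"),
            "message": extra.get("message", "").strip(),
            # Semgrep's autofix text when the rule supplies one; the agent proposes it, a human applies it.
            "suggested_fix": extra.get("fix"),
        })
    findings.sort(key=lambda f: (SEVERITY_ORDER.get(f["severity"], 9), f["rule_id"], f["path"], f["line"]))
    return findings


def counts_by_severity(findings):
    return dict(Counter(f["severity"] for f in findings))


def render(findings):
    """One citeable line per finding: severity, rule ID, file:line, message, optional fix."""
    out = []
    for f in findings:
        fix = f" (suggested fix: {f['suggested_fix']})" if f["suggested_fix"] else ""
        out.append(f"- [{f['severity']}] {f['rule_id']} at {f['path']}:{f['line']}: {f['message']}{fix}")
    return "\n".join(out)
```

Surface the report's `errors` list alongside the counts so a scan that skipped or failed to parse files is not reported as clean.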

Approval boundary

Changing rules, ignoring findings, or applying broad automated rewrites should require user review.