# Semgrep CLI for static analysis and policy checks
Runs code-pattern checks and policy scans, and emits JSON or SARIF reports that an agent can summarize.
Agent Readiness Score: 82/100
Semgrep CLI is useful for security-oriented agent workflows when scans stay report-first and remediation requires approval.
## Install

- pipx: `pipx install semgrep`
- Homebrew: `brew install semgrep`

## Structured output

Supported output formats: json, sarif, text.
Prefer structured output flags such as `--json`, `--format json`, or equivalent when available.

## Safe commands

- Run default scan: `semgrep scan --config auto --json --output semgrep.json` — Creates a JSON report of code findings.
- Run local rules: `semgrep scan --config .semgrep/ --sarif --output semgrep.sarif` — Runs repository-specific rules.

## Commands requiring approval

- Change rules: `${EDITOR:-vi} .semgrep/` — requires review and explicit user approval before any rule or ignore change is applied.

## Agent instructions

- Claude Code / Codex CLI: Use Semgrep CLI to scan and summarize findings. Prefer JSON/SARIF output. Do not edit ignore rules, update dependencies, or delete files without approval.

## Safety notes

- Run scans in read-only/report mode before allowing an agent to modify files or suppress findings.
- Treat ignore-file edits, policy changes, dependency updates, and destructive cleanup as approval-required.
- Prefer JSON or SARIF output so the agent can cite exact findings instead of paraphrasing terminal text.
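The following is an added example (not Semgrep's own code, and not part of this page's original content) of the report-first workflow the notes above describe: it parses a `semgrep --json` report, counts findings by severity, produces exact `path:line check_id` citations, and exposes a read-only gate that only reports blocking findings rather than suppressing or fixing them. It assumes the documented shape of Semgrep JSON output (a top-level `results` list whose entries carry `check_id`, `path`, `start`/`end` with `line`, and an `extra` object holding `message` and `severity`); the sample report embedded below is constructed, and its rule ids are illustrative rather than registry rule names.

```python
"""Summarise a Semgrep --json report so an agent can cite findings exactly.

Added example, not Semgrep's own code. Assumes the documented shape of
`semgrep --json` output: a top-level "results" list whose entries carry
"check_id", "path", "start"/"end" (with "line"/"col") and an "extra" object
holding "message" and "severity" (ERROR / WARNING / INFO).
"""
import json
from collections import Counter
from typing import Any

# Constructed sample in the semgrep --json shape; rule ids are illustrative only.
SAMPLE_REPORT = json.dumps({
    "version": "0.0.0-constructed",
    "errors": [],
    "paths": {"scanned": ["app/db.py", "app/views.py"]},
    "results": [
        {
            "check_id": "example.python.sql-string-format",
            "path": "app/db.py",
            "start": {"line": 12, "col": 5},
            "end": {"line": 12, "col": 48},
            "extra": {
                "message": "SQL query built with string formatting.",
                "severity": "ERROR",
                "lines": "    cur.execute(f\"SELECT * FROM users WHERE id={uid}\")",
            },
        },
        {
            "check_id": "example.python.flask-debug-enabled",
            "path": "app/views.py",
            "start": {"line": 40, "col": 1},
            "end": {"line": 40, "col": 24},
            "extra": {
                "message": "Flask debug mode is enabled.",
                "severity": "WARNING",
                "lines": "app.run(debug=True)",
            },
        },
        {
            "check_id": "example.python.unused-assignment",
            "path": "app/views.py",
            "start": {"line": 7, "col": 1},
            "end": {"line": 7, "col": 10},
            "extra": {"message": "Assigned value is never read.", "severity": "INFO",
                      "lines": "x = 1"},
        },
    ],
})

# Lower number = more severe; unknown severities sort last.
SEVERITY_ORDER = {"ERROR": 0, "WARNING": 1, "INFO": 2}


def load_findings(report_text: str) -> list[dict[str, Any]]:
    """Parse report JSON and return one flat dict per finding, most severe first."""
    report = json.loads(report_text)
    findings = []
    for r in report.get("results", []):
        extra = r.get("extra", {})
        findings.append({
            "check_id": r["check_id"],
            "path": r["path"],
            "line": r["start"]["line"],
            "severity": str(extra.get("severity", "INFO")).upper(),
            "message": extra.get("message", ""),
        })
    # Stable ordering (severity, path, line) so summaries are comparable across runs.
    findings.sort(key=lambda f: (SEVERITY_ORDER.get(f["severity"], 99), f["path"], f["line"]))
    return findings


def count_by_severity(findings: list[dict[str, Any]]) -> dict[str, int]:
    """Severity -> number of findings."""
    return dict(Counter(f["severity"] for f in findings))


def citations(findings: list[dict[str, Any]], min_severity: str = "WARNING") -> list[str]:
    """'path:line check_id - message' for findings at or above min_severity,
    so a summary can quote the exact location instead of paraphrasing."""
    cutoff = SEVERITY_ORDER[min_severity]
    return [
        f'{f["path"]}:{f["line"]} {f["check_id"]} - {f["message"]}'
        for f in findings
        if SEVERITY_ORDER.get(f["severity"], 99) <= cutoff
    ]


def has_blocking_findings(findings: list[dict[str, Any]]) -> bool:
    """Report-only gate: True when any ERROR finding exists. Fixing or
    suppressing those findings stays a separate, approval-required step."""
    return any(f["severity"] == "ERROR" for f in findings)


if __name__ == "__main__":
    fs = load_findings(SAMPLE_REPORT)
    print("counts:", count_by_severity(fs))
    for cite in citations(fs):
        print(cite)
    print("blocking:", has_blocking_findings(fs))
```

To use it on a real run, replace `SAMPLE_REPORT` with the contents of the `semgrep.json` produced by the safe scan command above; the gate function deliberately has no side effects, which keeps the agent in report mode until a human approves remediation.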

## Metadata

Official URL: https://semgrep.dev/docs/cli-reference/
GitHub: https://github.com/semgrep/semgrep
Docs: https://semgrep.dev/docs/cli-reference/
