Skip to main content

Scan languages with the Semgrep engine

Contrast provides, as a courtesy to those customers with Terraform, Rust, and Ruby 3.X source code elements, an optional way to scan their source code using the Semgrep open source SAST scanner and have results presented in the Contrast web interface along with other supported languages.

Steps

  1. Download the Semgrep engine from Semgrep.

  2. Place the Semgrep engine file in the same location as the Scan local engine JAR file.

  3. Run a scan with the Contrast Scan local engine.

    When the Contrast Scan local engine detects the presence of Terraform (TF) files, Rust (RS) files, or Ruby (RB) files, it passes the relevant files to the Semgrep engine. The Scan local engine uses the Semgrep rules for those languages (Terraform rules, Rust rules, or Ruby rules) and creates a SARIF file for the scanned languages.

    When scanning of the complete repo completes:

    1. The scan process combines the SARIF files that the Semgrep engine and the Contrast Scan local engine create.

    2. The scan process uploads the SARIF file to the Contrast web interface.

  4. View results as described in the Analyze scan results section.

Contrast support

Contrast provides support for Rust, Terraform, and Ruby on an as is basis. You are free to use the Semgrep engine to scan Rust, Terraform, and Ruby files (and any other language) without integration with the Contrast SAST platform. Contrast supports this functionality for convenience purposes only, where Rust, Terraform, or Ruby files are part of a larger repo.

In this section: