xgrep
xgrep is a fast, Semgrep-compatible code scanner with AST-based matching, taint analysis, and code intelligence built for AI agents.
xgrep is a fast, Semgrep-compatible code scanner written in Go. It scans codebases using Semgrep YAML rule syntax and tree-sitter for language-aware, AST-based pattern matching. Beyond scanning, xgrep provides code intelligence and a queryable code graph that power both human workflows and AI agents.
xgrep is built to cut the noise. It focuses on real, exploitable vulnerabilities and verified secrets, so the findings you act on are the ones that matter.
Where xgrep fits in Mondoo
xgrep secures the code you write. cnspec secures the infrastructure you run. Together they cover both sides of your stack with one consistent approach to security.
You can use xgrep three ways:
- On its own. Run xgrep from the command line or in CI to scan any repository. No account, no setup.
- In your editor. The Mondoo VS Code extension runs xgrep as you type, so issues are gone before they reach code review.
- With Mondoo Platform. Publish xgrep findings to Mondoo Platform to track code risk alongside your infrastructure risk in one prioritized view, and drive each finding through to remediation.
For how all the Mondoo tools fit together, see Core Concepts.
Explore the documentation
- Getting Started: What xgrep is, how to install it, and how to run your first scan
- Code Scanning: The SAST engine — CLI reference, output formats, supported languages, Semgrep compatibility, and writing your own rules
- Secrets: Find committed credentials, including ones buried in git history or hidden inside encoded payloads, with live-credential validation
- Dependencies: Generate an SBOM and query your project's dependencies
- Code Intelligence: Navigating source code with inspect and the code graph
- IDE Integration: xgrep in your editor — zero-config in VS Code, and over LSP everywhere else
- Integrations: The MCP server and CI setups
- AI Agents: Agent workflows and the packaged Claude Code skills