Semgrep / OpenGrep Compatibility

Feature parity between xgrep's CLI and Semgrep / OpenGrep — subcommands, flags, output, and xgrep-only extras.

xgrep uses the Semgrep rule format and mirrors the Semgrep / OpenGrep CLI. OpenGrep is the open-source fork of Semgrep; it shares Semgrep's rule syntax and command surface, and is what xgrep tracks for parity, so the comparison columns below apply to both. File-selection behavior (git, ignore files, size limits) is covered in File filtering.

CLI subcommands

| Command | Semgrep / OpenGrep | xgrep | Status |
|---|---|---|---|
| scan | `scan <targets>` | `xgrep scan <targets>` | ✅ Implemented |
| Root scan | `<targets>` | `xgrep <targets>` | ✅ Implemented |
| `--config` / `-f` rules | Yes | Yes | ✅ Implemented |
| `--json` output | Yes | Yes | ✅ Implemented |
| `--sarif` output | Yes | Yes | ✅ Implemented |
| test | `--test` | `xgrep test <path>` | ✅ Implemented |
| validate | `--validate` | `xgrep validate <path>` | ✅ Implemented |
| lsp | | `xgrep lsp` | xgrep-only |
| mcp | | `xgrep mcp` | xgrep-only |
| graph | | `xgrep graph` | xgrep-only |
| ci | `ci` | Diff-aware and CI-auto-detecting; no hosted-backend upload | See CI integration |
| login / publish | `login` | | Not planned (SaaS) |

Output format

| Feature | Semgrep / OpenGrep | xgrep | Status |
|---|---|---|---|
| Banner with product info | Yes | Yes (ASCII art) | ✅ Implemented |
| Scan status tables | Language/Rules/Files + Origin | Language/Rules/Files + Origin | ✅ Implemented |
| Progress spinner | Yes | Yes (bubbletea) | ✅ Implemented |
| Colored findings | Yes | Yes (lipgloss) | ✅ Implemented |
| Severity markers | ❯❯❱ / ❯❱ / | ❯❯❱ / ❯❱ / | ✅ Implemented |
| Code snippets with line numbers | Yes | Yes | ✅ Implemented |
| Scan summary | Yes | Yes | ✅ Implemented |
| TTY detection (plain fallback) | Yes | Yes | ✅ Implemented |
| `--quiet` flag | Yes | Yes | ✅ Implemented |
| `--verbose` flag | Yes | Yes | ✅ Implemented |
| `--metrics` reporting | auto / on / off | auto / on / off | ✅ Implemented |
| Warnings section | Yes | Yes (buffered during TUI) | ✅ Implemented |

See Output formats for text/JSON/SARIF details.

Scanning features

| Feature | Semgrep / OpenGrep | xgrep | Status |
|---|---|---|---|
| Pattern matching | Yes | Yes | ✅ Implemented |
| Taint analysis | Yes | Yes | ✅ Implemented |
| `--severity` filter | Yes | Yes | ✅ Implemented |
| `--rule-id` / `--skip-rule` | Yes | Yes | ✅ Implemented |
| `--autofix` | Yes | Yes | ✅ Implemented |
| `--baseline-commit` | Yes (diff-aware, changed-file limited) | Yes; accepts a ref or `base..head` range, limits the scan to changed files, line-level diffing | ✅ Implemented |
| `--jobs` parallelism | Yes | Yes | ✅ Implemented |
| Per-rule timeout | Fixpoint timeout warnings | `context.WithTimeout`, 10 s + file-size scaling | ✅ Implemented |
| `--timeout` (per-file) | Yes | Yes | ✅ Implemented |
| `--max-memory` | Yes | Yes | ✅ Implemented |
| Join mode | Yes | Yes | ✅ Implemented |
| Extract mode | Yes | Yes | ✅ Implemented |
| `--lang` override | Yes | Yes | ✅ Implemented |
| Remote repo scanning (`scan <url>`) | Pro-only (`--remote --pro`) | Yes; clones with built-in git client | ✨ xgrep extension |

Target selection

How each tool decides which files to scan. xgrep favors completeness over speed-by-omission: by default it scans every git-tracked file regardless of size and does not auto-load an ignore file, and it exposes flags to opt into Semgrep-style filtering. When comparing finding counts against Semgrep / OpenGrep on the same repository, pass `--xgrepignore` and set `--max-target-bytes` to Semgrep's 1 MB default so both tools see the same target set; otherwise xgrep will report extra findings from vendored, generated and oversized files that Semgrep silently skips. See File filtering for the full behavior and rationale.

| Feature | Semgrep / OpenGrep | xgrep | Status |
|---|---|---|---|
| Git-tracked files (`git ls-files`) | Default | Default | ✅ Implemented |
| `.gitignore` respect | Yes | Yes (via git) | ✅ Implemented |
| Ignore file (`.xgrepignore` / `.semgrepignore`) | Default (auto-load) | `--xgrepignore` flag | By design: opt-in |
| Default ignore patterns | Always on | `--xgrepignore` flag | By design: opt-in |
| Max file size | `--max-target-bytes` (default 1 MB) | `--max-target-bytes` (default unlimited) | By design: unlimited |
| Filesystem fallback (no git) | Yes | Yes | ✅ Implemented |
| `--include` / `--exclude` globs | Yes | Yes | ✅ Implemented |

Rule compatibility

xgrep runs standard Semgrep / OpenGrep YAML rules unchanged. Rule-level test compliance against the OpenGrep suite is tracked internally.
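As an added example (not part of xgrep's docs or code base), the script below builds a Semgrep-format rule together with its annotated test target, the format both `semgrep --test` and `xgrep test` read, and then prints and runs the like-for-like validate, test, scan and diff-aware invocations from the subcommand and target-selection tables above, including the `--xgrepignore` and `--max-target-bytes` flags that make xgrep's target set match Semgrep's. The rule, test file and sample sources are constructed here; it assumes `--xgrepignore` takes no argument and that the diff step's base branch is called `main`, neither of which this page states.

```shell
#!/bin/sh
# Added example, not xgrep's own code: build a Semgrep-format rule plus its
# annotated test target, then run the same validate / test / scan / diff steps
# with whichever of semgrep, opengrep or xgrep is installed.
# Assumptions not stated on the page: --xgrepignore is a boolean switch, and
# the diff-aware step compares against a branch named "main".
set -eu

WORK="${WORK:-$(mktemp -d)}"

# A minimal security rule in standard Semgrep YAML plus a test target in the
# Semgrep test format: same basename, "# ruleid:" / "# ok:" comments on the
# line before the code they describe. All files here are constructed.
write_fixture() {
  mkdir -p "$WORK/rules" "$WORK/src/vendor"
  cat > "$WORK/rules/python-subprocess-shell-true.yaml" <<'EOF'
rules:
  - id: python-subprocess-shell-true
    languages: [python]
    severity: WARNING
    message: subprocess called with shell=True; command injection if the string contains untrusted input
    pattern: subprocess.$FUNC(..., shell=True, ...)
EOF
  cat > "$WORK/rules/python-subprocess-shell-true.py" <<'EOF'
import subprocess

def run(user_dir):
    # ruleid: python-subprocess-shell-true
    subprocess.run("ls " + user_dir, shell=True)
    # ok: python-subprocess-shell-true
    subprocess.run(["ls", user_dir])
EOF
  # The same finding twice: Semgrep's default ignore list skips directories
  # such as vendor/, while xgrep scans it unless --xgrepignore is passed.
  printf 'import subprocess\nsubprocess.call("id", shell=True)\n' > "$WORK/src/app.py"
  printf 'import subprocess\nsubprocess.call("id", shell=True)\n' > "$WORK/src/vendor/dep.py"
}

# Build the command line for one action under one tool, mirroring the parity
# tables: Semgrep/OpenGrep use --validate/--test flags, xgrep uses subcommands.
# Echoed as a string so the caller can inspect it or hand it to sh -c.
cmd_for() {  # $1 = tool, $2 = action (validate|test|scan|diff)
  rules="$WORK/rules"; target="$WORK/src"
  case "$1:$2" in
    semgrep:validate|opengrep:validate) echo "$1 --validate --config $rules" ;;
    semgrep:test|opengrep:test)         echo "$1 --test $rules" ;;
    # Semgrep already defaults to 1 MB and auto-loads .semgrepignore; the
    # explicit flag only makes the parity with the xgrep line visible.
    semgrep:scan|opengrep:scan)         echo "$1 scan --config $rules --json --max-target-bytes 1000000 $target" ;;
    semgrep:diff|opengrep:diff)         echo "$1 scan --config $rules --json --baseline-commit main $target" ;;
    xgrep:validate)                     echo "xgrep validate $rules" ;;
    xgrep:test)                         echo "xgrep test $rules" ;;
    # Opt in to Semgrep-style filtering so both tools see the same target set.
    xgrep:scan)                         echo "xgrep scan --config $rules --json --xgrepignore --max-target-bytes 1000000 $target" ;;
    xgrep:diff)                         echo "xgrep scan --config $rules --json --baseline-commit main..HEAD $target" ;;
    *) echo "unsupported: $1 $2" >&2; return 1 ;;
  esac
}

# Run every action with each tool found on PATH, reporting exit codes instead
# of stopping: the diff step needs a repository with a main branch, which the
# constructed fixture does not provide.
run_available() {
  for tool in semgrep opengrep xgrep; do
    command -v "$tool" >/dev/null 2>&1 || { echo "== $tool: not installed, skipped"; continue; }
    for action in validate test scan diff; do
      echo "== $tool $action"
      sh -c "$(cmd_for "$tool" "$action")" || echo "== $tool $action exited $?"
    done
  done
}

write_fixture
run_available
```

Set `WORK` to an existing git checkout to try the diff-aware step for real; with the fixture alone, only validate, test and scan are expected to succeed, and the scan step is where the `vendor/dep.py` finding appears or disappears depending on `--xgrepignore`.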

xgrep-only features

| Feature | Description |
|---|---|
| `mode: analysis` + `analyzer:` | Built-in native analyzers for checks too context-dependent for patterns (Semgrep treats it as an unknown mode); see Analysis mode |
| `xgrep lsp` | LSP server for IDE integration |
| `xgrep mcp` | MCP server for AI agent integration |
| `xgrep graph` | Code graph extraction (callers, callees, paths) |
| `context` + `remediation` JSON | Always-on code context and fix guidance in JSON output |
| `--cpuprofile` / `--memprofile` | Built-in profiling |
| OpenTelemetry | `XGREP_ENABLE_TELEMETRY=1` for tracing and metrics |
| Per-function taint scoping | Taint analysis scoped to function boundaries |
| Comment-aware pre-checks | Skip patterns whose literals only appear in comments |
