
# Semgrep API

> Detect security, quality, and compliance issues in software components using Semgrep static analysis.

## ComponentsIssues

Runs Semgrep-based static analysis on a batch of software components to detect security vulnerabilities, insecure patterns, and code quality issues. The request body carries a `components` array; each entry identifies a component by `purl` and a `requirement` (the version, or version constraint, to analyse), as in the example below.

### HTTP Request Example

```bash
curl -X POST 'https://api.scanoss.com/v2/semgrep/issues/components' \
  -H 'Content-Type: application/json' \
  -H "X-Api-Key: $SC_API_KEY" \
  -d '{
    "components": [
      {
        "purl": "pkg:maven/org.apache.commons/commons-lang3",
        "requirement": "3.12.0"
      }
    ]
  }' | jq
```

### Response Format

Returns Semgrep findings grouped by component, then by file within each component.

* `components`: List of analysed components with detected issues
* `status`: Request execution result

Each component includes:

* `purl`: Component Package URL
* `version`: Resolved component version
* `requirement`: Version constraint used for analysis
* `files`: Files containing detected issues

Each file includes:

* `fileMD5`: MD5 digest of the analysed file. Use it to confirm that a local copy of the file is the one Semgrep scanned before trusting the line numbers below; it identifies the file, it is not a tamper-evident integrity check
* `path`: File path within the component
* `issues`: Detected Semgrep findings

Each issue includes:

* `ruleID`: Semgrep rule identifier (for example `java.lang.security.audit.sql-injection.sql-injection`)
* `from`: First line of the flagged span, 1-based (returned as a string, as in the examples below)
* `to`: Last line of the flagged span, inclusive (also a string)
* `severity`: Semgrep severity of the matched rule: `ERROR`, `WARNING` or `INFO`

### Response Examples

#### Component with Security Issues

```json
{
  "components": [
    {
      "purl": "pkg:maven/org.apache.commons/commons-lang3",
      "version": "3.12.0",
      "requirement": "3.12.0",
      "files": [
        {
          "fileMD5": "a1b2c3d4e5f6",
          "path": "src/main/java/org/apache/commons/lang3/StringUtils.java",
          "issues": [
            {
              "ruleID": "java.lang.security.audit.crypto.weak-hash",
              "from": "156",
              "to": "159",
              "severity": "WARNING"
            },
            {
              "ruleID": "java.lang.security.audit.sql-injection.sql-injection",
              "from": "284",
              "to": "286",
              "severity": "ERROR"
            }
          ]
        },
        {
          "fileMD5": "b2c3d4e5f6a1",
          "path": "src/main/java/org/apache/commons/lang3/Validate.java",
          "issues": [
            {
              "ruleID": "java.lang.security.audit.hardcoded-secret",
              "from": "95",
              "to": "95",
              "severity": "ERROR"
            }
          ]
        }
      ]
    }
  ],
  "status": {
    "status": "SUCCESS",
    "message": "Security analysis completed successfully"
  }
}
```

#### Component with No Issues Found

```json
{
  "components": [
    {
      "purl": "pkg:maven/org.springframework/spring-core",
      "version": "5.3.21",
      "requirement": "5.3.21",
      "files": []
    }
  ],
  "status": {
    "status": "SUCCESS",
    "message": "Security analysis completed successfully"
  }
}
```
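The following is an added example of a batch client and CI gate for this endpoint; it is not SCANOSS's own client. The request and response shapes follow the documentation above; the `SCANOSS_SEMGREP_URL` constant, the `SEVERITY_RANK` ordering and the function names are this example's assumptions, and `SAMPLE_RESPONSE` is the "Component with Security Issues" response copied from the page so the triage runs offline.

```python
"""Batch client and severity gate for the ComponentsIssues endpoint (added example)."""
import json
import os
import urllib.request
from collections import Counter

# Assumed endpoint, taken from the curl example.
SCANOSS_SEMGREP_URL = "https://api.scanoss.com/v2/semgrep/issues/components"

# Assumed ordering for this example's gate; ERROR is Semgrep's highest level.
SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2}


def maven_component(group_id, artifact_id, version):
    """Build one request entry from Maven coordinates (purl type 'maven')."""
    return {"purl": f"pkg:maven/{group_id}/{artifact_id}", "requirement": version}


def build_request(components):
    """Serialise the request body exactly as the curl example posts it."""
    return json.dumps({"components": list(components)}).encode()


def fetch_components_issues(components, api_key, url=SCANOSS_SEMGREP_URL):
    """POST the batch to the API. Network call; only used when SC_API_KEY is set."""
    req = urllib.request.Request(
        url,
        data=build_request(components),
        headers={"Content-Type": "application/json", "X-Api-Key": api_key},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def flatten_findings(response):
    """Flatten components/files/issues into one record per finding.

    `from`/`to` arrive as strings (see the response examples), so they are
    converted to int here for sorting and comparison.
    """
    records = []
    for comp in response.get("components", []):
        for f in comp.get("files", []):
            for issue in f.get("issues", []):
                records.append({
                    "purl": comp["purl"], "version": comp.get("version"),
                    "path": f["path"], "fileMD5": f.get("fileMD5"),
                    "ruleID": issue["ruleID"], "severity": issue["severity"],
                    "from": int(issue["from"]), "to": int(issue["to"]),
                })
    return records


def gate(response, fail_on="ERROR"):
    """Return (passed, summary); fails when any finding is at or above fail_on."""
    if response.get("status", {}).get("status") != "SUCCESS":
        raise RuntimeError(f"API did not report SUCCESS: {response.get('status')}")
    findings = flatten_findings(response)
    threshold = SEVERITY_RANK[fail_on]
    # Fail closed: a severity this example does not know is treated as ERROR.
    blocking = [r for r in findings
                if SEVERITY_RANK.get(r["severity"], SEVERITY_RANK["ERROR"]) >= threshold]
    summary = {
        "by_severity": dict(Counter(r["severity"] for r in findings)),
        "by_rule": dict(Counter(r["ruleID"] for r in findings)),
        "blocking": sorted(blocking, key=lambda r: (r["purl"], r["path"], r["from"])),
    }
    return (not blocking), summary


# Constructed sample: the "Component with Security Issues" response shown above.
SAMPLE_RESPONSE = {
    "components": [{
        "purl": "pkg:maven/org.apache.commons/commons-lang3",
        "version": "3.12.0", "requirement": "3.12.0",
        "files": [
            {"fileMD5": "a1b2c3d4e5f6",
             "path": "src/main/java/org/apache/commons/lang3/StringUtils.java",
             "issues": [
                 {"ruleID": "java.lang.security.audit.crypto.weak-hash",
                  "from": "156", "to": "159", "severity": "WARNING"},
                 {"ruleID": "java.lang.security.audit.sql-injection.sql-injection",
                  "from": "284", "to": "286", "severity": "ERROR"}]},
            {"fileMD5": "b2c3d4e5f6a1",
             "path": "src/main/java/org/apache/commons/lang3/Validate.java",
             "issues": [
                 {"ruleID": "java.lang.security.audit.hardcoded-secret",
                  "from": "95", "to": "95", "severity": "ERROR"}]},
        ],
    }],
    "status": {"status": "SUCCESS", "message": "Security analysis completed successfully"},
}

if __name__ == "__main__":
    key = os.environ.get("SC_API_KEY")
    response = SAMPLE_RESPONSE
    if key:  # live call only when a key is available
        response = fetch_components_issues(
            [maven_component("org.apache.commons", "commons-lang3", "3.12.0")], key)
    passed, summary = gate(response)
    print(json.dumps(summary, indent=2))
    raise SystemExit(0 if passed else 1)
```

Run with `SC_API_KEY` set to query the API, or without it to triage the embedded sample; the process exits non-zero when a blocking finding is present, which is what a CI step needs. Lowering `fail_on` to `"WARNING"` or `"INFO"` tightens the gate, and the `by_rule` counts make it easy to spot a single noisy rule before deciding whether to suppress it.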

## ComponentIssues

Runs Semgrep analysis on a single software component to identify security, quality, and compliance issues. The component is identified by the `purl` and `requirement` query parameters, as in the example below.

### HTTP Request Example

```bash
curl -X GET 'https://api.scanoss.com/v2/semgrep/issues/component?purl=pkg:maven/org.apache.commons/commons-lang3&requirement=3.12.0' \
  -H "X-Api-Key: $SC_API_KEY" | jq
```

### Response Format

Returns Semgrep findings for a single component.

* `component`: Analysed component result
* `status`: Request execution result

Component fields:

* `purl`: Component Package URL
* `version`: Resolved version
* `requirement`: Version constraint used for analysis
* `files`: Files containing detected issues, with the same `fileMD5`, `path` and `issues` structure as in the ComponentsIssues response

### Response Examples

#### Component with Security Issues

```json
{
  "component": {
    "purl": "pkg:maven/org.apache.commons/commons-lang3",
    "version": "3.12.0",
    "requirement": "3.12.0",
    "files": [
      {
        "fileMD5": "a1b2c3d4e5f6",
        "path": "src/main/java/org/apache/commons/lang3/StringUtils.java",
        "issues": [
          {
            "ruleID": "java.lang.security.audit.sql-injection.sql-injection",
            "from": "284",
            "to": "286",
            "severity": "ERROR"
          }
        ]
      }
    ]
  },
  "status": {
    "status": "SUCCESS",
    "message": "Security analysis completed successfully"
  }
}
```

#### Component with No Issues Found

```json
{
  "component": {
    "purl": "pkg:maven/org.springframework/spring-core",
    "version": "5.3.21",
    "requirement": "5.3.21",
    "files": []
  },
  "status": {
    "status": "SUCCESS",
    "message": "Security analysis completed successfully"
  }
}
```
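Line numbers are only useful against the exact file Semgrep scanned, which is what `fileMD5` is for. The following is an added example, not SCANOSS tooling, that takes the `component` object from this endpoint and a local unpacked copy of the component source (for instance the Maven `-sources.jar` extracted to a directory) and attaches the flagged lines to each finding, marking them `verified` only when the local file's MD5 matches `fileMD5`. It assumes `fileMD5` is the full 32-character hex MD5 of the file bytes (the documentation examples show abbreviated values, so a length check is included) and that `path` is relative to the unpacked source root. The `build_demo_tree` helper writes a small constructed source tree so the example runs offline.

```python
"""Attach local source lines to ComponentIssues findings (added example)."""
import hashlib
import tempfile
from pathlib import Path


def md5_hex(data):
    """Hex MD5 of file bytes; assumed to be what fileMD5 carries."""
    return hashlib.md5(data).hexdigest()


def locate_findings(component, source_root):
    """Return one dict per issue with file status and the flagged lines.

    file_status is 'verified' (MD5 matches fileMD5), 'hash-mismatch' (file
    present but different revision: lines extracted but not trustworthy) or
    'missing' (no such file under source_root).
    """
    root = Path(source_root)
    results = []
    for f in component.get("files", []):
        local = root / f["path"]
        status, lines = "missing", []
        if local.is_file():
            data = local.read_bytes()
            expected = (f.get("fileMD5") or "").lower()
            status = "verified" if len(expected) == 32 and expected == md5_hex(data) else "hash-mismatch"
            lines = data.decode("utf-8", errors="replace").splitlines()
        for issue in f.get("issues", []):
            start, end = int(issue["from"]), int(issue["to"])
            # from/to are 1-based and inclusive; slicing clamps `to` to the file length.
            snippet = lines[start - 1:end] if 1 <= start <= len(lines) else []
            results.append({
                "ruleID": issue["ruleID"], "severity": issue["severity"],
                "path": f["path"], "from": start, "to": end,
                "file_status": status, "snippet": snippet,
            })
    return results


def render(results):
    """Plain-text report, one header line per finding plus numbered source lines."""
    out = []
    for r in results:
        out.append(f"[{r['severity']}] {r['ruleID']} {r['path']}:{r['from']}-{r['to']} ({r['file_status']})")
        out.extend(f"    {r['from'] + i:5d}  {line}" for i, line in enumerate(r["snippet"]))
    return "\n".join(out)


def build_demo_tree():
    """Constructed sample: a temp source root plus a matching component result."""
    root = Path(tempfile.mkdtemp(prefix="semgrep-demo-"))
    foo = b'package demo;\n\nString q = "select * from t where id=" + id;\nstmt.execute(q);\n'
    bar = b"package demo;\nString key = \"not-a-real-secret\";\n"
    (root / "src/main/java").mkdir(parents=True)
    (root / "src/main/java/Foo.java").write_bytes(foo)
    (root / "src/main/java/Bar.java").write_bytes(bar)
    component = {
        "purl": "pkg:maven/demo/demo", "version": "1.0", "requirement": "1.0",
        "files": [
            # Hash matches the file on disk: lines can be trusted.
            {"fileMD5": md5_hex(foo).upper(), "path": "src/main/java/Foo.java",
             "issues": [{"ruleID": "java.lang.security.audit.sql-injection.sql-injection",
                         "from": "3", "to": "4", "severity": "ERROR"}]},
            # Abbreviated hash as in the documentation examples: cannot be verified.
            {"fileMD5": "a1b2c3d4e5f6", "path": "src/main/java/Bar.java",
             "issues": [{"ruleID": "java.lang.security.audit.hardcoded-secret",
                         "from": "2", "to": "2", "severity": "ERROR"}]},
            # File not present in the unpacked source.
            {"fileMD5": md5_hex(b"x"), "path": "src/main/java/Baz.java",
             "issues": [{"ruleID": "java.lang.security.audit.crypto.weak-hash",
                         "from": "10", "to": "12", "severity": "WARNING"}]},
        ],
    }
    return root, component


if __name__ == "__main__":
    demo_root, demo_component = build_demo_tree()
    print(render(locate_findings(demo_component, demo_root)))
```

In practice `component` is the `component` object of the API response and `source_root` is wherever you unpacked the artifact; treat anything not marked `verified` as a pointer to re-fetch the right revision rather than as a reviewable finding. The report is deliberately plain text so it can be pasted into a ticket or PR comment unchanged.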

## Security Analysis Coverage

Semgrep rules evaluate components across three areas:

### Security Vulnerabilities

* SQL injection patterns
* Cross-site scripting (XSS) vulnerabilities
* Command injection flaws
* Path traversal vulnerabilities
* Authentication and authorization bypasses

### Code Quality Issues

* Hardcoded secrets and credentials
* Unsafe cryptographic practices
* Insecure random number generation
* Improper input validation
* Resource leaks and memory management issues

### Compliance Rules

* OWASP Top 10 security risks
* CWE (Common Weakness Enumeration) categories
* Language-specific security anti-patterns
* Framework-specific security misconfigurations

### Supported Languages

* Java
