by underyx 1337 days ago
Heya, Semgrep maintainer here. Just wanted to ask you about an idea I had before, how would you feel about specifying the language parameter in the binary name, making the invocation look like this?

    semgrep.py search 'myfunc(..., needle_arg=..., ...)'
And then the other subcommands would remain

    semgrep scan --config auto
to scan with all recommended rules and

    semgrep ci
to scan in CI jobs.

I feel like the "semgrep.py" idea is not that good, because someone could legitimately have a semgrep.py or semgrep.js or similar file which wraps semgrep.

Edit: thanks for maintaining semgrep, I started using it heavily at my day job and the team started writing frontends for it.

If someone had such a wrapper, I'd expect that if it's globally available in $PATH, it'd have a more descriptive name, and if it's not in $PATH, you'd likely run it as `python semgrep.py` or `./semgrep.py`. Does that sound right to you?
Why not `semgrep-py`?

Though, as I tried to type that, I typed semgrep.py twice. The dot name really seems like a file extension, though. I'm torn.

Also, first time trying the tool and I love it!

Yeah, I don't really have a good reason, it just feels like the wrong call :/

Maybe it's that the dot makes it feel like 'variants' of 'semgrep' (even if for the wrong reason) but semgrep-py feels like an entirely distinct binary from semgrep or any other variants.

>> Their docs and website try very hard to suggest you should use it for some kind of CI process...

Just a piece of feedback for the record: I have been stuck in exactly the same place the few times I was interested in trying out a ripgrep alternative that understood semantics, but didn't have such an urgent need to actually understand how to get things going.

Thanks! Could you let me know what you'd change on our Getting Started[0] page to explain the CLI usage better?

[0]: https://semgrep.dev/docs/getting-started/

I'd suggest adding at least one example of using `semgrep --pattern <pattern>`. That seems pretty well hidden in the docs, and for me it's the most useful option.

I wasn't trying to search for things that other people thought were interesting; I wanted a tool that would search for some pattern I thought of - and preferably without having to write a yaml file.

Thanks a lot! I opened a pull request with your suggestion here: https://github.com/returntocorp/semgrep-docs/pull/744

Edit: It's approved but that's just our CEO :D I'll wait for an approval from our tech writers who are in non-US time zones, so your suggestion will likely land tomorrow. Thank you!

I really wish it could infer the language from the file type. One of the things that prevents me from reaching for semgrep as often as I want to is the complexity, and having it infer language from filetype would be nice.
Good idea! I opened an issue here: https://github.com/returntocorp/semgrep/issues/6331
I love it, thank you!
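As an added illustration of the two ideas raised above (an ad-hoc `semgrep --pattern <pattern>` search without a YAML rule, and inferring the `--lang` value from the file type), here is a small wrapper that groups the given paths by file extension and builds one Semgrep invocation per inferred language. This is example code written for this page, not Semgrep's own code or a proposal from the maintainers; the extension-to-language table is my own assumption (the values are existing Semgrep `--lang` identifiers), and only the real `--lang` and `--pattern` flags are used.

```python
"""Illustrative wrapper: infer a Semgrep --lang value from the file extension.

Added example for this thread, not Semgrep's own code. EXT_TO_LANG below is an
assumed mapping; the values are real Semgrep --lang identifiers.
"""
import os
import shlex
import subprocess
from collections import defaultdict

# Assumed mapping (extend as needed). Values are Semgrep --lang identifiers.
EXT_TO_LANG = {
    ".py": "python",
    ".js": "javascript", ".jsx": "javascript", ".mjs": "javascript",
    ".ts": "typescript", ".tsx": "typescript",
    ".go": "go",
    ".java": "java",
    ".rb": "ruby",
    ".c": "c", ".h": "c",
    ".rs": "rust",
    ".php": "php",
}


def infer_lang(path):
    """Return the Semgrep language for `path`, or None when the extension is unknown.
    Extensions are compared case-insensitively, so `Main.PY` is still Python."""
    _, ext = os.path.splitext(path)
    return EXT_TO_LANG.get(ext.lower())


def group_by_lang(paths):
    """Split paths into {lang: [paths]} plus a list of files with no known language."""
    groups = defaultdict(list)
    skipped = []
    for p in paths:
        lang = infer_lang(p)
        if lang is None:
            skipped.append(p)
        else:
            groups[lang].append(p)
    return dict(groups), skipped


def build_commands(pattern, paths, only=None):
    """Build one `semgrep --lang L --pattern P <files>` argv per inferred language.

    `only` is an optional set of languages to keep: a pattern is written in one
    language's syntax (e.g. `needle_arg=...` is a Python keyword argument), so
    running it against every language it was not written for just produces parse
    errors. The pattern is one argv element, so the shell never reinterprets it.
    """
    groups, skipped = group_by_lang(paths)
    commands = []
    for lang in sorted(groups):
        if only is not None and lang not in only:
            skipped.extend(groups[lang])
            continue
        commands.append(["semgrep", "--lang", lang, "--pattern", pattern,
                         *sorted(groups[lang])])
    return commands, skipped


def run(pattern, paths, only=None, dry_run=True):
    """Print (and, unless dry_run, execute) the generated semgrep invocations."""
    commands, skipped = build_commands(pattern, paths, only)
    for argv in commands:
        print(shlex.join(argv))
        if not dry_run:
            subprocess.run(argv, check=False)
    for p in skipped:
        print(f"# skipped (no language inferred or not selected): {p}")
    return commands, skipped


if __name__ == "__main__":
    # Constructed sample paths; nothing is executed because dry_run=True.
    run("myfunc(..., needle_arg=..., ...)",
        ["app/main.py", "web/index.js", "README.md", "lib/util.ts"],
        only={"python"})
```

Grouping by inferred language gives the convenience asked for above, but it also shows why Semgrep asks for `--lang` in the first place: the pattern itself is language-specific, so in practice the wrapper is most useful with `only=` set to the language the pattern was written in.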