Semgrep Pack
V3 static-analysis scan capability pack. By-value connector composition (service_kind=cli, no separate ingredient): one local semgrep CLI ingredient exposes bounded project operations for readiness and SAST scanning. Scans run from an explicit project directory cwd supplied at execution time, scan one trusted source directory with the fixed Semgrep Registry p/default ruleset, and return Semgrep JSON findings via the code.sast_scan catalog operation. Fixed-function and bounded: scan command only, JSON stdout, metrics disabled, version check disabled, OSS engine only, no autofix, no finding-based exit failure, no caller-supplied config/rule/pattern, no remote repository clone, no CI/login/publish/LSP/MCP/server command, no Pro engine, no secrets validation, no output-file write, no SARIF/GitLab/JUnit sidecar, no arbitrary semgrep flags, and no shell wrapper. Approval is ask because fetching Registry rules contacts semgrep.dev. Requires semgrep on PATH. Network egress to Semgrep Registry for the fixed ruleset.
What this pack installs
- semgrep Ingredient
Trust & control
What installing this whole pack would let it do. Recued grants these permissions at install — review them there before approving.