Skip to content
Recued
Menu
← Back to packs

Semgrep Pack

by recued-core v1 app_pack

V3 static-analysis scan capability pack. By-value connector composition (service_kind=cli, no separate ingredient): one local semgrep CLI ingredient exposes bounded project operations for readiness and SAST scanning. Scans run from an explicit project directory cwd supplied at execution time, scan one trusted source directory with the fixed Semgrep Registry p/default ruleset, and return Semgrep JSON findings via the code.sast_scan catalog operation. Fixed-function and bounded: scan command only, JSON stdout, metrics disabled, version check disabled, OSS engine only, no autofix, no finding-based exit failure, no caller-supplied config/rule/pattern, no remote repository clone, no CI/login/publish/LSP/MCP/server command, no Pro engine, no secrets validation, no output-file write, no SARIF/GitLab/JUnit sidecar, no arbitrary semgrep flags, and no shell wrapper. Approval is ask because fetching Registry rules contacts semgrep.dev. Requires semgrep on PATH. Network egress to Semgrep Registry for the fixed ruleset.

What this pack installs

  • semgrep Ingredient

Trust & control

What installing this whole pack would let it do. Recued grants these permissions at install — review them there before approving.

Where it runs

Server only Runs on your server.

What it's allowed to do

Read Local CLI semgrep read-only
Read: semgrep.version · No approvalRead: code.sast_scan · Asks approval

Data it touches

SurfacesLocal CLI

About

Tags

pack:semgrepsemgrepsaststatic-analysissecuritycode-qualityjsondeveloper-toolsdeterministicv3composition