@mondoohq/xgrep_darwin_amd64
v0.12.0
A fast, Semgrep-compatible code scanner written in Go. Supports pattern matching, taint analysis, and autofix across 20+ programming languages.
@mondoohq/xgrep
A fast, Semgrep-compatible code scanner written in Go.
xgrep scans codebases using Semgrep YAML rule syntax and tree-sitter for language-aware, AST-based pattern matching. It optimizes for accuracy — when it reports a vulnerability, it should be real and exploitable — and adds code-intelligence and AI-agent features on top of scanning.
This npm package ships prebuilt xgrep binaries for Linux, macOS, and Windows (amd64 and arm64; the macOS binaries are signed and notarized).
Quick start
xgrep ships with a built-in rule corpus, so no rules file is needed to get started — run it straight from npx:
# Scan the current directory with the built-in rules (defaults to security)
npx @mondoohq/xgrep scan .

# Choose a category (default: security)
npx @mondoohq/xgrep scan --category correctness .

# Machine-readable output
npx @mondoohq/xgrep scan --json .
npx @mondoohq/xgrep scan --sarif .                         # GitHub Code Scanning
npx @mondoohq/xgrep scan --gitlab -o gl-sast-report.json .  # GitLab SAST

# Bring your own rules: point -f at a rule file or a directory of rules
npx @mondoohq/xgrep scan -f rules.yaml src/

A scan target can also be a remote git repository — xgrep clones it (shallow, default branch) into a temp directory and scans it, no manual clone needed:

npx @mondoohq/xgrep scan github.com/mondoohq/xgrep                  # host/owner/repo shorthand
npx @mondoohq/xgrep scan https://github.com/mondoohq/xgrep          # or a full HTTPS/SSH URL
npx @mondoohq/xgrep scan github.com/mondoohq/xgrep --ref v1.2.0     # a branch, tag, or commit

Install
To add the xgrep command to your PATH instead of using npx:
# Global install
npm install -g @mondoohq/xgrep
xgrep scan .
# Or as a project dev dependency
npm install --save-dev @mondoohq/xgrep
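As an added example for the bring-your-own-rules step in Quick start (this file is not part of xgrep or its README), here is a `rules.yaml` with one pattern rule that carries an autofix and one taint-mode rule. It uses standard Semgrep rule keys (`pattern-either`, `fix`, `mode: taint`, `pattern-sources`, `pattern-sanitizers`, `pattern-sinks`, `focus-metavariable`); that xgrep accepts each of these is an assumption based on the Semgrep-compatibility, taint and autofix claims above.

```yaml
# rules.yaml (added example, not shipped with xgrep)
# Run:  npx @mondoohq/xgrep scan -f rules.yaml --json src/
rules:
  # 1. Pattern rule with autofix. yaml.load() with no Loader or with the full
  #    yaml.Loader/UnsafeLoader can instantiate arbitrary Python objects from
  #    attacker-controlled YAML; the fix rewrites the call to yaml.safe_load().
  - id: python-yaml-unsafe-load
    languages: [python]
    severity: ERROR
    message: yaml.load() with an unsafe Loader deserializes arbitrary objects; use yaml.safe_load()
    pattern-either:
      - pattern: yaml.load($DATA)
      - pattern: yaml.load($DATA, Loader=yaml.Loader)
      - pattern: yaml.load($DATA, Loader=yaml.UnsafeLoader)
    fix: yaml.safe_load($DATA)
    metadata:
      category: security
      cwe: "CWE-502: Deserialization of Untrusted Data"

  # 2. Taint-mode rule. Tracks Flask request parameters flowing into a shell
  #    command; shlex.quote() on the path is treated as a sanitizer, so
  #    quoted values do not produce a finding.
  - id: python-flask-request-to-shell
    mode: taint
    languages: [python]
    severity: ERROR
    message: request data reaches a shell command without quoting (command injection)
    pattern-sources:
      - pattern: flask.request.args.get(...)
      - pattern: flask.request.form.get(...)
    pattern-sanitizers:
      - pattern: shlex.quote(...)
    pattern-sinks:
      - patterns:
          - pattern: subprocess.$FN($CMD, ..., shell=True, ...)
          - focus-metavariable: $CMD
      - patterns:
          - pattern: os.system($CMD)
          - focus-metavariable: $CMD
    metadata:
      category: security
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"
```

The `category` metadata matches the `--category` selector used in Quick start, so these rules sit in the default `security` set when loaded with `-f`.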