semgrep - any way to strip out terminal codes in its default output?


If I run semgrep on the command line, I get a very nice output.

However, if I save to a file, I get all sorts of terminal ANSI escape sequences when I open it in a text editor:

Findings:

[36m[22m[24m  ....lib/_baseutils.py [0m
     [1m[24mpython.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2[0m
        Detected direct use of jinja2. If not done properly, this may bypass HTML escaping which
        opens up the application to cross-site scripting (XSS) vulnerabilities. Prefer using the
        Flask method 'render_template()' and templates with a '.html' extension in order to
        prevent XSS.
        Details: https://sg.run/RoKe

       2252┆ templateEnv = [1m[24mEnvironment(loader=templateLoader)[0m
          ⋮┆----------------------------------------

Yes, I know I can cat out.txt and it looks beautiful again. But how do I get a format that looks ok in a text editor? (Actually, the best would be a markdown, since the urls would work).

Now, I've tested the --json flag, but that's over-complicated for human readability. --vim and --emacs were ok, but a bit terse, like missing the rule URLs. And too long, being on a single line. The rest of the output formats like --junit look even less promising.

I guess I could sed the output to strip out those terminal characters. Any other ideas to look at?


Solution

  • If the normal terminal printout is what you want you can use the fact that semgrep supports the somewhat standard NO_COLOR environment variable. So running:

    env NO_COLOR=1 semgrep <command> > <file>
    

    should get you a file sans-ANSI escape sequences.
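As an added example (not from the question or the answer above), here is a small Python script that does what the question's sed idea would do and also produces the Markdown the asker wanted: it strips the CSI escape sequences and turns the text report into Markdown with clickable rule URLs. The sample report is constructed from the question's snippet, and the indentation-based parsing is an assumption about the layout shown there, not a semgrep API.

```python
import re

# Constructed sample of semgrep's default text output with colour on (ESC written as \x1b).
SAMPLE = (
    "Findings:\n\n\x1b[36m\x1b[22m\x1b[24m  lib/_baseutils.py \x1b[0m\n"
    "     \x1b[1m\x1b[24mpython.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2\x1b[0m\n"
    "        Detected direct use of jinja2. If not done properly, this may bypass HTML escaping.\n"
    "        Details: https://sg.run/RoKe\n\n"
    "       2252┆ templateEnv = \x1b[1m\x1b[24mEnvironment(loader=templateLoader)\x1b[0m\n"
    "          ⋮┆----------------------------------------\n"
)

ANSI_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")  # ECMA-48 CSI sequences: \x1b[36m, \x1b[0m, ...
CODE_RE = re.compile(r"^\s*(\d+)┆ ?(.*)$")        # source line: "  2252┆ templateEnv = ..."

def strip_ansi(text: str) -> str:
    """Remove colour/style escapes, i.e. what NO_COLOR=1 stops semgrep from emitting."""
    return ANSI_RE.sub("", text)

def parse_findings(text: str) -> list:
    """Indentation-based parser (assumed layout): 2 spaces = file, 5 = rule id, 8+ = message."""
    findings, path, cur = [], None, None
    for line in strip_ansi(text).splitlines():
        line, body = line.rstrip(), line.strip()
        if not body or body.startswith(("Findings:", "⋮┆")):
            continue
        indent = len(line) - len(line.lstrip())
        code = CODE_RE.match(line)
        if code and cur is not None:
            cur["lines"].append((int(code.group(1)), code.group(2)))
        elif indent == 2:
            path = body
        elif indent == 5 and path:
            cur = {"path": path, "rule_id": body, "message": [], "details": "", "lines": []}
            findings.append(cur)
        elif cur is not None and body.startswith("Details: "):
            cur["details"] = body[len("Details: "):]
        elif cur is not None:
            cur["message"].append(body)
    return findings

def to_markdown(text: str) -> str:
    """Render findings as Markdown so the rule URLs become clickable links in an editor."""
    fence, out = "`" * 3, []
    for f in parse_findings(text):
        link = f" ([details]({f['details']}))" if f["details"] else ""
        out += [f"### `{f['path']}`", f"**{f['rule_id']}**{link}", "", " ".join(f["message"]), ""]
        if f["lines"]:
            out += [fence] + [f"{n}: {src}" for n, src in f["lines"]] + [fence, ""]
    return "\n".join(out)
```

Pipe a saved report through `to_markdown(open("out.txt").read())` to get a file that reads well in an editor; with NO_COLOR=1 set, `strip_ansi` simply has nothing to remove.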