whatisgithub

What is semhound?

salecharohit/semhound — explained in plain English

Analysis updated 2026-05-18

7PythonAudience · ops devopsComplexity · 3/5LicenseSetup · moderate

In one sentence

A command-line tool that runs Semgrep security scans across every repo in a GitHub org or account, with optional AI triage of findings.

Mindmap

mindmap
  root((semhound))
    What it does
      Scans whole GitHub orgs
      Uses Semgrep rules
      AI triage of findings
    Workflow
      Discover repos
      Shallow clone
      Run Semgrep scan
      Write CSV report
    Tech stack
      Python
      Semgrep
      GitHub CLI
      SSH
    Use cases
      Bug bounty sweeps
      Zero day version checks
      Org wide SAST
    Audience
      AppSec teams
      DevOps engineers

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Sweep every repo in a GitHub org for a specific vulnerability pattern found in a bug bounty report.

USE CASE 2

Find every repo still using a vulnerable version of a library after a zero-day disclosure.

USE CASE 3

Use AI triage to filter Semgrep findings down to likely true positives.

What is it built with?

PythonSemgrepGitHub CLIGitSSH

How does it compare?

salecharohit/semhoundcaptaingrock/krea2trainercodenamekt/hexus
Stars777
LanguagePythonPythonPython
Setup difficultymoderatehardmoderate
Complexity3/54/53/5
Audienceops devopsdesignerdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30min

Requires GitHub CLI, git, Semgrep, and OpenSSH installed, plus an SSH key registered with GitHub.

Use freely for any purpose, including commercial use, as long as you keep the copyright notice (MIT license).

So what is it?

Semhound is a command line tool that runs Semgrep code scans across every repository in one or more GitHub organizations or user accounts at once. Semgrep is a static analysis tool, meaning it reads source code to spot patterns without running the program, and its rules are written in simple YAML files. Semhound automates what would otherwise be a manual, one repo at a time process, turning it into a single command that sweeps an entire org. The workflow has four steps. Discover uses the GitHub command line tool to list every repository under a target org or user. Clone shallow clones each repo in parallel over SSH, skipping large files to save bandwidth. Scan runs your Semgrep rules against every cloned repo. Report writes a combined CSV file for each target, with direct links back to GitHub for every match found, plus an optional SARIF report for tools that expect that format. An optional AI triage step sends each finding to a language model, choosing between Claude, OpenAI, Gemini, or AWS Bedrock, and gets back a confidence score from 0 to 100 along with a true positive or false positive verdict. You can supply a custom system prompt so the model's judgment fits your specific situation. The tool is meant for targeted, on demand scanning rather than continuous monitoring. A typical use is writing one precise rule, for example a SQL injection pattern flagged in a bug bounty report or a vulnerable library version named in a new security disclosure, then sweeping every repo you own to find every other place the same problem exists. Before running it you need the GitHub CLI, git, Semgrep, and OpenSSH installed and an SSH key registered with GitHub. It is written in Python, released under the MIT license, and installable through pip or pipx.

Copy-paste prompts

Prompt 1
Write a Semgrep rule that matches the SQL injection pattern described in this bug report, then explain how to run semhound with it.
Prompt 2
Help me set up an ai.config file for semhound using the Claude provider.
Prompt 3
Walk me through the prerequisites I need installed before running semhound against my GitHub org.
Prompt 4
Explain the difference between semhound's CSV report and its optional SARIF report.

Frequently asked questions

What is semhound?

A command-line tool that runs Semgrep security scans across every repo in a GitHub org or account, with optional AI triage of findings.

What language is semhound written in?

Mainly Python. The stack also includes Python, Semgrep, GitHub CLI.

What license does semhound use?

Use freely for any purpose, including commercial use, as long as you keep the copyright notice (MIT license).

How hard is semhound to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is semhound for?

Mainly ops devops.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.