Tamp.OpenGrep
1.11.2
Prefix Reserved
dotnet add package Tamp.OpenGrep --version 1.11.2
NuGet\Install-Package Tamp.OpenGrep -Version 1.11.2
<PackageReference Include="Tamp.OpenGrep" Version="1.11.2" />
<PackageVersion Include="Tamp.OpenGrep" Version="1.11.2" />
<PackageReference Include="Tamp.OpenGrep" />
paket add Tamp.OpenGrep --version 1.11.2
#r "nuget: Tamp.OpenGrep, 1.11.2"
#:package Tamp.OpenGrep@1.11.2
#addin nuget:?package=Tamp.OpenGrep&version=1.11.2
#tool nuget:?package=Tamp.OpenGrep&version=1.11.2
Tamp.OpenGrep
Tamp wrapper for the opengrep SAST CLI. Pattern-matching analyzer forked from Semgrep with multi-vendor governance (no Pro paywall). Emits SARIF by default so downstream sinks like Tamp.DefectDojo.V2 consume it directly.
| Package | Status |
|---|---|
| Tamp.OpenGrep | Wave 1 |
Install
opengrep is not in any of the usual package-manager registries — no winget manifest, no scoop bucket, no Homebrew formula, no PyPI package, no NuGet tool. The only supported install path is downloading the high-level CLI from the project's GitHub Releases.
Picking the right asset
The release artifacts split into two binary families. You want the opengrep_* family (the high-level CLI), not opengrep-core_* (the low-level OCaml engine). Tamp.OpenGrep wraps the high-level CLI.
| Platform | Asset |
|---|---|
| Linux x86_64 (glibc) | opengrep_manylinux_x86 |
| Linux aarch64 (glibc) | opengrep_manylinux_aarch64 |
| Linux x86_64 (musl) | opengrep_musllinux_x86 |
| Linux aarch64 (musl) | opengrep_musllinux_aarch64 |
| macOS x86_64 | opengrep_osx_x86 |
| macOS arm64 (Apple Silicon) | opengrep_osx_arm64 |
| Windows x64 | opengrep_windows_x86.exe |
Each artifact ships with a matching .sig (Sigstore signature) and .cert (signing certificate) for verification — see Verifying signatures below.
Linux / macOS — one-liner
```bash
# Adjust ASSET for your platform from the table above.
ASSET=opengrep_osx_arm64
# -f makes curl fail on an HTTP error instead of saving the error page as the binary.
curl -fL -o /usr/local/bin/opengrep \
  "https://github.com/opengrep/opengrep/releases/latest/download/${ASSET}"
chmod +x /usr/local/bin/opengrep
opengrep --version
```
Windows — one-liner (PowerShell)
```powershell
$dest = "$env:LOCALAPPDATA\opengrep\opengrep.exe"
New-Item -ItemType Directory -Force (Split-Path $dest) | Out-Null
Invoke-WebRequest `
  -Uri "https://github.com/opengrep/opengrep/releases/latest/download/opengrep_windows_x86.exe" `
  -OutFile $dest
# Add the install dir to PATH for the current user (one-time).
[Environment]::SetEnvironmentVariable(
  "PATH",
  [Environment]::GetEnvironmentVariable("PATH","User") + ";$(Split-Path $dest)",
  "User")
# Open a new shell, then:
opengrep --version
```
Tamp.OpenGrep emits `CommandPlan { Executable = "opengrep", ... }` — the binary must be on PATH or invoked via a wrapping Tool injected by the adopter.
Verifying signatures (optional)
Releases are signed with Sigstore. To verify the binary you downloaded:
```bash
# Install cosign (https://docs.sigstore.dev/system_config/installation/).
ASSET=opengrep_osx_arm64
curl -fL -o "${ASSET}" "https://github.com/opengrep/opengrep/releases/latest/download/${ASSET}"
curl -fL -o "${ASSET}.sig" "https://github.com/opengrep/opengrep/releases/latest/download/${ASSET}.sig"
curl -fL -o "${ASSET}.cert" "https://github.com/opengrep/opengrep/releases/latest/download/${ASSET}.cert"
# The identity regexp and OIDC issuer pin the signature to the project's GitHub Actions workflow;
# a valid signature from any other identity is rejected.
cosign verify-blob \
  --certificate "${ASSET}.cert" \
  --signature "${ASSET}.sig" \
  --certificate-identity-regexp 'https://github.com/opengrep/opengrep/.*' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  "${ASSET}"
```
Quick start
```csharp
using Tamp;
using Tamp.OpenGrep;

class Build : TampBuild
{
    public static int Main(string[] args) => Execute<Build>(args);

    [FromPath("opengrep")] readonly Tool OpenGrep = null!;

    Target Sast => _ => _.Executes(() => OpenGrep.Scan(s => s
        .AddRulePack("auto")
        .AddTarget("src")
        .EmitSarif("artifacts/opengrep.sarif")
        .DisableVersionCheck()
        .Quiet()));
}
```
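The Sast target above only produces `artifacts/opengrep.sarif`; a pipeline usually also needs a gate on it. The following is an added example, not code from Tamp.OpenGrep or opengrep: a standalone program that reads the SARIF, lists every error-level result with its rule and location, and returns a non-zero exit code when any exist. It assumes only the SARIF 2.1.0 layout (`runs[].results[]`) and the built-in `System.Text.Json`; the embedded sample document and its rule IDs are constructed.

```csharp
using System;
using System.IO;
using System.Text.Json;

static class SarifGate
{
    // Prints each error-level result as "ruleId  uri:line" and returns how many there were.
    // Per the SARIF spec a result without "level" is treated as "warning".
    public static int ReportErrors(string sarifJson)
    {
        using var doc = JsonDocument.Parse(sarifJson);
        int errors = 0;
        foreach (var run in doc.RootElement.GetProperty("runs").EnumerateArray())
        {
            if (!run.TryGetProperty("results", out var results)) continue;
            foreach (var r in results.EnumerateArray())
            {
                string level = r.TryGetProperty("level", out var l) ? l.GetString() ?? "warning" : "warning";
                if (level != "error") continue;
                errors++;
                string rule = r.TryGetProperty("ruleId", out var rid) ? rid.GetString() ?? "?" : "(no ruleId)";
                string where = "(no location)";
                if (r.TryGetProperty("locations", out var locs) && locs.GetArrayLength() > 0)
                {
                    var phys = locs[0].GetProperty("physicalLocation");
                    string uri = phys.GetProperty("artifactLocation").GetProperty("uri").GetString() ?? "?";
                    int line = phys.TryGetProperty("region", out var reg) && reg.TryGetProperty("startLine", out var sl)
                        ? sl.GetInt32() : 0;
                    where = $"{uri}:{line}";
                }
                Console.WriteLine($"  {rule}  {where}");
            }
        }
        return errors;
    }

    // Constructed sample in the SARIF 2.1.0 shape: one error-level and one warning-level result.
    const string Sample = """
        {"version":"2.1.0","runs":[{"tool":{"driver":{"name":"opengrep"}},"results":[
          {"ruleId":"example.rule-error","level":"error","message":{"text":"constructed"},
           "locations":[{"physicalLocation":{"artifactLocation":{"uri":"src/Db.cs"},"region":{"startLine":42}}}]},
          {"ruleId":"example.rule-warning","level":"warning","message":{"text":"constructed"}}]}]}
        """;

    public static int Main(string[] args)
    {
        // Pass the SARIF path written by the Sast target; with no argument the constructed sample is used.
        string json = args.Length > 0 ? File.ReadAllText(args[0]) : Sample;
        int errors = ReportErrors(json);
        Console.WriteLine($"opengrep: {errors} error-level finding(s)");
        return errors > 0 ? 1 : 0;  // non-zero exit fails the pipeline step
    }
}
```

Run as `dotnet run -- artifacts/opengrep.sarif` after the Sast target; warning- and note-level results are left to the downstream sink rather than blocking the build.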
Why no auto-bootstrap
Tamp's install-source attributes ([FromPath], [FromNodeModules], [NuGetPackage]) cover the registries adopters typically reach for. opengrep doesn't currently distribute through any of them — it ships exclusively as signed binaries on GitHub Releases. If opengrep later publishes to winget / scoop / Homebrew / PyPI / NuGet, this README will be updated and (optionally) the wrapper can grow a matching install attribute.
License
MIT — see the LICENSE at the repo root.
| Product | Compatible | Computed target frameworks |
|---|---|---|
| .NET | net8.0 | net8.0-android, net8.0-browser, net8.0-ios, net8.0-maccatalyst, net8.0-macos, net8.0-tvos, net8.0-windows |
| .NET | net9.0 | net9.0-android, net9.0-browser, net9.0-ios, net9.0-maccatalyst, net9.0-macos, net9.0-tvos, net9.0-windows |
| .NET | net10.0 | net10.0-android, net10.0-browser, net10.0-ios, net10.0-maccatalyst, net10.0-macos, net10.0-tvos, net10.0-windows |
NuGet packages (1)
Showing the top 1 NuGet packages that depend on Tamp.OpenGrep:
| Package | Description |
|---|---|
| Tamp.Security.Pipeline | Tamp meta-package — one PackageReference, one base-class inheritance, get the whole Wave 1+2 security chain: CycloneDX SBOM → SAST (OpenGrep + Roslyn) → SCA (osv-scanner + Dependency-Track) → Trivy secrets+misconfig → DefectDojo reimport. Adopters override `SecurityProductName` + `SecuritySolutionPath` and run `tamp Security`. DT and DD legs are env-var-gated; producer half runs unconditionally. .NET-focused for v0 — non-.NET adopters override Sbom to use Tamp.Syft instead. |
GitHub repositories
This package is not used by any popular GitHub repositories.