# Semgrep baseline

Deterministic baseline runner that executes Semgrep against a single benchmark case and emits a submission payload in the benchmark schema.

## Usage

```bash
# Run for one case
SEMGREP_SEND_TELEMETRY=0 SEMGREP_ENABLE_VERSION_CHECK=0 \
  baselines/semgrep/run_case.sh cases/js/unsafe-eval /tmp/semgrep-out

# Run for all cases under a root
SEMGREP_SEND_TELEMETRY=0 SEMGREP_ENABLE_VERSION_CHECK=0 \
  baselines/semgrep/run_all.sh cases /tmp/semgrep-all
```

Outputs:
- Per-case: `/submission.json`
- All cases: `/submission.json` (merged, deterministic ordering)

## Requirements

- Semgrep CLI available on PATH. Tested with `semgrep >= 1.72`. Telemetry/version checks must be disabled for offline/deterministic runs.
- Python 3.11+ for normalization script.

## Determinism posture

- Telemetry/version checks disabled by default via env (see scripts).
- Stable ordering of cases and sinks.
- No network access.
- If Semgrep is missing, runner still produces a valid submission marking all sinks as `unreachable`, preserving schema validity.
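
A preflight check for the requirements and determinism posture above, as an added example that is not part of the baseline's own scripts. The function names and status words are hypothetical, and it assumes `semgrep --version` prints a dotted version number.

```bash
# Added example (not from the baseline scripts): report whether this shell
# matches the README's posture before a run. All names here are hypothetical.

MIN_SEMGREP="1.72"   # minimum version stated under Requirements

# version_ge A B: succeed when dotted version A >= B, comparing each field
# numerically (a plain string compare would rank 1.100 below 1.72).
version_ge() {
  # Empty or non-numeric input (e.g. an error message) is not a version.
  case "$1" in ''|*[!0-9.]*) return 2 ;; esac
  _a=$1 _b=$2
  while [ -n "$_a" ] || [ -n "$_b" ]; do
    _x=${_a%%.*}; _y=${_b%%.*}
    [ "${_x:-0}" -gt "${_y:-0}" ] && return 0
    [ "${_x:-0}" -lt "${_y:-0}" ] && return 1
    case "$_a" in *.*) _a=${_a#*.} ;; *) _a= ;; esac
    case "$_b" in *.*) _b=${_b#*.} ;; *) _b= ;; esac
  done
  return 0
}

# posture_status VERSION: print one status word for the current environment.
# VERSION is the output of `semgrep --version`, or empty when the CLI is absent.
posture_status() {
  [ "${SEMGREP_SEND_TELEMETRY:-}" = "0" ] || { echo telemetry-not-disabled; return; }
  [ "${SEMGREP_ENABLE_VERSION_CHECK:-}" = "0" ] || { echo version-check-not-disabled; return; }
  # Per the README a missing CLI is not fatal: every sink is reported as
  # `unreachable`, so flag it to avoid reading that output as a clean scan.
  [ -n "$1" ] || { echo semgrep-missing; return; }
  # An unparseable version string is treated the same as an old one.
  version_ge "$1" "$MIN_SEMGREP" || { echo semgrep-too-old; return; }
  echo ok
}

# preflight: read the installed version (if any) and classify the environment.
preflight() {
  _v=$(command -v semgrep >/dev/null 2>&1 && semgrep --version 2>/dev/null | head -n 1) || _v=""
  posture_status "$_v"
}
```

Source the file and call `preflight` in the shell that will launch the runner; any result other than `ok` means the run does not match the tested, deterministic configuration.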