diff --git a/py/plugins/semgrep.py b/py/plugins/semgrep.py
index 7f165d4..fb358aa 100644
--- a/py/plugins/semgrep.py
+++ b/py/plugins/semgrep.py
@@ -20,6 +20,9 @@
 """
 import os
+from csmock.common.util import sanitize_opts_arg
+
+
 # disable metrics to be sent to semgrep cloud
 DEFAULT_SEMGREP_SEND_METRICS = "off"
@@ -96,6 +99,9 @@ def handle_args(self, parser, args, props): # pylint: disable=too-many-statemen
 if not args.semgrep_rules_repo:
 parser.error("'--semgrep-rules-repo' is required to run semgrep scan")
+# sanitize options passed to --semgrep-scan-opts to avoid shell injection
+self.semgrep_scan_opts = sanitize_opts_arg(parser, args, "--semgrep-scan-opts")
+
 # install semgrep cli and download semgrep rules
 def prepare_semgrep_runtime_hook(results, props):
 # target dir where semgrep cli and its dependencies are installed
@@ -164,8 +170,8 @@ def scan_hook(results, mock, props): # pylint: disable=unused-argument
 semgrep_scan_cmd += " --verbose"
 # append additional options passed to the 'semgrep scan' command
-if args.semgrep_scan_opts:
-semgrep_scan_cmd += f" {args.semgrep_scan_opts}"
+if self.semgrep_scan_opts:
+semgrep_scan_cmd += f" {self.semgrep_scan_opts}"
 # eventually append the target directory to be scanned
 semgrep_scan_cmd += (
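Review bot: The value assigned to `self.semgrep_scan_opts` in the second hunk is still interpolated unquoted into `semgrep_scan_cmd` in the third hunk, so the injection safety the comment promises rests entirely on what `sanitize_opts_arg()` rejects, and neither the comment nor the call site says what that contract is. The comment should state it, e.g. `# sanitize_opts_arg() must only accept a strict allowlist (flags, rule ids, paths); the value is later spliced unquoted into the shell command`, and the same rationale belongs on the third hunk as `# already validated by sanitize_opts_arg() in handle_args()` so a reader knows why no quoting happens there. Whether the helper returns None or "" when the option is absent is not visible here; if it returns anything else, the truthiness check in the third hunk would append it. The enclosing handle_args() and the nested scan_hook() both start and end outside these hunks.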