Introduction
Semgrep is improving every day: whether it's pushing new features to the Semgrep App, writing rules to support new languages, or cutting down scan runtimes, engineers at r2c spend every day looking for and implementing changes that make Semgrep faster, more effective, and easier to use. This post focuses on an aspect of Semgrep that I've been spending some time on: integrating Semgrep security scanning into CI/CD. After all, what good is a great tool if you can't easily add it to your workflow?
Why support CI?
CI/CD tools let you streamline your build process by using triggers from source control to build, deploy, and manage your applications continuously. Adding a tool like Semgrep to your CI workflow lets you keep constant tabs on the security of your code using the infrastructure you already have: find vulnerabilities on every push, manage findings in bulk, block vulnerable code from being merged, and show findings to developers through PR comments.
Building out Semgrep's CI support
Until recently, we only had official support for GitHub Actions and GitLab CI/CD. What if users wanted to integrate Semgrep security scanning with other CI/CD providers, such as Jenkins or Buildkite? How can we guarantee a painless setup process for getting Semgrep into the workflow?
For the past few months, I've been integrating Semgrep into various CI and CD tools that aren't as straightforward as GitHub Actions. Although all CI providers are similar in nature, some of them can be a bit... tricky to set up and add new tools to (looking at you, Jenkins), and, as a Customer Success Engineer, I have the opportunity to see firsthand where the pain points are when adding Semgrep to CI. This is exactly why I went through the process of adding Semgrep to a workflow with some of our most commonly seen CI providers (namely Jenkins, Buildkite, Bitbucket, and CircleCI). I configured each CI job to ensure that anyone using the same config can quickly and easily start scanning their code, receiving findings in the App, seeing comments on pull requests, and overall getting the most out of Semgrep.
In addition to the four CI providers mentioned above, we've also added support for GitHub Enterprise and GitLab Self-Managed. You can now get PR comments with either via the 'SCM management' tab under the 'settings' sidebar: add your custom Git URL along with an access token that has permission to leave PR comments, and you'll be good to go.
Integrating Semgrep into CI
You can find the newly-added CI support on the project setup page of the Semgrep app. From the Projects tab, select "Scan new project" and choose "Run scan in CI" to see the list of officially supported CI providers.
Selecting any of these takes you to a config file that has been run and tested in that CI provider, along with some switches on the right that you can use to customize the config.
If you're not using one of the providers mentioned above, fret not: selecting "Other" from the dropdown list shows you how to run the Semgrep Docker image in any provider that supports Docker. Alternatively, you can install Semgrep with the package manager of your choice. If you go that route, see our docs on how to set up hyperlinks to the sources of findings in code and how to configure PR comments.
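For the "Other" provider case, here is the kind of wrapper I would drop into a job step on a provider that has no ready-made template. It is an added example for this post, not r2c's own config or a template from the App: it refuses to start without the App token, maps whatever metadata the provider exposes onto the SEMGREP_* variables that Semgrep reads for source hyperlinks and PR comments, and runs `semgrep ci` from the Docker image. The image name `returntocorp/semgrep`, its `/src` working directory, the `semgrep ci` subcommand, and the SEMGREP_* variable names are assumptions taken from the Semgrep docs as I understand them; the repository URL, branch and job values in the usage note are constructed.

```shell
#!/bin/sh
# Added example (not r2c's own config): a generic CI step for providers
# without a ready-made template. Assumed: the returntocorp/semgrep image
# with /src as its working directory, the `semgrep ci` subcommand, and
# the SEMGREP_* variables Semgrep reads for source hyperlinks and PR
# comments. Values passed in the usage example are constructed.
set -eu

IMAGE="${SEMGREP_IMAGE:-returntocorp/semgrep}"

# Metadata the App needs to hyperlink findings and to post PR comments.
META_VARS="SEMGREP_REPO_NAME SEMGREP_REPO_URL SEMGREP_BRANCH \
SEMGREP_COMMIT SEMGREP_JOB_URL SEMGREP_PR_ID"

# Fail fast: without the App token `semgrep ci` can neither fetch the
# project's policy nor report findings, so the job should not start.
require_token() {
  if [ -z "${SEMGREP_APP_TOKEN:-}" ]; then
    echo "SEMGREP_APP_TOKEN is not set; add it as a masked CI secret" >&2
    return 1
  fi
}

# "org/repo" from an https or ssh clone URL, e.g.
#   https://github.com/org/repo.git  ->  org/repo
#   git@github.com:org/repo.git      ->  org/repo
repo_name_from_url() {
  url=${1%.git}
  url=${url%/}
  case $url in
    *://*) url=${url#*://}; url=${url#*/} ;;
    *@*:*) url=${url#*:} ;;
  esac
  printf '%s\n' "$url"
}

# Map whatever the CI provider exposes onto the SEMGREP_* variables.
# Arguments: repo URL, branch, commit SHA, job URL, PR id (empty on pushes).
export_metadata() {
  export SEMGREP_REPO_URL="$1"
  export SEMGREP_REPO_NAME="$(repo_name_from_url "$1")"
  export SEMGREP_BRANCH="$2"
  export SEMGREP_COMMIT="$3"
  export SEMGREP_JOB_URL="$4"
  # Only set on pull requests; its presence is what enables PR comments.
  if [ -n "${5:-}" ]; then export SEMGREP_PR_ID="$5"; fi
}

# Print the docker argv one argument per line (dry run / debugging).
# `-e NAME` without a value makes docker copy NAME from this environment
# and leave it unset in the container when it is unset here, so the
# token never appears on the command line or in the job log.
semgrep_argv() {
  require_token
  printf '%s\n' docker run --rm -v "$PWD:/src" -e SEMGREP_APP_TOKEN
  for v in $META_VARS; do
    printf '%s\n' -e "$v"
  done
  printf '%s\n' "$IMAGE" semgrep ci
}

# Execute the scan; the exit status is semgrep's, so blocking findings
# fail the job.
semgrep_run() {
  require_token
  IFS='
'
  set -f
  set -- $(semgrep_argv)
  set +f
  unset IFS
  "$@"
}

case "${1:-}" in
  run)  semgrep_run ;;
  show) semgrep_argv ;;
esac
```

In a job step you would source the script, call `export_metadata` with your provider's own variables (for instance `export_metadata "https://github.com/example-org/demo-app.git" "feature/login" "$COMMIT_SHA" "$JOB_URL" "${PR_NUMBER:-}"`), and then run `sh semgrep-ci.sh run`; `sh semgrep-ci.sh show` prints the argv it would execute so you can confirm the variables are wired up before spending a scan.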
Conclusion
If you like Semgrep and all it has to offer, we highly recommend implementing our security scans into your CI/CD workflow, as it will make it easier for you to continuously manage the security of your applications. We're always thinking about ways to improve how Semgrep runs in CI, which is why we've added support for some of the most widely used CI providers and will continue to add more in the future.
If you have any questions, feel free to reach out to us in the community Slack; we're happy to help.
Finally, please enjoy this extremely cute picture of a capybara.