Customize your CI job
- You have gained the necessary resource access and permissions required for deployment.
- You have created a Semgrep account and organization.
- For GitHub and GitLab users: You have connected your source code manager.
- Optionally, you have set up SSO.
- You have successfully added a Semgrep job to your CI workflow.
Customize your CI job to achieve the following goals:
- Run Semgrep on a schedule. Run full scans on main or trunk branches at the least intrusive time on developer teams.
- Run Semgrep when an event triggers. Run Semgrep when a pull or merge request (PR or MR) is created.
- Set a timeout to increase or decrease Semgrep's overall runtime. If scans are taking too long, or rules aren't running, customize your per-rule timeout.
Set up diff-aware scans
Follow the steps in this section only for the following CI providers:
- Jenkins
- CI providers without guidance from Semgrep AppSec Platform
Some Semgrep CI jobs require manual configuration of diff-aware scans, which scan pull or merge requests in feature branches. For the CI providers outlined in the preceding list, you can configure a diff-aware job by performing the following steps:
- Create a separate CI job following the steps in Add Semgrep to CI through Semgrep AppSec Platform.
- Set the
SEMGREP_BASELINE_REFvariable in your CI configuration file. The value of this environment variable is typically your trunk branch, such asmainormaster.
Set a scan schedule
The following table is a summary of methods and resources to set up schedules for different CI providers.
| CI provider | Where to set schedule |
|---|---|
| GitHub Actions | See Sample CI configs for information on how to modify your semgrep.yml file |
| GitLab CI/CD | Refer to GitLab documentation |
| Jenkins | Refer to Jenkins documentation |
| Bitbucket Pipelines | Refer to Bitbucket documentation |
| CircleCI | Refer to CircleCI documentation |
| Buildkite | Refer to Buildkite documentation |
| Azure Pipelines | Refer to Azure documentation |
Set a custom timeout
By default, Semgrep spends 5 seconds to run per rule. To set a custom timeout for the Semgrep job, set the SEMGREP_TIMEOUT environment variable in seconds. Decreasing this value speeds up your scans, but with the possibility of skipping some rules. Alternatively, increasing this value ensures that your most complex rules finish running. For example:
SEMGREP_TIMEOUT="3" # Sets the per-rule timeout to 3 seconds.
Setting this variable to 0 removes the time limit, meaning that rules can take any amount of time to run.
Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.