# Run scans on pre-commit

The pre-commit framework can run Semgrep when you commit changes. This helps prevent secrets and security issues from leaking into your Git history.
## Prerequisites

## pre-commit with Semgrep CE (no login)

Use these instructions to run pre-commit without logging in. You can still use custom rules or rules from the Semgrep Registry.

Add the following to your `.pre-commit-config.yaml` file:
```yaml
repos:
  - repo: https://github.com/semgrep/pre-commit
    rev: 'SEMGREP_VERSION_LATEST'
    hooks:
      - id: semgrep
        entry: semgrep
        # Replace <SEMGREP_RULESET_URL> with your custom rule source
        # or see https://semgrep.dev/explore to select a ruleset and copy its URL
        args: ['--config', '<SEMGREP_RULESET_URL>', '--error', '--skip-unknown-extensions']
```
## pre-commit with your Semgrep AppSec Platform configuration

You can also run custom rules and rulesets from Semgrep AppSec Platform, similar to running `semgrep ci`.

Ensure that you are logged in:

- Log in to your Semgrep account. Running this command launches a browser window, but you can also use the link that's returned in the CLI to proceed:

  ```sh
  semgrep login
  ```

- In the Semgrep CLI login, click **Activate** to proceed.

Add the following to your `.pre-commit-config.yaml` file:

```yaml
repos:
  - repo: https://github.com/semgrep/pre-commit
    rev: 'SEMGREP_VERSION_LATEST'
    hooks:
      - id: semgrep-ci
```
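As an added example (not part of the Semgrep documentation or the semgrep/pre-commit project), the following POSIX shell script sanity-checks a `.pre-commit-config.yaml` against the two layouts shown above before the hook is trusted to gate commits. It fails when `rev` still carries the `SEMGREP_VERSION_LATEST` placeholder, when the Semgrep CE hook (`id: semgrep`) lacks `--error` (without that flag Semgrep exits 0 on findings, so pre-commit reports them but the commit still succeeds), or when `--config` still points at `<SEMGREP_RULESET_URL>`. The function name `check_semgrep_hook`, the sample configs it writes, the tag `v1.0.0` and the local `./rules` path are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Semgrep docs: lint a .pre-commit-config.yaml so
# the semgrep hook really blocks a commit when it finds something.
# Assumes the two layouts on this page: hook id "semgrep" with an args line,
# or hook id "semgrep-ci". Function and file names are this example's own.

check_semgrep_hook() {
  cfg="$1"

  # The hook must be present, either the CE "semgrep" or the platform "semgrep-ci" id.
  if ! grep -Eq '^[[:space:]]*-[[:space:]]*id:[[:space:]]*semgrep(-ci)?[[:space:]]*$' "$cfg"; then
    echo "FAIL: no semgrep hook in $cfg"
    return 1
  fi

  # rev must be a real tag, not the docs placeholder; an unpinned hook is neither
  # reproducible nor auditable.
  if grep -Eq "^[[:space:]]*rev:[[:space:]]*'?SEMGREP_VERSION_LATEST'?" "$cfg"; then
    echo "FAIL: rev is still the SEMGREP_VERSION_LATEST placeholder in $cfg"
    return 2
  fi

  # For the CE hook, findings only fail the commit when --error is passed, and the
  # ruleset placeholder must have been replaced with a real rule source.
  if grep -Eq '^[[:space:]]*-[[:space:]]*id:[[:space:]]*semgrep[[:space:]]*$' "$cfg"; then
    if ! grep -q -- '--error' "$cfg"; then
      echo "FAIL: semgrep hook lacks --error, findings will not block commits in $cfg"
      return 3
    fi
    if grep -q '<SEMGREP_RULESET_URL>' "$cfg"; then
      echo "FAIL: --config still points at the <SEMGREP_RULESET_URL> placeholder in $cfg"
      return 4
    fi
  fi

  echo "OK: $cfg"
  return 0
}

# Constructed sample configs (not real project files) for a quick self-check.
write_samples() {
  dir="$1"
  cat > "$dir/good.yaml" <<'EOF'
repos:
  - repo: https://github.com/semgrep/pre-commit
    rev: 'v1.0.0'   # constructed tag for the example; pin a real release
    hooks:
      - id: semgrep
        entry: semgrep
        args: ['--config', './rules', '--error', '--skip-unknown-extensions']
EOF
  cat > "$dir/unpinned.yaml" <<'EOF'
repos:
  - repo: https://github.com/semgrep/pre-commit
    rev: 'SEMGREP_VERSION_LATEST'
    hooks:
      - id: semgrep-ci
EOF
  cat > "$dir/no_error.yaml" <<'EOF'
repos:
  - repo: https://github.com/semgrep/pre-commit
    rev: 'v1.0.0'
    hooks:
      - id: semgrep
        entry: semgrep
        args: ['--config', './rules', '--skip-unknown-extensions']
EOF
}

# Usage: check every sample and report which ones would let findings through.
tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp"/*.yaml; do
  check_semgrep_hook "$f" || true
done
```

Run it against your own file with `check_semgrep_hook .pre-commit-config.yaml`; a non-zero return tells you which of the three conditions is unmet. The checks are line-based on purpose so the script has no dependency beyond `grep`, which also means a config written in a different YAML layout needs the patterns adjusted.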
For guidance on customizing Semgrep's behavior in pre-commit, see Customize Semgrep in pre-commit.