
Run scans on pre-commit

The pre-commit framework can run Semgrep each time you commit changes. This helps prevent secrets and security issues from entering your Git history in the first place.

Prerequisites

The pre-commit framework.

pre-commit with Semgrep CE (no login)

Use these instructions to run pre-commit without logging in. You can still use custom rules or rules from the Semgrep Registry.

Add the following to your .pre-commit-config.yaml file:

    repos:
      - repo: https://github.com/semgrep/pre-commit
        rev: 'SEMGREP_VERSION_LATEST'
        hooks:
          - id: semgrep
            entry: semgrep
            # Replace <SEMGREP_RULESET_URL> with your custom rule source
            # or see https://semgrep.dev/explore to select a ruleset and copy its URL
            args: ['--config', '<SEMGREP_RULESET_URL>', '--error', '--skip-unknown-extensions']

pre-commit with your Semgrep AppSec Platform configuration

You can also run custom rules and rulesets from Semgrep AppSec Platform, similar to running semgrep ci.

Ensure that you are logged in:

  1. Log in to your Semgrep account. Running this command launches a browser window, but you can also use the link that's returned in the CLI to proceed:

        semgrep login

  2. In the Semgrep CLI login page, click Activate to proceed.

Add the following to your .pre-commit-config.yaml file:

    repos:
      - repo: https://github.com/semgrep/pre-commit
        rev: 'SEMGREP_VERSION_LATEST'
        hooks:
          - id: semgrep-ci
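Both snippets above ship with placeholders, and a hook that still carries them (or that lacks `--error`, without which Semgrep exits 0 on findings and the commit goes through) silently protects nothing. The following added example, which is not part of the Semgrep docs or the semgrep/pre-commit project, checks the Semgrep hook entries of a `.pre-commit-config.yaml` once it has been parsed into a dict (for instance with PyYAML's `safe_load`); the sample configs, the `v1.2.3` tag and the `./semgrep-rules/` path are constructed values, not real releases or rulesets.

```python
"""Sanity-check the Semgrep hook entries of a parsed .pre-commit-config.yaml."""
import re

SEMGREP_REPO = "https://github.com/semgrep/pre-commit"
SEMGREP_HOOK_IDS = {"semgrep", "semgrep-ci"}  # the two hook ids the docs describe
# Treat a version tag (vX.Y.Z / X.Y.Z) or a full 40-hex commit SHA as pinned.
PINNED_REV = re.compile(r"^(v?\d+\.\d+\.\d+|[0-9a-f]{40})$")

MESSAGES = {
    "unknown-hook": "hook id is not one the semgrep/pre-commit repo provides",
    "unpinned-rev": "rev is a placeholder, not a version tag or commit SHA",
    "missing-config": "no --config, so the semgrep hook has no rules to run",
    "placeholder-ruleset": "<SEMGREP_RULESET_URL> was never replaced",
    "missing-error": "no --error, so findings exit 0 and the commit is not blocked",
}


def check_semgrep_hooks(config):
    """Return [(hook_id, code), ...] for each misconfiguration; [] means the hooks look sane."""
    problems = []
    for repo in config.get("repos") or []:
        if repo.get("repo") != SEMGREP_REPO:
            continue
        rev = str(repo.get("rev", ""))
        for hook in repo.get("hooks") or []:
            hook_id = str(hook.get("id", ""))
            if hook_id not in SEMGREP_HOOK_IDS:
                problems.append((hook_id, "unknown-hook"))
                continue
            if not PINNED_REV.match(rev):
                problems.append((hook_id, "unpinned-rev"))
            if hook_id == "semgrep-ci":
                continue  # rules come from the logged-in Semgrep AppSec Platform account
            # Flatten '--flag=value' into '--flag', 'value' so both spellings are handled.
            args = [p for a in hook.get("args") or []
                    for p in (str(a).split("=", 1) if str(a).startswith("--") else [str(a)])]
            if "--config" not in args:
                problems.append((hook_id, "missing-config"))
            elif "<SEMGREP_RULESET_URL>" in args:
                problems.append((hook_id, "placeholder-ruleset"))
            if "--error" not in args:
                problems.append((hook_id, "missing-error"))
    return problems


# Constructed sample: the Semgrep CE snippet copied verbatim, placeholders intact.
UNEDITED_CE_CONFIG = {"repos": [{"repo": SEMGREP_REPO, "rev": "SEMGREP_VERSION_LATEST",
    "hooks": [{"id": "semgrep", "entry": "semgrep",
               "args": ["--config", "<SEMGREP_RULESET_URL>", "--error", "--skip-unknown-extensions"]}]}]}
# Constructed sample: placeholders replaced with an example tag and a local rules directory.
PINNED_CE_CONFIG = {"repos": [{"repo": SEMGREP_REPO, "rev": "v1.2.3",
    "hooks": [{"id": "semgrep", "entry": "semgrep",
               "args": ["--config", "./semgrep-rules/", "--error", "--skip-unknown-extensions"]}]}]}

if __name__ == "__main__":
    for name, cfg in (("unedited", UNEDITED_CE_CONFIG), ("pinned", PINNED_CE_CONFIG)):
        problems = check_semgrep_hooks(cfg)
        print(f"{name}: {'ok' if not problems else ''}")
        for hook_id, code in problems:
            print(f"  {hook_id}: {MESSAGES[code]}")
```

A pre-commit hook runs on the developer's machine and can be skipped, so treat it as an early warning and keep `semgrep ci` in the pipeline as the enforcing check.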

For guidance on customizing Semgrep's behavior in pre-commit, see Customize Semgrep in pre-commit.
