Ignoring files, folders, or parts of code
Exclude specific files, folders or parts of code from results of Semgrep scans in your repository or working directory. Semgrep will not generate findings for the ignored items.
This is separate from ignoring a finding, which is a triage operation after a Semgrep scan has found a match.
All Semgrep environments (CLI, CI, and App) adhere to user-defined or Semgrep-defined ignore patterns.
| Goal | Method |
| --- | --- |
| To ignore blocks of code | Create a comment, followed by a space, followed by the word `nosemgrep`, on either the first line of the potential match or the line preceding it. |
| To ignore files and folders | Create a `.semgrepignore` file at the root of your repository or working directory. |
Understanding Semgrep defaults
Without user customization, Semgrep refers to the following to define ignored files and folders:
- Semgrep's default `.semgrepignore`
- Your repository's `.gitignore` file (if it exists)
In the absence of a user-generated `.semgrepignore`, Semgrep refers to its repository's default template, which groups its entries under the following headings:
- Common large paths
- Common test paths
- Semgrep rules folder
- Semgrep-action log folder
This default `.semgrepignore` file is opinionated and causes Semgrep to skip those folders.
To include them in a scan, create your own `.semgrepignore` file that omits those paths (an empty `.semgrepignore` file is enough if you have nothing else to ignore).
Files, folders, and code beyond Semgrep's scope
Semgrep also skips files that are outside the scope of what it can usefully analyze:
- Large files (the maximum file size defaults to 1MB)
- Binary files
- Files with unknown extensions (extensions not matched to any supported programming language)
Large files and files with unknown extensions can be included or excluded through command-line flags such as `--max-target-bytes` and `--scan-unknown-extensions` (see the CLI reference). Binary files are never scanned.
In this document, "files, folders, and code" means those that are relevant to a Semgrep scan. For example, `.jpg` files are outside Semgrep's scope and are therefore outside the scope of this document.
Customizing ignore behavior
Semgrep provides several methods to customize ignore behavior. Refer to the following table to see which method suits your goal:
| Goal | Method |
| --- | --- |
| To scan all files within Semgrep's scope each time you run Semgrep (only files matched by `.gitignore` are ignored) | Create an empty `.semgrepignore` file. |
| To ignore files and folders listed in `.gitignore` | Add `:include .gitignore` to your `.semgrepignore` file. |
| To ignore custom files and folders each time you run a scan | Add those files and folders to your `.semgrepignore` file. |
| To ignore specific code blocks each time you run a scan | Create a comment with the word `nosemgrep` (see the section on `nosemgrep` below). |
| To ignore files or folders for a particular scan | Run Semgrep with the flag `--exclude`. |
| To include files or folders for a particular scan | Run Semgrep with the flag `--include`. |
| To include files or folders defined within a `.gitignore` | Run Semgrep with the flag `--no-git-ignore`. |
| To ignore files or folders for a particular rule | Edit the rule to set the `paths` key with `exclude` or `include` entries. |
Defining files and folders in .semgrepignore
`.semgrepignore` syntax mirrors `.gitignore` syntax, with the following modifications:
- "Include" patterns (lines starting with `!`) are unsupported.
- "Character range" patterns (lines including a collection of characters inside brackets, such as `[0-9]`) are unsupported.
- A `:include ...` directive is added, which allows another file to be included in the ignore pattern list; typically this included file would be the project's `.gitignore`. No attempt at cycle detection is made.
- Any line beginning with a colon, but not `:include`, will raise an error.
- `\:` is added to escape a leading colon, so that a path starting with `:` can still be ignored.
Unsupported patterns are removed from the pattern list without raising an error (this is done so that `.gitignore` files may be included as-is); each removal is logged.
For a description of `.gitignore` syntax, see the .gitignore documentation.
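To make those rules concrete, here is an added example that is not Semgrep's own code: a small parser that applies the listed modifications to a `.semgrepignore` (comments and blank lines dropped, `!` patterns and character ranges removed and logged, `:include FILE` spliced in, any other colon-prefixed line rejected, and `\:` unescaped to a literal leading colon). Two things in it are assumptions rather than documented behavior: `:include` paths are resolved relative to the file that contains the directive, and, unlike Semgrep, which makes no attempt at cycle detection, it refuses to follow a repeated or cyclic include. The `.gitignore` and `.semgrepignore` it reads are constructed in a temporary directory by `demo()`.

```python
"""Illustrative parser for the .semgrepignore rules described above (not Semgrep's code)."""
import logging
import os
import re
import tempfile

log = logging.getLogger("semgrepignore")

# A bracketed character range such as "[0-9]" or "[abc]" (unsupported by Semgrep).
_CHAR_RANGE = re.compile(r"\[[^\]]+\]")
# The only supported directive: ":include" followed by one path.
_INCLUDE = re.compile(r":include\s+(\S+)$")


class SemgrepIgnoreError(ValueError):
    """A line starts with ':' but is not a well-formed ':include' directive."""


def parse_lines(lines, base_dir, origin="<memory>", _seen=None):
    """Return (patterns, dropped) for the given .semgrepignore lines.

    patterns: the effective ignore patterns, in file order.
    dropped:  unsupported lines that were removed (and logged), so the caller
              can see what an included .gitignore lost.
    base_dir: directory against which ':include' paths are resolved
              (assumption: relative to the including file).
    """
    seen = set() if _seen is None else _seen
    patterns, dropped = [], []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank lines and comments, as in .gitignore
        if line.startswith("\\:"):
            patterns.append(line[1:])      # backslash-colon keeps a literal leading colon
            continue
        if line.startswith(":"):
            m = _INCLUDE.match(line)
            if not m:
                raise SemgrepIgnoreError(f"{origin}:{lineno}: unknown directive {line!r}")
            target = os.path.abspath(os.path.join(base_dir, m.group(1)))
            if target in seen:             # our own guard; Semgrep itself has none
                raise SemgrepIgnoreError(f"{origin}:{lineno}: repeated or cyclic include of {target}")
            seen.add(target)
            with open(target, encoding="utf-8") as f:
                sub_patterns, sub_dropped = parse_lines(f, os.path.dirname(target), target, seen)
            patterns.extend(sub_patterns)
            dropped.extend(sub_dropped)
            continue
        if line.startswith("!") or _CHAR_RANGE.search(line):
            log.info("%s:%d: dropping unsupported pattern %r", origin, lineno, line)
            dropped.append(line)
            continue
        patterns.append(line)
    return patterns, dropped


def parse_file(path):
    """Parse the .semgrepignore at `path`, resolving includes relative to it."""
    path = os.path.abspath(path)
    with open(path, encoding="utf-8") as f:
        return parse_lines(f, os.path.dirname(path), path, {path})


def demo():
    """Constructed project: a .gitignore holding two patterns Semgrep cannot
    express, included from a .semgrepignore. Returns (patterns, dropped)."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, ".gitignore"), "w", encoding="utf-8") as f:
            f.write("node_modules/\n*.log\n!keep.log\nbuild[0-9]/\n")
        with open(os.path.join(root, ".semgrepignore"), "w", encoding="utf-8") as f:
            f.write("# project ignores\n:include .gitignore\ntests/\n\\:odd-dir/\n")
        return parse_file(os.path.join(root, ".semgrepignore"))


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    kept, gone = demo()
    print("effective patterns:", kept)
    print("dropped (logged):", gone)
```

Running it shows the practical consequence of including a `.gitignore`: the negation `!keep.log` and the range `build[0-9]/` disappear from the effective list, so anything relying on those two lines is not ignored the way Git would ignore it, and only the log line tells you so.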
Defining files and folders in Semgrep App
Another method for users to define ignore patterns is through a Project in Semgrep App. These patterns follow the same syntax as `.semgrepignore` in the preceding section.
To define files and folders in Semgrep App:
- Sign into Semgrep App.
- From the Dashboard Sidebar, select Projects > [Project name].
- Enter files and folders to ignore in the Path Ignores box.
Ignoring files and folders through this method is additive. When Semgrep App runs a scan, it looks for a `.semgrepignore` within the repository. If no `.semgrepignore` file is found, it temporarily creates one and adds the items from Semgrep App's Path Ignores. Adding items to the Path Ignores box does not override the default Semgrep ignore patterns.
Ignoring code through nosemgrep
To ignore blocks of code, define an inline comment, followed by a space, followed by the word `nosemgrep`, on either the first line of the potential match or the line preceding it. Semgrep then ignores all rule pattern matches at that location. This functionality works across all supported languages.
Examples of `nosemgrep` annotations (Python and C-style comment syntax):
```
bad_func1() # nosemgrep
bad_func2(); // nosemgrep
bad_func3( // nosemgrep
```
The space between the comment delimiter and `nosemgrep` is required for Semgrep to detect the annotation.
To ignore blocks of code for a particular rule only, enter its rule ID as follows: `nosemgrep: RULE_ID`. To ignore multiple rules, use a comma-delimited list. Rule IDs must be referenced with their namespace (for example `configs.rule-id-3`, not `rule-id-3`).
```
bad_func1() # nosemgrep: rule-id-1
# nosemgrep: rule-id-1, rule-id-2
// nosemgrep: configs.rule-id-3
bad_func2(); // nosemgrep: configs.rule-id-3
bad_func3( // nosemgrep: configs.rule-id-3, configs.rule-id-4
```
Previous annotations for ignoring code inline, such as `nosem`, are deprecated.
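The following is an added example, not Semgrep's implementation, that resolves the annotation rules above against a source file: given the file's lines and a list of findings (rule ID plus the first line of the match), it decides which findings an inline annotation suppresses. It encodes the three points a reviewer most often trips over: the comment delimiter must be followed by a space; the annotation may sit on the first line of the match or on the line immediately before it; and a rule list only matches IDs spelled with their namespace. The comment delimiters it recognizes (`#`, `//`, `--`, `/*`), the sample file and the findings list are all constructed for the example.

```python
"""Illustrative nosemgrep resolver (added example; not Semgrep's own logic)."""
import re

ALL = "*"  # sentinel: a bare "nosemgrep" suppresses every rule at that location

# Comment delimiter, at least one space, "nosemgrep", then an optional ": id, id, ...".
_ANNOTATION = re.compile(
    r"(?:#|//|--|/\*)\s+nosemgrep(?::\s*([\w.\-]+(?:\s*,\s*[\w.\-]+)*))?"
)


def annotation_on(line):
    """Return None (no annotation), ALL, or the set of rule IDs the line names."""
    m = _ANNOTATION.search(line)
    if not m:
        return None
    if m.group(1) is None:
        return ALL
    return {rid.strip() for rid in m.group(1).split(",")}


def is_suppressed(lines, start_line, rule_id):
    """True if the finding for `rule_id` whose match starts at 1-indexed
    `start_line` is covered by an annotation on that line or the line before it."""
    for ln in (start_line - 1, start_line):
        if 1 <= ln <= len(lines):
            ann = annotation_on(lines[ln - 1])
            if ann == ALL or (ann is not None and rule_id in ann):
                return True
    return False


# Constructed sample file; the rule IDs are the placeholders used in the text above.
SAMPLE = """\
bad_func1()  # nosemgrep
ok_func()
bad_func2()  # nosemgrep: configs.rule-id-3
# nosemgrep: rule-id-1, rule-id-2
bad_func3()
bad_func4()  #nosemgrep
bad_func5()  # nosemgrep: rule-id-3
""".splitlines()

# Constructed findings as (rule_id, first line of the match).
FINDINGS = [
    ("rule-id-1", 1),          # bare nosemgrep on the match line: suppressed
    ("configs.rule-id-3", 3),  # listed with its namespace: suppressed
    ("rule-id-1", 3),          # not in that line's list: reported
    ("rule-id-1", 5),          # annotation on the preceding line: suppressed
    ("rule-id-9", 5),          # not in the preceding line's list: reported
    ("rule-id-1", 6),          # "#nosemgrep" lacks the required space: reported
    ("configs.rule-id-3", 7),  # annotation omits the namespace: reported
]


def triage(lines=SAMPLE, findings=FINDINGS):
    """Return [(rule_id, line, suppressed)] for each finding."""
    return [(rid, ln, is_suppressed(lines, ln, rid)) for rid, ln in findings]


if __name__ == "__main__":
    for rid, ln, hidden in triage():
        print(f"line {ln:2d}  {rid:<20} {'ignored' if hidden else 'REPORTED'}")
```

The two "reported" cases at lines 6 and 7 are the ones worth remembering when an annotation appears not to work: a missing space after the delimiter, and a rule ID written without its namespace.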
Disabling rules on Semgrep App
Semgrep App users can disable rules and rulesets through the Rule Board. See Removing rules or rulesets.
If Semgrep's default ignore patterns are skipping files you expect to be scanned, create an empty `.semgrepignore` file in your repository or working directory. If the scan is a one-off event, delete the `.semgrepignore` file afterward to restore the default ignore patterns.