CI Integrations

Semgrep CI provides integrations with third-party services such as Slack and GitHub. When integrations are configured, you can receive notifications about Semgrep CI findings and failures. To configure these and learn more, visit Dashboard > Integrations.

Slack

To receive Slack notifications about Semgrep findings on pull requests and code pushes, visit Dashboard > Integrations and select 'Add integration' or 'Setup First Integration' and then choose 'Slack'. Give your channel a name, and then follow the setup instructions on the page to retrieve your Webhook URL.

[Screenshot: an empty Slack channel integration that still needs to be filled in]

Use the 'Test' button to send a test notification and ensure that your channel is configured properly.

[Screenshot: the notification a correctly configured Slack webhook sends]

Email

To receive email notifications about Semgrep findings on pull requests and code pushes, visit Dashboard > Integrations and select 'Add integration' or 'Setup First Integration', and then choose 'Email'. Enter your email address, give the channel a name of your choosing, and then click 'Save'.

On each scan that has at least one finding, you will receive one email from Semgrep with a summary of all of the findings from that scan.

Pull request comments

Info: This feature is currently only available for GitHub.

Pull request comments are left when:

  1. Semgrep finds a result in CI, and
  2. the CI policy has pull request comments enabled.

Automated comments on GitHub pull requests look like this:

[Screenshot: an automated Semgrep comment on a GitHub pull request]

Note that Semgrep App uses the permissions requested by https://github.com/apps/semgrep-dev to leave PR comments.

If you are using GitHub Actions to run Semgrep, no extra changes are needed to get PR comments. If you are using another CI provider, then in addition to the environment variables you set after following the sample CI configurations, you need to ensure that the following environment variables are correctly defined:

  - SEMGREP_COMMIT is set to the full commit hash of the code being scanned (e.g. d8875d6a63bba2b377a57232e404d2e367dce82d)
  - SEMGREP_PR_ID is set to the PR number of the pull request on GitHub (e.g. 2900)
  - SEMGREP_REPO_NAME is set to the repo name (e.g. returntocorp/semgrep)
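The following is an added example, not code from the Semgrep docs: a POSIX shell helper that exports the three variables above and checks that they are well-formed (full hash, numeric PR number, owner/repo name) before the job runs Semgrep. The function names are assumptions; the sample values are the ones quoted above.

```shell
#!/bin/sh
# Added example, not part of the Semgrep docs: validate and export the three
# variables a non-GitHub-Actions CI job needs before running `semgrep ci`, so
# that PR comments can be posted. Sample values are the ones quoted on the page.

# check_semgrep_pr_env: returns 0 when SEMGREP_COMMIT, SEMGREP_PR_ID and
# SEMGREP_REPO_NAME are well-formed, 1 otherwise (one message per problem).
check_semgrep_pr_env() {
    ok=0
    # SEMGREP_COMMIT: full 40-character lowercase hex SHA, not an abbreviated one
    case "$SEMGREP_COMMIT" in
        ""|*[!0-9a-f]*) echo "SEMGREP_COMMIT must be a lowercase hex hash"; ok=1 ;;
        *) [ "${#SEMGREP_COMMIT}" -eq 40 ] || { echo "SEMGREP_COMMIT must be the full 40-char hash"; ok=1; } ;;
    esac
    # SEMGREP_PR_ID: positive integer without leading zeros
    case "$SEMGREP_PR_ID" in
        ""|0*|*[!0-9]*) echo "SEMGREP_PR_ID must be a positive integer"; ok=1 ;;
    esac
    # SEMGREP_REPO_NAME: owner/repo, exactly one slash, both parts non-empty
    case "$SEMGREP_REPO_NAME" in
        ""|/*|*/|*/*/*) echo "SEMGREP_REPO_NAME must be owner/repo"; ok=1 ;;
        */*) ;;
        *) echo "SEMGREP_REPO_NAME must be owner/repo"; ok=1 ;;
    esac
    return "$ok"
}

# set_semgrep_pr_env COMMIT PR_ID REPO_NAME: export the variables, then validate.
# In a real job the commit usually comes from `git rev-parse HEAD` and the PR
# number and repo name from the CI provider's own variables (names vary by provider).
set_semgrep_pr_env() {
    SEMGREP_COMMIT="$1"; SEMGREP_PR_ID="$2"; SEMGREP_REPO_NAME="$3"
    export SEMGREP_COMMIT SEMGREP_PR_ID SEMGREP_REPO_NAME
    check_semgrep_pr_env
}

# Usage: returns non-zero if any value is malformed, so the job can fail
# before Semgrep runs instead of silently producing no PR comment.
set_semgrep_pr_env d8875d6a63bba2b377a57232e404d2e367dce82d 2900 returntocorp/semgrep
```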