Integrations

Semgrep integrates into the development flow end-to-end, from code conception in the IDE to code review and beyond in pull requests, Slack, over email, and more. Everyone's workflow is a little different and Semgrep is meant to adapt to yours.

Continuous integration (CI)

The following instructions use Semgrep CI and require a free Semgrep Community or paid Semgrep Team account. The SEMGREP_DEPLOYMENT_ID and SEMGREP_APP_TOKEN values are available under Manage > Settings after login.

Danger

SEMGREP_APP_TOKEN is a secret value: DO NOT HARDCODE IT AND LEAK CREDENTIALS. Use your CI provider's secret or environment variable management feature to store it.

Supported integrations

Semgrep can seamlessly integrate into your CI pipeline using GitHub Actions or GitLab CI.

GitHub Actions

name: Semgrep

on: 
    # Run on all pull requests. Returns the results introduced by the PR.
    pull_request: {}

    # Run on merges. Returns all results.
    #push:
    #    branches: ["master", "main"]

jobs:
  semgrep:
    name: Scan
    runs-on: ubuntu-latest
    steps:
      # Checkout project source
      - uses: actions/checkout@v1

      # Scan code using project's configuration on https://semgrep.dev/manage
      - uses: returntocorp/semgrep-action@v1

        # Set GITHUB_TOKEN to leave inline comments on your pull requests.
        #env:
        #  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

        with:
          publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}
          publishDeployment: ${{ secrets.SEMGREP_DEPLOYMENT_ID }}

          # Generate a SARIF file for GitHub's code scanning feature. See the next step.
          #generateSarif: "1"

      # Upload SARIF file generated in previous step
      #- name: Upload SARIF file
      #  uses: github/codeql-action/upload-sarif@v1
      #  with:
      #    sarif_file: semgrep.sarif
      #  if: always()

GitLab CI

include:
  - template: 'Workflows/MergeRequest-Pipelines.gitlab-ci.yml'

semgrep:
  image: returntocorp/semgrep-agent:v1
  script:
    - python -m semgrep_agent --publish-deployment $SEMGREP_DEPLOYMENT_ID --publish-token $SEMGREP_APP_TOKEN


Standalone providers

Although not fully supported, these instructions are here to help you integrate with your CI provider of choice.

The following commands can be run by your CI provider (or on the commandline):

# Set additional environment variables (exported so the agent process inherits them)
$ export SEMGREP_JOB_URL=https://example.com/me/myjob
$ export SEMGREP_REPO_URL=https://gitwebsite.com/myrepository
$ export SEMGREP_BRANCH=mybranch
$ export SEMGREP_REPO_NAME=myorg/myrepository

# Run semgrep_agent
$ python -m semgrep_agent --publish-deployment $SEMGREP_DEPLOYMENT_ID --publish-token $SEMGREP_APP_TOKEN

For diff-aware scans, include the flag --baseline-ref set to a git ref (branch name, tag, or commit hash) to use as a baseline. This will prompt Semgrep to ignore findings that were already present in the codebase, and only show findings that were introduced by modifications to the baseline.
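As an added example (not part of the Semgrep documentation or the semgrep_agent project), the wrapper below packages the steps above for a provider without a native integration: it checks that the required variables are present without ever printing their values, derives SEMGREP_BRANCH from git when the provider does not export it, and turns a base branch into a merge-base commit for --baseline-ref so the scan is diff-aware. The variable name SEMGREP_BASE_BRANCH and the "run" argument convention are assumptions of this example.

```shell
#!/bin/sh
# Added example wrapper for a standalone CI provider; not from the Semgrep docs.
# Assumed: SEMGREP_BASE_BRANCH (base branch of the change, set by you or your CI).
set -u

# Fail if a required variable is unset or empty. Only the variable NAME is
# written to stderr, never its value, so the token cannot land in build logs.
require_var() {
    eval "val=\${$1:-}"
    if [ -z "$val" ]; then
        echo "error: $1 is not set" >&2
        return 1
    fi
}

# Branch under test: prefer the value the CI provider exported, else ask git.
current_branch() {
    if [ -n "${SEMGREP_BRANCH:-}" ]; then
        echo "$SEMGREP_BRANCH"
    else
        git rev-parse --abbrev-ref HEAD
    fi
}

# Build the semgrep_agent argument list (flags as documented on this page).
# With SEMGREP_BASE_BRANCH set, the merge-base commit becomes --baseline-ref so
# only findings introduced on this branch are reported.
semgrep_args() {
    base="${SEMGREP_BASE_BRANCH:-}"
    args="--publish-deployment $SEMGREP_DEPLOYMENT_ID --publish-token $SEMGREP_APP_TOKEN"
    if [ -n "$base" ]; then
        ref=$(git merge-base "$base" HEAD) || return 1
        args="$args --baseline-ref $ref"
    fi
    echo "$args"
}

main() {
    require_var SEMGREP_DEPLOYMENT_ID && require_var SEMGREP_APP_TOKEN || exit 1
    SEMGREP_BRANCH=$(current_branch); export SEMGREP_BRANCH
    set +x   # make sure shell tracing is off: the next line carries the token
    # shellcheck disable=SC2046  # word-splitting of the argument string is intended
    python -m semgrep_agent $(semgrep_args)
}

# Only scan when invoked as "run_semgrep.sh run"; otherwise the file can be sourced.
if [ "${1:-}" = "run" ]; then main; fi
```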

Using the instructions above, Semgrep should be able to integrate into the following CI providers, with some limitations:

- AppVeyor
- Bamboo
- Bitbucket Pipelines
- Bitrise
- Buildbot
- Buildkite
- CircleCI
- Codeship
- Codefresh
- Jenkins
- TeamCity CI
- Travis CI

For example, Buildkite and CircleCI can be configured as follows, though some features such as deduplication of results may not work as expected:

Buildkite

- label: ":semgrep: Semgrep"
  command: python -m semgrep_agent --publish-deployment $SEMGREP_DEPLOYMENT_ID --publish-token $SEMGREP_APP_TOKEN
  expeditor:
    executor:
      docker:
        image: returntocorp/semgrep-agent:v1
        workdir: /<repo_name>

CircleCI

version: 2
jobs:
    build:
        docker:
            - image: returntocorp/semgrep-agent:v1
        steps:
            - checkout
            - run: python -m semgrep_agent --publish-deployment $SEMGREP_DEPLOYMENT_ID --publish-token $SEMGREP_APP_TOKEN


Is your CI provider missing? Let us know by filing an issue here.

Inline PR Comments (beta)

Info

This feature is currently only available for GitHub.

To get inline PR comments on your pull requests, set the GITHUB_TOKEN environment variable in your workflow file to secrets.GITHUB_TOKEN, which is the GitHub app installation access token. You can see an example of this environment variable set (commented out) in the above example workflow file. There’s no need to create this secret yourself because it’s automatically set by GitHub. It only needs to be passed to the action via the workflow file.

Comments are left when Semgrep CI finds a result that blocks CI. Note that this feature is experimental; please reach out to support@r2c.dev to report any issues.

Editor

Semgrep supports Microsoft Visual Studio Code with the semgrep-vscode extension.

Git hook

The pre-commit framework can run semgrep at commit-time. Install pre-commit and add the following to .pre-commit-config.yaml:

repos:
- repo: https://github.com/returntocorp/semgrep
  rev: 'v0.32.0'
  hooks:
    - id: semgrep
      # See semgrep.dev/rulesets to select a ruleset and copy its URL
      args: ['--config', '<SEMGREP_RULESET_URL>', '--error']

Notifications

Semgrep provides integrations with 3rd party services like Slack, Jira, Defect Dojo, and others. To configure these and learn more, visit Manage > Notifications.