Set up reusable GitHub workflows for Semgrep scans
Reusable workflows allow you to simplify the process of configuring .github/workflows/semgrep.yml files for each of your repositories. You define a workflow once, then reuse it in other workflows. In addition to having a single, centralized Semgrep configuration that makes maintenance easier, you also avoid duplication.
Reusable workflows can be triggered by several types of events, including push, pull request, and schedule. This makes them relatively flexible compared to repository rulesets. Repository rulesets or branch protection rules can only be triggered by pull request event types.
Set up a reusable workflow
- Create a new repository to hold your reusable workflow, and add a
.github/workflows/semgrep.ymlfile.
- Add the job configuration to
semgrep.ymlunderjobs:. You can use either the recommended snippet or your current job configuration. - Under the
on:key, addworkflow_call. This defines the condition to trigger the job described in the reusable workflow: when another repository calls it.
- In each repository where you want your reusable workflow called, create or update the
semgrep.ymlfile to call the reusable workflow. To do this, modify thejobs:key.
Configure the SEMGREP_APP_TOKEN secret in the reusable workflow, then add it to the calling workflow under the secrets: inherit key:
Run a scan
Once you've configured the workflows for your repositories, the reusable workflow is called whenever a triggering event occurs, such as when a developer opens a pull request or commits a change.
Limitations
As described in Set up a reusable workflow, you still need to create a .github/workflows/semgrep.yml file for each repository to call the reusable workflow. This is in contrast to repository rulesets, which only require the central workflow file to be added.
Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.