
Set up reusable GitHub workflows for Semgrep scans

Reusable workflows simplify the work of configuring a .github/workflows/semgrep.yml file for each of your repositories. You define the workflow once, then call it from the workflows of other repositories. This gives you a single, centralized Semgrep configuration that is easier to maintain and avoids duplicating the same job definition across repositories.

Reusable workflows can be triggered by several types of events, including push, pull request, and schedule. This makes them more flexible than repository rulesets: repository rulesets and branch protection rules can only be triggered by pull request events.

Set up a reusable workflow

  1. Create a new repository to hold your reusable workflow, and add a .github/workflows/semgrep.yml file.
  2. Add the job configuration to semgrep.yml under jobs:. You can use either the job definition from the recommended snippet or your current job configuration.
  3. Under the on: key, add workflow_call. This defines the condition that triggers the job described in the reusable workflow: another repository calling it.
  4. In each repository where you want the reusable workflow called, create or update the semgrep.yml file to call the reusable workflow. To do this, modify the jobs: key.

Configure the SEMGREP_APP_TOKEN secret for the reusable workflow, then pass it from the calling workflow with the secrets: inherit key:
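The page describes the reusable (called) workflow but does not show it, so here is a complete example of the central .github/workflows/semgrep.yml that steps 1 to 3 produce. This is an added example, not Semgrep's published snippet or a file from this documentation: the job body (the semgrep/semgrep container, actions/checkout, and `semgrep ci`) stands in for "the job definition from the recommended snippet", and the explicit `secrets:` declaration under `workflow_call` and the `permissions:` block are assumptions added to document what the caller must supply and to keep the job's GITHUB_TOKEN read-only.

```yaml
# .github/workflows/semgrep.yml in the central repository (added example, not
# Semgrep's own snippet). The caller references it as
# {ORG}/{REPO}/.github/workflows/semgrep.yml@main.
name: Semgrep (reusable)

on:
  # Runs only when another workflow calls it; no push, pull_request or
  # schedule trigger here - those live in each calling repository.
  workflow_call:
    secrets:
      # Assumption: declaring the secret as required documents that the
      # caller must pass it, which `secrets: inherit` does automatically.
      SEMGREP_APP_TOKEN:
        required: true

jobs:
  semgrep:
    name: semgrep/ci
    runs-on: ubuntu-latest
    # Assumption (not on the page): least-privilege token for the scan job.
    permissions:
      contents: read
    container:
      image: semgrep/semgrep
    steps:
      # Check out the calling repository so Semgrep has source to scan.
      - uses: actions/checkout@v4
      # `semgrep ci` reads the token to fetch the configured rules and
      # report findings back to Semgrep AppSec Platform.
      - run: semgrep ci
        env:
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
```

When this file lives in a private repository, GitHub only lets other repositories in the same organization call it if that repository's Actions settings grant access to them; the SEMGREP_APP_TOKEN secret itself must exist in the calling repository or organization, because `secrets: inherit` forwards the caller's secrets rather than any secret stored alongside the reusable workflow.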


Here is a sample YAML file for a calling workflow. When using this sample, update the schedule under on: and, under jobs:, the repository details and path of your reusable workflow.

```yaml
name: Semgrep
on:
  # Scan changed files in PRs (diff-aware scanning):
  pull_request: {}
  # Scan on-demand through GitHub Actions interface:
  workflow_dispatch: {}
  # Schedule the CI job (this method uses cron syntax):
  schedule:
    # Please change the cron schedule to a random time to avoid load spikes on GHA.
    - cron: '20 17 * * *' # Sets Semgrep to scan every day at 17:20 UTC.
jobs:
  call-semgrep:
    uses: {ORG}/{REPO}/.github/workflows/semgrep.yml@main
    secrets: inherit
```

Run a scan

Once you've configured the workflows for your repositories, the reusable workflow is called whenever a triggering event occurs, such as when a developer opens a pull request or commits a change.


Limitations

As described in Set up a reusable workflow, you still need to create a .github/workflows/semgrep.yml file in each repository to call the reusable workflow. This is in contrast to repository rulesets, which require only the central workflow file.

