Skip to main content

Why aren't findings populating in the GitHub Advanced Security Dashboard after running Semgrep in CI?

When scanning with Semgrep in CI, findings automatically populate in Semgrep AppSec Platform. To show findings in the GitHub Advanced Security Dashboard, run an alternate job that uploads findings to the dashboard in the form of a SARIF file. See Sample GitHub Actions configuration file for an example.

If you run the alternate job and it fails with a "resource not accessible by integration" error, there are two possible causes.

Your repository's workflow permissions are set to read-only

Repository-level workflow permissions are set to read-only (default) unless they've previously been changed. Use of the permissions key within the workflow file does not override this setting.

To update this setting:

  1. Navigate to your organization or repository in GitHub.
  2. Click Settings > Actions > General > Workflow permissions.

image info Target permissions


Changing the repository's default workflow permissions changes the permissions for all workflows in that repository. Use of the permissions key will not override this setting, so updating it is a required step. Learn more about the permissions key at Assigning permissions to jobs, or review the example workflow-level permissions below.

The workflow or job does not have the correct permissions in a private repository

In order for Semgrep findings in a private repository to appear on the GitHub Advanced Security Dashboard, you must ensure that the appropriate permissions are configured at the workflow level using the permissions key. See the following example.

Example job configuration with permissions key

This job only requires write permissions for security-events.

# Name of this GitHub Actions workflow.
name: Semgrep

pull_request: {}
workflow_dispatch: {}
branches: ["master", "main"]
- cron: '20 17 * * *' # Sets Semgrep to scan every day at 17:20 UTC.

name: semgrep/ci
runs-on: ubuntu-latest

# A Docker image with Semgrep installed. Do not change this.
image: semgrep/semgrep

if: ( != 'dependabot[bot]')
# required for all workflows
security-events: write
# for workflows in private repos
actions: read
contents: read
- uses: actions/checkout@v4
- run: semgrep ci --sarif > semgrep.sarif
- name: Upload SARIF file for GitHub Advanced Security Dashboard
uses: github/codeql-action/upload-sarif@v2
sarif_file: semgrep.sarif
if: always()

Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.