
Why are duplicate findings appearing after running Semgrep in CI?

When scanning with Semgrep in CI, there are two types of scans you can perform: full scans and diff-aware scans.

In a full scan, the same rule matching the same code produces a finding on every branch that contains that code. If you run full scans on all branches, the same finding therefore appears once per branch.

To prevent this duplication, Semgrep recommends running full scans only on the main branch of your repository and running diff-aware scans on other branches in PRs or MRs. A diff-aware scan compares the findings on the current Git ref with the findings on the base branch, so findings that were not introduced by the PR/MR branch are deduplicated rather than reported again.
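The following GitHub Actions workflow is an added example, not taken from the Semgrep knowledge base page itself, showing the recommended layout in configuration form. It assumes the `semgrep ci` command and the `SEMGREP_APP_TOKEN` secret name from Semgrep's public CI integration, and that `semgrep ci` runs a full scan on `push` events and a diff-aware scan on `pull_request` events; the branch name `main` and the secret value are placeholders for your own repository. The first `on:` block is the misconfiguration that produces the duplicate findings described above (commented out); the second is the corrected trigger.

```yaml
name: Semgrep

# Misconfigured trigger (kept here only for comparison):
# every push on every branch runs a full scan, so one rule match
# shows up once per branch in Semgrep AppSec Platform.
#
# on:
#   push:
#     branches: ["**"]

# Corrected trigger: full scan only on pushes to the main branch,
# diff-aware scan on pull requests (semgrep ci detects the PR
# context and compares against the base branch).
on:
  pull_request: {}
  push:
    branches: ["main"]   # placeholder: use your repository's default branch

jobs:
  semgrep:
    name: semgrep/ci
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4
      - run: semgrep ci
        env:
          # placeholder: a token created in Semgrep AppSec Platform and stored as a repository secret
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
```

With this layout, a finding that already exists on `main` is reported once by the full scan, and a PR scan only reports findings introduced by the PR's changes; scans from the commented-out trigger would instead register the same finding separately for every feature branch.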

For more on setting up diff-aware scanning, see: