Why am I getting findings in files that should be ignored?
If you don't already have a .semgrepignore file, refer to our
guide on how to exclude files from Semgrep scans. Otherwise, if
you already have a .semgrepignore file, read on.
Starting with Semgrep CE 1.112.0, the Semgrepignore specification has
changed slightly to better align with Git and Gitignore and to offer
more flexibility.
The new specification is referred to as
Semgrepignore v2.
If you're getting findings in files that should have been
ignored according to your .semgrepignore file, check the
following:
- If you're using Git, check that the .semgrepignore file is at the root of the Git project, or at least within the project. .semgrepignore files can be placed in any folder in the project and follow the same specification as .gitignore files, which they extend.
- If you're not using Git, check that the .semgrepignore file is in the folder passed on the semgrep scan command line. For example, if the command is semgrep scan foo/, you must move the .semgrepignore file from the current folder to foo/.semgrepignore.
To ensure you're using Semgrepignore v2, pass the flag
--semgrepignore-v2 to semgrep scan or to semgrep ci. To use the legacy Semgrepignore v1 implementation, pass
--no-semgrepignore-v2 instead. These options exist for troubleshooting the
migration from v1 to v2, and both flags will be removed once v2 becomes the
only implementation available.
Best practices
- When scanning a whole project, run semgrep from the project root.
- Place a .semgrepignore file at the project root.
- Optionally, place .semgrepignore files in subfolders so as to keep the exclusion patterns simple and to allow moving these subfolders around without having to edit the file exclusion patterns.
- Refer to the Gitignore specification for the precise syntax and usage of .semgrepignore files.