Configure Semgrep CI by passing these environment variables in your CI job.
While environment variables are the preferred way to configure Semgrep CI, any of these options can also be passed as command-line options. Refer to the output of semgrep-agent --help to find the corresponding flags.
Select rules to scan with (
Diff-aware scanning (
For diff-aware scans, set this variable to the git ref (branch name, tag, or commit hash) to use as a baseline.
For example, to report findings newly added since branching off from your main branch, set
Connect to Semgrep App (
SEMGREP_RULES, you can use rules set in Semgrep App.
Get your credentials from Semgrep App > Settings.
Set these variables to hyperlink to the correct repositories, files, and PRs in the Semgrep App UI & notifications.
Collect findings silently (
Set this to never fail the build due to findings when scanning. Instead, just collect findings for Semgrep App > Findings.
Configure a job timeout (
Set this to change the job timeout from the default of 1800 seconds. Set to 0 to disable the job timeout.