Skip to main content

CI configuration reference

Configure Semgrep CI by passing these environment variables in your CI job.


While environment variables are the preferred way to configure Semgrep CI, any of these options can be passed as command line options as well. Refer to the output of semgrep-agent --help to find the corresponding flags.

Select rules to scan with (SEMGREP_RULES)#

SEMGREP_RULES="p/security-audit p/secrets"

Diff-aware scanning (SEMGREP_BASELINE_REF)#

For diff-aware scans, set this variable to the git ref (branch name, tag, or commit hash) to use as a baseline. For example, to report findings newly added since branching off from your main branch, set


Connect to Semgrep App (SEMGREP_APP_TOKEN)#

Instead of SEMGREP_RULES, you can use rules set in Semgrep App. Get your credentials from Semgrep App > Settings.


Get hyperlinks in Semgrep App#

Set these variables to hyperlink to the correct repositories, files, and PRs in the Semgrep App UI & notifications.


Collect findings silently (SEMGREP_AUDIT_ON)#

Set this to never fail the build due to findings when scanning. Instead, just collect findings for Semgrep App > Findings.


Configure a job timeout (SEMGREP_TIMEOUT)#

To change the job timeout from the default of 1800 seconds. Set to 0 to disable job timeout.


Find what you needed in this doc? Join the Slack group to ask the maintainers and the community if you need help.