Sample continuous integration (CI) configurations
This document provides sample configuration snippets to run Semgrep CI on various continuous integration (CI) providers.
Feature support
Support for certain features of Semgrep Cloud Platform depends on your CI provider and source code management tool (SCM). The following table breaks down the features and their availability:
Integrations with source code providers, dependent on CI provider:
| Feature | GitHub with GitHub Actions | GitLab with GitLab CI/CD | GitHub, GitLab, or Bitbucket with other CI providers |
|---|---|---|---|
| Diff-aware scanning | ✅ | ✅ | ✅ (may need additional setup) |
| Hyperlinks | ✅ | ✅ | ✅ (may need additional setup) |
| PR or MR comments | ✅ | ✅ | ✅ (may need additional setup) |
| SCM security dashboard | ✅ GitHub Advanced Security Dashboard | ✅ GitLab Security Dashboard | ❌ No |
For example, if you use CircleCI as your CI provider on a GitHub repository, Semgrep Cloud Platform cannot send findings to the GitHub Advanced Security Dashboard.
The following list defines the above features.
- Diff-aware scanning
  - Semgrep Cloud Platform can scan only the files changed in a pull or merge request (PR or MR). This keeps the scan fast and reduces duplicate findings.
- Hyperlinks to code
  - Semgrep Cloud Platform collects findings in a Findings page. On this page, you can click a finding to return to your SCM (GitHub, GitLab, or Bitbucket) and view the lines of code in your repository that generated the finding.
- Receiving results (findings) as PR or MR comments
  - This feature enables you to receive PR or MR comments from Semgrep Cloud Platform on the lines of code that generated a finding.
- SCM security dashboard
  - Send Semgrep findings to your SCM's security dashboard.
GitHub Actions
To add a Semgrep configuration file in your GitHub Actions pipeline:
1. Create a `semgrep.yml` file in `.github/workflows` in the repository you want to scan.
2. Copy the relevant code snippet provided in Sample GitHub Actions configuration file.
3. Paste the relevant code snippet into the `semgrep.yml` file. This is your Semgrep configuration file for GitHub Actions.
4. Commit the configuration file under `/REPOSITORY-ROOT-DIRECTORY/.github/workflows/semgrep.yml`.
5. The Semgrep job starts automatically upon detecting the committed `semgrep.yml` file.
If you are self-hosting your repository, you must use a self-hosted runner.
Sample GitHub Actions configuration file
The following configuration creates a CI job that runs a SAST and SCA scan using both Semgrep Code and Semgrep Supply Chain.
```yaml
# Name of this GitHub Actions workflow.
name: Semgrep
on:
  # Scan changed files in PRs (diff-aware scanning):
  pull_request: {}
  # Scan on-demand through GitHub Actions interface:
  workflow_dispatch: {}
  # Scan mainline branches and report all findings:
  push:
    branches: ["master", "main"]
  # Schedule the CI job (this method uses cron syntax):
  schedule:
    - cron: '20 17 * * *' # Sets Semgrep to scan every day at 17:20 UTC.
                          # It is recommended to change the schedule to a random time.
jobs:
  semgrep:
    # User-definable name of this GitHub Actions job.
    name: semgrep/ci
    # If you are self-hosting, change the following `runs-on` value:
    runs-on: ubuntu-latest
    container:
      # A Docker image with Semgrep installed. Do not change this.
      image: returntocorp/semgrep
    # Skip any PR created by dependabot to avoid permission issues:
    if: (github.actor != 'dependabot[bot]')
    steps:
      # Fetch project source with GitHub Actions Checkout.
      - uses: actions/checkout@v3
      # Run the "semgrep ci" command on the command line of the docker image.
      - run: semgrep ci
        env:
          # Connect to Semgrep Cloud Platform through your SEMGREP_APP_TOKEN.
          # Generate a token from Semgrep Cloud Platform > Settings
          # and add it to your GitHub secrets.
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
```
The following configuration creates a CI job that runs a SAST scan using Semgrep Code.
```yaml
# Name of this GitHub Actions workflow.
name: Semgrep
on:
  # Scan changed files in PRs (diff-aware scanning):
  pull_request: {}
  # Scan on-demand through GitHub Actions interface:
  workflow_dispatch: {}
  # Scan mainline branches and report all findings:
  push:
    branches: ["master", "main"]
  # Schedule the CI job (this method uses cron syntax):
  schedule:
    - cron: '20 17 * * *' # Sets Semgrep to scan every day at 17:20 UTC.
                          # It is recommended to change the schedule to a random time.
jobs:
  semgrep:
    # User-definable name of this GitHub Actions job:
    name: semgrep/ci
    # If you are self-hosting, change the following `runs-on` value:
    runs-on: ubuntu-latest
    container:
      # A Docker image with Semgrep installed. Do not change this.
      image: returntocorp/semgrep
    # Skip any PR created by dependabot to avoid permission issues:
    if: (github.actor != 'dependabot[bot]')
    steps:
      # Fetch project source with GitHub Actions Checkout.
      - uses: actions/checkout@v3
      # Run the "semgrep ci" command on the command line of the docker image.
      - run: semgrep ci
        env:
          # Add the rules that Semgrep uses by setting the SEMGREP_RULES environment variable.
          SEMGREP_RULES: p/default # more at semgrep.dev/explore
```
The following configuration creates a CI job that runs an SCA scan using Semgrep Supply Chain.
```yaml
# Name of this GitHub Actions workflow.
name: Semgrep
on:
  # Scan changed files in PRs (diff-aware scanning):
  pull_request: {}
  # Scan on-demand through GitHub Actions interface:
  workflow_dispatch: {}
  # Scan mainline branches and report all findings:
  push:
    branches: ["master", "main"]
  # Schedule the CI job (this method uses cron syntax):
  schedule:
    - cron: '20 17 * * *' # Sets Semgrep to scan every day at 17:20 UTC.
                          # It is recommended to change the schedule to a random time.
jobs:
  semgrep:
    # User-definable name of this GitHub Actions job.
    name: semgrep/ci
    # If you are self-hosting, change the following `runs-on` value:
    runs-on: ubuntu-latest
    container:
      # A Docker image with Semgrep installed. Do not change this.
      image: returntocorp/semgrep
    # Skip any PR created by dependabot to avoid permission issues:
    if: (github.actor != 'dependabot[bot]')
    steps:
      # Fetch project source with GitHub Actions Checkout.
      - uses: actions/checkout@v3
      # Run the "semgrep ci --supply-chain" command on the command line of the docker image.
      - run: semgrep ci --supply-chain
        env:
          # Connect to Semgrep Cloud Platform through your SEMGREP_APP_TOKEN.
          # Generate a token from Semgrep Cloud Platform > Settings
          # and add it to your GitHub secrets.
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
```
Alternate job that uploads findings to GitHub Advanced Security Dashboard
Default (connected to Semgrep Cloud Platform):
```yaml
# Name of this GitHub Actions workflow.
name: Semgrep
on:
  # Scan changed files in PRs (diff-aware scanning):
  pull_request: {}
  # Scan on-demand through GitHub Actions interface:
  workflow_dispatch: {}
  # Scan mainline branches and report all findings:
  push:
    branches: ["master", "main"]
  # Schedule the CI job (this method uses cron syntax):
  schedule:
    - cron: '20 17 * * *' # Sets Semgrep to scan every day at 17:20 UTC.
                          # It is recommended to change the schedule to a random time.
jobs:
  semgrep:
    # User-definable name of this GitHub Actions job.
    name: semgrep/ci
    # If you are self-hosting, change the following `runs-on` value:
    runs-on: ubuntu-latest
    container:
      # A Docker image with Semgrep installed. Do not change this.
      image: returntocorp/semgrep
    # Skip any PR created by dependabot to avoid permission issues:
    if: (github.actor != 'dependabot[bot]')
    steps:
      # Fetch project source with GitHub Actions Checkout.
      - uses: actions/checkout@v3
      # Run the "semgrep ci" command on the command line of the docker image
      # and write the findings as a SARIF file.
      - run: semgrep ci --sarif --output=semgrep.sarif
        env:
          # Connect to Semgrep Cloud Platform through your SEMGREP_APP_TOKEN.
          # Generate a token from Semgrep Cloud Platform > Settings
          # and add it to your GitHub secrets.
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
      # Upload the SARIF file even when the scan step fails (findings make it fail).
      - name: Upload SARIF file for GitHub Advanced Security Dashboard
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: semgrep.sarif
        if: always()
```
Stand-alone SAST:
```yaml
# Name of this GitHub Actions workflow.
name: Semgrep
on:
  # Scan changed files in PRs (diff-aware scanning):
  pull_request: {}
  # Scan on-demand through GitHub Actions interface:
  workflow_dispatch: {}
  # Scan mainline branches and report all findings:
  push:
    branches: ["master", "main"]
  # Schedule the CI job (this method uses cron syntax):
  schedule:
    - cron: '20 17 * * *' # Sets Semgrep to scan every day at 17:20 UTC.
                          # It is recommended to change the schedule to a random time.
jobs:
  semgrep:
    # User-definable name of this GitHub Actions job:
    name: semgrep/ci
    # If you are self-hosting, change the following `runs-on` value:
    runs-on: ubuntu-latest
    container:
      # A Docker image with Semgrep installed. Do not change this.
      image: returntocorp/semgrep
    # Skip any PR created by dependabot to avoid permission issues:
    if: (github.actor != 'dependabot[bot]')
    steps:
      # Fetch project source with GitHub Actions Checkout.
      - uses: actions/checkout@v3
      # Run the "semgrep ci" command on the command line of the docker image
      # and write the findings as a SARIF file.
      - run: semgrep ci --sarif --output=semgrep.sarif
        env:
          # Add the rules that Semgrep uses by setting the SEMGREP_RULES environment variable.
          SEMGREP_RULES: p/default # more at semgrep.dev/explore
      # Upload the SARIF file even when the scan step fails (findings make it fail).
      - name: Upload SARIF file for GitHub Advanced Security Dashboard
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: semgrep.sarif
        if: always()
```
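The upload step runs with `if: always()`, so the SARIF file reaches the dashboard even when `semgrep ci` exits non-zero because of findings. The following script is an added example (not Semgrep's or GitHub's code) of what a practitioner can do with that `semgrep.sarif` file before uploading it: it flattens the SARIF results, counts them per SARIF level, and decides whether the job should fail. The SARIF document embedded in it is constructed to mirror the fields Semgrep emits (the rule IDs and file paths are made up), and falling back to a rule's `defaultConfiguration.level` when a result carries no `level` is this script's assumption.

```python
"""Summarise a Semgrep SARIF report and decide whether to fail the job.
Added example; not Semgrep's or GitHub's code."""
import json
import sys
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Constructed sample mirroring the shape of "semgrep ci --sarif" output.
# Rule IDs and paths are made up for this example.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "semgrep", "rules": [
            {"id": "example.rules.sql-string-concat",
             "defaultConfiguration": {"level": "error"}},
            {"id": "example.rules.exec-detected",
             "defaultConfiguration": {"level": "warning"}},
        ]}},
        "results": [
            {"ruleId": "example.rules.sql-string-concat", "level": "error",
             "message": {"text": "SQL query built by string concatenation"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/views.py"},
                 "region": {"startLine": 42}}}]},
            # No per-result "level": the rule's default applies (assumption).
            {"ruleId": "example.rules.exec-detected",
             "message": {"text": "exec() called on dynamic input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "tools/run.py"},
                 "region": {"startLine": 7}}}]},
        ],
    }],
})


def load_findings(sarif_text: str) -> List[Dict[str, object]]:
    """Flatten every SARIF result into {rule, level, file, line}."""
    doc = json.loads(sarif_text)
    findings: List[Dict[str, object]] = []
    for run in doc.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        # Rule-level default severity, used when a result omits "level".
        defaults = {r["id"]: r.get("defaultConfiguration", {}).get("level", "warning")
                    for r in rules}
        for res in run.get("results", []):
            locations = res.get("locations") or [{}]
            phys = locations[0].get("physicalLocation", {})
            rule_id = res.get("ruleId", "<unknown>")
            findings.append({
                "rule": rule_id,
                "level": res.get("level") or defaults.get(rule_id, "warning"),
                "file": phys.get("artifactLocation", {}).get("uri", "<unknown>"),
                "line": phys.get("region", {}).get("startLine", 0),
            })
    return findings


def summarize(findings: Sequence[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per SARIF level (error / warning / note)."""
    return dict(Counter(str(f["level"]) for f in findings))


def should_block(findings: Sequence[Dict[str, object]],
                 block_on: Sequence[str] = ("error",)) -> bool:
    """True when any finding has a level the policy treats as blocking."""
    return any(f["level"] in block_on for f in findings)


def gate(sarif_text: str) -> Tuple[Dict[str, int], bool]:
    """Return (per-level counts, whether the job should fail)."""
    findings = load_findings(sarif_text)
    return summarize(findings), should_block(findings)


if __name__ == "__main__":
    # Usage: python sarif_gate.py semgrep.sarif   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    counts, blocked = gate(text)
    for f in load_findings(text):
        print(f"{f['level']:8} {f['rule']} {f['file']}:{f['line']}")
    print("summary:", counts)
    sys.exit(1 if blocked else 0)
```

Run it as a step between the scan and the upload (`python sarif_gate.py semgrep.sarif`); because the upload step is `if: always()`, the dashboard still receives the full report when the gate fails the job.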
GitLab CI/CD
To add a Semgrep configuration snippet in your GitLab CI/CD pipeline:
1. Create or edit your `.gitlab-ci.yml` file in the repository you want to scan.
2. Copy the relevant code snippet provided in Sample GitLab CI/CD configuration snippet, and then paste it into your `.gitlab-ci.yml` file.
3. Commit the updated `.gitlab-ci.yml` file.
4. The Semgrep job starts automatically upon detecting the committed `.gitlab-ci.yml` file. You can also view the job from your GitLab project's CI/CD > Pipelines page.
Sample GitLab CI/CD configuration snippet
The following configuration creates a CI job that runs a SAST and SCA scan using both Semgrep Code and Semgrep Supply Chain.
```yaml
semgrep:
  # A Docker image with Semgrep installed.
  image: returntocorp/semgrep
  # Run the "semgrep ci" command on the command line of the docker image.
  script: semgrep ci
  rules:
    # Scan changed files in MRs (diff-aware scanning):
    - if: $CI_MERGE_REQUEST_IID
    # Scan mainline (default) branches and report all findings.
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  variables:
    # Connect to Semgrep Cloud Platform through your SEMGREP_APP_TOKEN.
    # Generate a token from Semgrep Cloud Platform > Settings
    # and add it as a variable in your GitLab CI/CD project settings.
    SEMGREP_APP_TOKEN: $SEMGREP_APP_TOKEN
    # Other optional settings in the `variables` block:
    # Receive inline MR comments (requires Semgrep Cloud Platform account)
    # Setup instructions:
    # https://semgrep.dev/docs/semgrep-code/notifications/#gitlab-merge-request-comments
    # GITLAB_TOKEN: $PAT
```
The following configuration creates a CI job that runs a SAST scan using Semgrep Code.
```yaml
semgrep:
  # A Docker image with Semgrep installed.
  image: returntocorp/semgrep
  # Run the "semgrep ci" command on the command line of the docker image.
  script: semgrep ci
  rules:
    # Scan changed files in MRs (diff-aware scanning):
    - if: $CI_MERGE_REQUEST_IID
    # Scan mainline (default) branches and report all findings.
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  variables:
    # Add the rules that Semgrep uses by setting the SEMGREP_RULES environment variable.
    SEMGREP_RULES: p/default # See more at semgrep.dev/explore.
```
The following configuration creates a CI job that runs an SCA scan using Semgrep Supply Chain.
```yaml
semgrep:
  # A Docker image with Semgrep installed.
  image: returntocorp/semgrep
  # Run the "semgrep ci --supply-chain" command on the command line of the docker image.
  script: semgrep ci --supply-chain
  rules:
    # Scan changed files in MRs (diff-aware scanning):
    - if: $CI_MERGE_REQUEST_IID
    # Scan mainline (default) branches and report all findings.
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  variables:
    # Connect to Semgrep Cloud Platform through your SEMGREP_APP_TOKEN.
    # Generate a token from Semgrep Cloud Platform > Settings
    # and add it as a variable in your GitLab CI/CD project settings.
    SEMGREP_APP_TOKEN: $SEMGREP_APP_TOKEN
    # Other optional settings in the `variables` block:
    # Receive inline MR comments (requires Semgrep Cloud Platform account)
    # Setup instructions:
    # https://semgrep.dev/docs/semgrep-code/notifications/#gitlab-merge-request-comments
    # GITLAB_TOKEN: $PAT
```
Alternate job that uploads findings to GitLab SAST Dashboard
Default (connected to Semgrep Cloud Platform):
```yaml
semgrep:
  # A Docker image with Semgrep installed.
  image: returntocorp/semgrep
  rules:
    # Scan changed files in MRs (diff-aware scanning):
    - if: $CI_MERGE_REQUEST_IID
    # Scan mainline (default) branches and report all findings.
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  variables:
    # Connect to Semgrep Cloud Platform through your SEMGREP_APP_TOKEN.
    # Generate a token from Semgrep Cloud Platform > Settings
    # and add it as a variable in your GitLab CI/CD project settings.
    SEMGREP_APP_TOKEN: $SEMGREP_APP_TOKEN
    # Upload findings to GitLab SAST Dashboard:
    SEMGREP_GITLAB_JSON: "1"
    # Other optional settings in the `variables` block:
    # Receive inline MR comments (requires Semgrep Cloud Platform account)
    # Setup instructions:
    # https://semgrep.dev/docs/semgrep-code/notifications/#gitlab-merge-request-comments
    # GITLAB_TOKEN: $PAT
  # Run the "semgrep ci" command on the command line of the docker image and send findings
  # to GitLab SAST. "|| true" keeps the job green so the report artifact is always collected.
  script: semgrep ci --gitlab-sast > gl-sast-report.json || true
  artifacts:
    reports:
      sast: gl-sast-report.json
```
Stand-alone SAST:
```yaml
semgrep:
  # A Docker image with Semgrep installed.
  image: returntocorp/semgrep
  rules:
    # Scan changed files in MRs (diff-aware scanning):
    - if: $CI_MERGE_REQUEST_IID
    # Scan mainline (default) branches and report all findings.
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  variables:
    # Add the rules that Semgrep uses by setting the SEMGREP_RULES environment variable.
    SEMGREP_RULES: p/default # See more at semgrep.dev/explore.
    # Upload findings to GitLab SAST Dashboard:
    SEMGREP_GITLAB_JSON: "1"
  # Run the "semgrep ci" command on the command line of the docker image and send findings
  # to GitLab SAST. "|| true" keeps the job green so the report artifact is always collected.
  script: semgrep ci --gitlab-sast > gl-sast-report.json || true
  artifacts:
    reports:
      sast: gl-sast-report.json
```
Jenkins
Your UI (user interface) may vary depending on your Jenkins installation. These steps use the Classic UI Jenkins interface.
To add a Semgrep configuration snippet in your Jenkins pipeline:
1. Create or edit your `Jenkinsfile` configuration file in the repository you want to scan. You can also edit your `Jenkinsfile` from Jenkins's interface.
2. Copy the relevant code snippet provided in Sample Jenkins configuration snippet.
3. Paste the code into your `Jenkinsfile`, and then commit the file.
4. The Semgrep job starts automatically upon detecting the `Jenkinsfile` update.
5. Optional: Create a separate CI job for diff-aware scanning, which scans only changed files in PRs or MRs, by repeating steps 1-3 and uncommenting the `SEMGREP_BASELINE_REF` definition provided within the code snippet.
Sample Jenkins configuration snippet
The following configuration creates a CI job that runs a SAST and SCA scan using both Semgrep Code and Semgrep Supply Chain.
This code snippet uses Jenkins declarative syntax.
```groovy
pipeline {
  agent any
  environment {
    // The following variable is required for a Semgrep Cloud Platform-connected scan:
    SEMGREP_APP_TOKEN = credentials('SEMGREP_APP_TOKEN')
    // Uncomment the following line to scan changed
    // files in PRs or MRs (diff-aware scanning):
    // SEMGREP_BASELINE_REF = "main"
    // Troubleshooting:
    // Uncomment the following lines if Semgrep Cloud Platform > Findings Page does not create links
    // to the code that generated a finding or if you are not receiving PR or MR comments.
    // SEMGREP_JOB_URL = "${BUILD_URL}"
    // SEMGREP_COMMIT = "${GIT_COMMIT}"
    // SEMGREP_BRANCH = "${GIT_BRANCH}"
    // SEMGREP_REPO_NAME = env.GIT_URL.replaceFirst(/^https:\/\/github.com\/(.*)\.git$/, '$1')
    // SEMGREP_REPO_URL = env.GIT_URL.replaceFirst(/^(.*)\.git$/, '$1')
    // SEMGREP_PR_ID = "${env.CHANGE_ID}"
  }
  stages {
    stage('Semgrep-Scan') {
      steps {
        sh 'pip3 install semgrep'
        sh 'semgrep ci'
      }
    }
  }
}
```
The following configuration creates a CI job that runs a SAST scan using Semgrep Code.
This code snippet uses Jenkins declarative syntax.
```groovy
pipeline {
  agent any
  environment {
    // Rules to scan with; see semgrep.dev/explore for more.
    SEMGREP_RULES = "p/default"
    SEMGREP_BRANCH = "${GIT_BRANCH}"
    // Uncomment the following line to scan changed
    // files in PRs or MRs (diff-aware scanning):
    // SEMGREP_BASELINE_REF = "main"
  }
  stages {
    stage('Semgrep-Scan') {
      steps {
        sh 'pip3 install semgrep'
        sh 'semgrep ci'
      }
    }
  }
}
```
The following configuration creates a CI job that runs an SCA scan using Semgrep Supply Chain.
This code snippet uses Jenkins declarative syntax.
```groovy
pipeline {
  agent any
  environment {
    // The following variable is required to set up a scan connected to Semgrep Cloud Platform:
    SEMGREP_APP_TOKEN = credentials('SEMGREP_APP_TOKEN')
    // Uncomment the following line to scan changed
    // files in PRs or MRs (diff-aware scanning):
    // SEMGREP_BASELINE_REF = "main"
    // Troubleshooting:
    // Uncomment the following lines if Semgrep Cloud Platform > Findings Page does not create links
    // to the code that generated a finding or if you are not receiving PR or MR comments.
    // SEMGREP_JOB_URL = "${BUILD_URL}"
    // SEMGREP_COMMIT = "${GIT_COMMIT}"
    // SEMGREP_BRANCH = "${GIT_BRANCH}"
    // SEMGREP_REPO_NAME = env.GIT_URL.replaceFirst(/^https:\/\/github.com\/(.*)\.git$/, '$1')
    // SEMGREP_REPO_URL = env.GIT_URL.replaceFirst(/^(.*)\.git$/, '$1')
    // SEMGREP_PR_ID = "${env.CHANGE_ID}"
  }
  stages {
    stage('Semgrep-Scan') {
      steps {
        sh 'pip3 install semgrep'
        sh 'semgrep ci --supply-chain'
      }
    }
  }
}
```
The following configuration is the Default (Docker) variant: the same Semgrep Cloud Platform-connected scan, run inside the `returntocorp/semgrep` Docker image instead of installing Semgrep with pip3. The troubleshooting variables are passed into the container, so uncomment them in the `environment` block if you need them.
This code snippet uses Jenkins declarative syntax.
```groovy
pipeline {
  agent any
  environment {
    // The following variable is required for a Semgrep Cloud Platform-connected scan:
    SEMGREP_APP_TOKEN = credentials('SEMGREP_APP_TOKEN')
    // Uncomment the following line to scan changed
    // files in PRs or MRs (diff-aware scanning):
    // SEMGREP_BASELINE_REF = "main"
    // Troubleshooting:
    // Uncomment the following lines if Semgrep Cloud Platform > Findings Page does not create links
    // to the code that generated a finding or if you are not receiving PR or MR comments.
    // SEMGREP_JOB_URL = "${BUILD_URL}"
    // SEMGREP_COMMIT = "${GIT_COMMIT}"
    // SEMGREP_BRANCH = "${GIT_BRANCH}"
    // SEMGREP_REPO_NAME = env.GIT_URL.replaceFirst(/^https:\/\/github.com\/(.*)\.git$/, '$1')
    // SEMGREP_REPO_URL = env.GIT_URL.replaceFirst(/^(.*)\.git$/, '$1')
    // SEMGREP_PR_ID = "${env.CHANGE_ID}"
  }
  stages {
    stage('Semgrep-Scan') {
      steps {
        // Mount the workspace at the same path inside the container and run "semgrep ci" there.
        sh '''docker pull returntocorp/semgrep && \
          docker run \
            -e SEMGREP_APP_TOKEN=$SEMGREP_APP_TOKEN \
            -e SEMGREP_REPO_URL=$SEMGREP_REPO_URL \
            -e SEMGREP_REPO_NAME=$SEMGREP_REPO_NAME \
            -e SEMGREP_BRANCH=$SEMGREP_BRANCH \
            -e SEMGREP_COMMIT=$SEMGREP_COMMIT \
            -e SEMGREP_PR_ID=$SEMGREP_PR_ID \
            -v "$(pwd):$(pwd)" --workdir $(pwd) \
            returntocorp/semgrep semgrep ci'''
      }
    }
  }
}
```
Bitbucket Pipelines
To add a Semgrep configuration snippet into Bitbucket Pipelines:
1. Create or edit your `bitbucket-pipelines.yml` file in the repository you want to scan.
2. Copy the relevant code snippet provided in Sample Bitbucket Pipelines configuration snippet, and then paste it into your `bitbucket-pipelines.yml`.
3. Commit the updated `bitbucket-pipelines.yml` configuration file.
4. The Semgrep job starts automatically upon detecting the committed `bitbucket-pipelines.yml` file. You can also view the job through Bitbucket's interface, by clicking your repository > Pipelines.
5. Optional: Create a separate CI job for diff-aware scanning, which scans only changed files in PRs or MRs, by repeating steps 1-3 and uncommenting the `SEMGREP_BASELINE_REF` definition provided within the code snippet.
These steps can also be performed through Bitbucket's UI wizard. This UI wizard can be accessed through Bitbucket > your repository > Pipelines > Create your first pipeline.
Sample BitBucket Pipelines configuration snippet
The following configuration creates a CI job that runs a SAST and SCA scan using both Semgrep Code and Semgrep Supply Chain.
```yaml
image: atlassian/default-image:latest
pipelines:
  default:
    - parallel:
        - step:
            name: 'Run Semgrep scan with current branch'
            deployment: dev # https://support.atlassian.com/bitbucket-cloud/docs/set-up-and-monitor-deployments/
            image: returntocorp/semgrep
            script:
              # The following variable is required to set up a scan connected to Semgrep Cloud Platform:
              - export SEMGREP_APP_TOKEN=$SEMGREP_APP_TOKEN
              # Uncomment the following lines to scan changed
              # files in PRs or MRs (diff-aware scanning):
              # - export SEMGREP_BASELINE_REF="origin/main"
              # - git fetch origin "+refs/heads/*:refs/remotes/origin/*"
              # Troubleshooting:
              # Uncomment the following lines if Semgrep Cloud Platform > Findings Page does not create links
              # to the code that generated a finding or if you are not receiving PR or MR comments.
              # (SEMGREP_REPO_URL is exported first because SEMGREP_JOB_URL is built from it.)
              # - export SEMGREP_REPO_URL=$BITBUCKET_GIT_HTTP_ORIGIN
              # - export SEMGREP_JOB_URL="${SEMGREP_REPO_URL}/addon/pipelines/home#!/results/${BITBUCKET_PIPELINE_UUID}"
              # - export SEMGREP_COMMIT=$BITBUCKET_COMMIT
              # - export SEMGREP_PR_ID=$BITBUCKET_PR_ID
              # - export SEMGREP_BRANCH=$BITBUCKET_BRANCH
              # - export SEMGREP_REPO_NAME=$BITBUCKET_REPO_FULL_NAME
              - semgrep ci
```
The following configuration creates a CI job that runs a SAST scan using Semgrep Code.
```yaml
image: atlassian/default-image:latest
pipelines:
  default:
    - parallel:
        - step:
            name: 'Run Semgrep scan with current branch'
            deployment: dev
            image: returntocorp/semgrep
            script:
              # Define rules to scan with by setting the SEMGREP_RULES environment variable.
              - export SEMGREP_RULES="p/default"
              # Uncomment the following line to scan changed
              # files in PRs or MRs (diff-aware scanning):
              # - export SEMGREP_BASELINE_REF="main"
              - semgrep ci
```
The following configuration creates a CI job that runs an SCA scan using Semgrep Supply Chain.
```yaml
image: atlassian/default-image:latest
pipelines:
  default:
    - parallel:
        - step:
            name: 'Run Semgrep scan with current branch'
            deployment: dev # https://support.atlassian.com/bitbucket-cloud/docs/set-up-and-monitor-deployments/
            image: returntocorp/semgrep
            script:
              # The following variable is required to set up a scan connected to Semgrep Cloud Platform:
              - export SEMGREP_APP_TOKEN=$SEMGREP_APP_TOKEN
              # Uncomment the following lines to scan changed
              # files in PRs or MRs (diff-aware scanning):
              # - export SEMGREP_BASELINE_REF="origin/main"
              # - git fetch origin "+refs/heads/*:refs/remotes/origin/*"
              # Troubleshooting:
              # Uncomment the following lines if Semgrep Cloud Platform > Findings Page does not create links
              # to the code that generated a finding or if you are not receiving PR or MR comments.
              # (SEMGREP_REPO_URL is exported first because SEMGREP_JOB_URL is built from it.)
              # - export SEMGREP_REPO_URL=$BITBUCKET_GIT_HTTP_ORIGIN
              # - export SEMGREP_JOB_URL="${SEMGREP_REPO_URL}/addon/pipelines/home#!/results/${BITBUCKET_PIPELINE_UUID}"
              # - export SEMGREP_COMMIT=$BITBUCKET_COMMIT
              # - export SEMGREP_PR_ID=$BITBUCKET_PR_ID
              # - export SEMGREP_BRANCH=$BITBUCKET_BRANCH
              # - export SEMGREP_REPO_NAME=$BITBUCKET_REPO_FULL_NAME
              - semgrep ci --supply-chain
```
Buildkite
To add Semgrep into your Buildkite pipeline:
1. Create or edit a `pipeline.yml` configuration file to add a Semgrep command as part of your pipeline. Refer to the Buildkite code snippet. This configuration file can also be stored within Buildkite.
2. Copy the relevant code snippet provided in Sample Buildkite configuration snippet.
3. If you are using Buildkite to store the configuration, save the updated file. Otherwise, commit the updated configuration file into the `/.buildkite` folder within the target repository.
4. The Semgrep job starts automatically upon detecting the committed `pipeline.yml` file. You can also view the job through Buildkite's interface, by clicking your repository > Pipelines.
5. Optional: Create a separate CI job for diff-aware scanning, which scans only changed files in PRs or MRs, by repeating steps 1-3 and uncommenting the `SEMGREP_BASELINE_REF` definition provided within the code snippet.
These steps can be performed from within Buildkite's interface. From Buildkite's main page, click Pipelines > ➕ button to perform these steps within Buildkite's UI.
Sample Buildkite configuration snippet
The following configuration creates a CI job that runs a SAST and SCA scan using both Semgrep Code and Semgrep Supply Chain.
```yaml
- label: ":semgrep: Semgrep"
  commands:
    # Uncomment the following line to scan changed
    # files in PRs or MRs (diff-aware scanning):
    # - export SEMGREP_BASELINE_REF="main"
    # Troubleshooting:
    # Uncomment the following lines if Semgrep Cloud Platform > Findings Page does not create links
    # to the code that generated a finding or if you are not receiving PR or MR comments.
    # - export SEMGREP_COMMIT=${BUILDKITE_COMMIT}
    # - export SEMGREP_PR_ID=${BUILDKITE_PULL_REQUEST}
    # - export SEMGREP_BRANCH=${BUILDKITE_BRANCH}
    # Strip the trailing ".git" (anchored, so a repository name containing "git" is left intact):
    # - export SEMGREP_REPO_URL="$(echo "$BUILDKITE_REPO" | sed -e 's#\.git$##')"
    # - export SEMGREP_REPO_NAME="$(echo "$BUILDKITE_REPO" | sed -e 's#https://github.com/##' -e 's#\.git$##')"
    - semgrep ci
  plugins:
    - docker#v3.7.0:
        image: returntocorp/semgrep
        environment:
          # The following variable is required to set up a scan connected to Semgrep Cloud Platform:
          - "SEMGREP_APP_TOKEN"
```
The following configuration creates a CI job that runs a SAST scan using Semgrep Code.
```yaml
- label: ":semgrep: Semgrep"
  commands:
    # Define rules to scan with by setting the SEMGREP_RULES environment variable.
    - export SEMGREP_RULES="p/default"
    # Uncomment the following line to scan changed
    # files in PRs or MRs (diff-aware scanning):
    # - export SEMGREP_BASELINE_REF="main"
    - semgrep ci
  plugins:
    - docker#v3.7.0:
        image: returntocorp/semgrep
```
The following configuration creates a CI job that runs an SCA scan using Semgrep Supply Chain.
```yaml
- label: ":semgrep: Semgrep"
  commands:
    # Uncomment the following line to scan changed
    # files in PRs or MRs (diff-aware scanning):
    # - export SEMGREP_BASELINE_REF="main"
    # Troubleshooting:
    # Uncomment the following lines if Semgrep Cloud Platform > Findings Page does not create links
    # to the code that generated a finding or if you are not receiving PR or MR comments.
    # - export SEMGREP_COMMIT=${BUILDKITE_COMMIT}
    # - export SEMGREP_PR_ID=${BUILDKITE_PULL_REQUEST}
    # - export SEMGREP_BRANCH=${BUILDKITE_BRANCH}
    # Strip the trailing ".git" (anchored, so a repository name containing "git" is left intact):
    # - export SEMGREP_REPO_URL="$(echo "$BUILDKITE_REPO" | sed -e 's#\.git$##')"
    # - export SEMGREP_REPO_NAME="$(echo "$BUILDKITE_REPO" | sed -e 's#https://github.com/##' -e 's#\.git$##')"
    - semgrep ci --supply-chain
  plugins:
    - docker#v3.7.0:
        image: returntocorp/semgrep
        environment:
          # The following variable is required to set up a scan connected to Semgrep Cloud Platform:
          - "SEMGREP_APP_TOKEN"
```
CircleCI
To add Semgrep into your CircleCI pipeline:
1. Create a context:
   1. In the CircleCI web app, click Organization Settings > Contexts.
   2. Click Create Context.
   3. Enter `dev` as the name for the context.
   4. Click Add Environment Variable and enter your `SEMGREP_APP_TOKEN`.
2. Create or edit your `config.yml` configuration file in the repository you want to scan.
3. Copy the relevant code snippet provided in Sample CircleCI configuration snippet.
4. Commit the updated `config.yml` configuration file into the `/.circleci` folder in the target repository.
5. The Semgrep job starts automatically upon detecting the `config.yml` update.
6. Optional: Create a separate CI job for diff-aware scanning, which scans only changed files in PRs or MRs, by repeating steps 1-3 and uncommenting the `SEMGREP_BASELINE_REF` definition provided in the code snippet.
Sample CircleCI configuration snippet
The following configuration creates a CI job that runs a SAST and SCA scan using both Semgrep Code and Semgrep Supply Chain.
```yaml
version: 2.1
jobs:
  semgrep-scan:
    parameters:
      default_branch:
        type: string
        default: main
    environment:
      # Uncomment the following line to scan changed
      # files in PRs or MRs (diff-aware scanning):
      # SEMGREP_BASELINE_REF: << parameters.default_branch >>
      # Troubleshooting:
      # Uncomment the following lines if Semgrep Cloud Platform > Findings Page does not create links
      # to the code that generated a finding or if you are not receiving PR or MR comments.
      # SEMGREP_REPO_NAME: '$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME'
      # SEMGREP_REPO_URL: << pipeline.project.git_url >>
      # SEMGREP_BRANCH: << pipeline.git.branch >>
    docker:
      - image: returntocorp/semgrep
    steps:
      - checkout
      # Uncomment the following lines if Semgrep Cloud Platform > Findings Page does not create links
      # to the code that generated a finding or if you are not receiving PR or MR comments.
      # - run:
      #     name: "Manually set environment variables"
      #     command: |
      #       echo 'export SEMGREP_COMMIT=$CIRCLE_SHA1' >> $BASH_ENV
      #       echo 'export SEMGREP_PR_ID=${CIRCLE_PULL_REQUEST##*/}' >> $BASH_ENV
      #       echo 'export SEMGREP_JOB_URL=$CIRCLE_BUILD_URL' >> $BASH_ENV
      - run:
          name: "Semgrep scan"
          command: semgrep ci
workflows:
  main:
    jobs:
      - semgrep-scan:
          context:
            - dev
```
The following configuration creates a CI job that runs a SAST scan using Semgrep Code.
```yaml
version: 2.1
jobs:
  semgrep-scan:
    parameters:
      default_branch:
        type: string
        default: main
    environment:
      # Add the rules that Semgrep uses by setting the SEMGREP_RULES environment variable.
      SEMGREP_RULES: p/default
      # Uncomment the following line to scan changed
      # files in PRs or MRs (diff-aware scanning):
      # SEMGREP_BASELINE_REF: << parameters.default_branch >>
    docker:
      - image: returntocorp/semgrep
    steps:
      - checkout
      - run:
          name: "Semgrep scan"
          command: semgrep ci
workflows:
  main:
    jobs:
      - semgrep-scan:
          context:
            - dev
```
The following configuration creates a CI job that runs an SCA scan using Semgrep Supply Chain.
```yaml
version: 2.1
jobs:
  semgrep-scan:
    parameters:
      default_branch:
        type: string
        default: main
    environment:
      # Uncomment the following line to scan changed
      # files in PRs or MRs (diff-aware scanning):
      # SEMGREP_BASELINE_REF: << parameters.default_branch >>
      # Troubleshooting:
      # Uncomment the following lines if Semgrep Cloud Platform > Findings Page does not create links
      # to the code that generated a finding or if you are not receiving PR or MR comments.
      # SEMGREP_REPO_NAME: '$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME'
      # SEMGREP_REPO_URL: << pipeline.project.git_url >>
      # SEMGREP_BRANCH: << pipeline.git.branch >>
    docker:
      - image: returntocorp/semgrep
    steps:
      - checkout
      # Uncomment the following lines if Semgrep Cloud Platform > Findings Page does not create links
      # to the code that generated a finding or if you are not receiving PR or MR comments.
      # - run:
      #     name: "Manually set environment variables"
      #     command: |
      #       echo 'export SEMGREP_COMMIT=$CIRCLE_SHA1' >> $BASH_ENV
      #       echo 'export SEMGREP_PR_ID=${CIRCLE_PULL_REQUEST##*/}' >> $BASH_ENV
      #       echo 'export SEMGREP_JOB_URL=$CIRCLE_BUILD_URL' >> $BASH_ENV
      - run:
          name: "Semgrep scan"
          command: semgrep ci --supply-chain
workflows:
  main:
    jobs:
      - semgrep-scan:
          context:
            - dev
```
Azure Pipelines
To add Semgrep into Azure Pipelines:
1. Access the YAML pipeline editor within Azure Pipelines by following the YAML pipeline editor guide.
2. Copy the relevant code snippet provided in Sample Azure Pipelines configuration snippet into the Azure Pipelines YAML editor.
3. Save the code snippet.
4. Set environment variables.
5. Group the environment variables as a variable group.
6. Optional: Create a separate CI job for diff-aware scanning, which scans only changed files in PRs or MRs, by repeating steps 1-4 and adding `SEMGREP_BASELINE_REF` as an environment variable.
Sample Azure Pipelines configuration snippet
The following configuration creates a CI job that runs a SAST and SCA scan using both Semgrep Code and Semgrep Supply Chain.
```yaml
# trigger:
# - master
pool:
  vmImage: ubuntu-latest
variables:
  # Variable group holding SEMGREP_APP_TOKEN (and any troubleshooting variables).
  - group: Semgrep Cloud Platform token group
steps:
  - script: |
      python -m pip install --upgrade pip
      pip install semgrep
      semgrep ci
    env:
      SEMGREP_PR_ID: $(System.PullRequest.PullRequestNumber)
```
Setting environment variables in Azure Pipelines
Set this variable within the Azure Pipelines UI following the steps in Environment variables:
- `SEMGREP_APP_TOKEN`
Set these environment variables to troubleshoot the links to the code that generated a finding or if you are not receiving PR or MR comments:
- `SEMGREP_JOB_URL`
- `SEMGREP_COMMIT`
- `SEMGREP_BRANCH`
- `SEMGREP_REPO_URL`
- `SEMGREP_REPO_NAME`
Set this environment variable for diff-aware scanning:
- `SEMGREP_BASELINE_REF`. Its value is typically your trunk branch, such as `main` or `master`.
The following configuration creates a CI job that runs a SAST scan using Semgrep Code.
```yaml
# trigger:
# - master
pool:
  vmImage: ubuntu-latest
steps:
  - script: |
      python -m pip install --upgrade pip
      pip install semgrep
      semgrep ci
    env:
      # Add the rules that Semgrep uses by setting the SEMGREP_RULES environment variable.
      SEMGREP_RULES: p/default
```
The following configuration creates a CI job that runs an SCA scan using Semgrep Supply Chain.
```yaml
# trigger:
# - master
pool:
  vmImage: ubuntu-latest
variables:
  # Variable group holding SEMGREP_APP_TOKEN (and any troubleshooting variables).
  - group: Semgrep Cloud Platform token group
steps:
  - script: |
      python -m pip install --upgrade pip
      pip install semgrep
      semgrep ci --supply-chain
    env:
      SEMGREP_PR_ID: $(System.PullRequest.PullRequestNumber)
```
Other providers
To run Semgrep CI on any other provider, use the `returntocorp/semgrep` image, and run the `semgrep ci` command with `SEMGREP_BASELINE_REF` set for diff-aware scanning.
Note: If you cannot use the Docker image, install Semgrep CI with `pip install semgrep` instead.
By setting various CI environment variables, you can run Semgrep in the following CI providers:
- AppVeyor
- Bamboo
- Bitrise
- Buildbot
- Codeship
- Codefresh
- Drone CI
- TeamCity CI
- Travis CI
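On a provider without native support, the `SEMGREP_*` variables that the troubleshooting comments above set by hand can be derived from the provider's own variables. The following wrapper is an added example, not Semgrep's code: it recognises the Bitbucket, Buildkite and CircleCI variables used in the snippets on this page (the provider table is this example's assumption, and the place to add another provider), derives `SEMGREP_REPO_URL` and `SEMGREP_REPO_NAME` from an https or ssh remote with the `.git` suffix stripped only at the end of the string, sets `SEMGREP_BASELINE_REF` only on PR builds so that branch builds still report every finding, fetches the baseline refs, and then runs `semgrep ci`.

```python
"""Portable SEMGREP_* environment mapping for CI providers that have no
native Semgrep integration. Added example; not Semgrep's own code."""
import os
import re
import subprocess
from typing import Dict, Optional

# Matches https and ssh remotes; the ".git" suffix and a trailing "/" are optional.
_REMOTE_RE = re.compile(
    r"^(?:https://(?P<host>[^/]+)/|git@(?P<sshhost>[^:]+):)"
    r"(?P<name>.+?)(?:\.git)?/?$"
)

# Which provider variable carries each value (assumed mapping). The names for
# Bitbucket, Buildkite and CircleCI are the ones the snippets on this page use;
# "detect" is the variable whose presence identifies the provider.
PROVIDERS = {
    "bitbucket": {"detect": "BITBUCKET_COMMIT", "commit": "BITBUCKET_COMMIT",
                  "branch": "BITBUCKET_BRANCH", "pr": "BITBUCKET_PR_ID",
                  "remote": "BITBUCKET_GIT_HTTP_ORIGIN"},
    "buildkite": {"detect": "BUILDKITE_COMMIT", "commit": "BUILDKITE_COMMIT",
                  "branch": "BUILDKITE_BRANCH", "pr": "BUILDKITE_PULL_REQUEST",
                  "remote": "BUILDKITE_REPO"},
    "circleci": {"detect": "CIRCLE_SHA1", "commit": "CIRCLE_SHA1",
                 "branch": "CIRCLE_BRANCH", "pr": "CIRCLE_PULL_REQUEST",
                 "remote": "CIRCLE_REPOSITORY_URL"},
}


def repo_identity(remote: str) -> Optional[Dict[str, str]]:
    """Derive SEMGREP_REPO_URL and SEMGREP_REPO_NAME from a git remote.

    ".git" is stripped only at the end, so a repository named "digit-tools"
    keeps its name intact (an unanchored 's/.git//' would mangle it)."""
    m = _REMOTE_RE.match(remote.strip())
    if not m:
        return None
    host = m.group("host") or m.group("sshhost")
    name = m.group("name")
    return {"SEMGREP_REPO_URL": f"https://{host}/{name}",
            "SEMGREP_REPO_NAME": name}


def pr_number(raw: Optional[str]) -> Optional[str]:
    """Normalise the PR value: Buildkite exports "false" outside PRs and
    CircleCI exports the PR URL, of which only the last segment is the number."""
    if not raw or raw.lower() == "false":
        return None
    return raw.rstrip("/").rsplit("/", 1)[-1]


def semgrep_env(ci_env: Dict[str, str], default_branch: str = "main") -> Dict[str, str]:
    """Build the SEMGREP_* variables for whichever provider ci_env belongs to.

    On PR builds SEMGREP_BASELINE_REF is set so "semgrep ci" runs diff-aware;
    on branch builds it stays unset so every finding is reported."""
    for _name, keys in PROVIDERS.items():
        if keys["detect"] in ci_env:
            break
    else:
        raise RuntimeError("unrecognised CI provider: no detect variable is set")
    out = {"SEMGREP_COMMIT": ci_env[keys["commit"]],
           "SEMGREP_BRANCH": ci_env.get(keys["branch"], "")}
    identity = repo_identity(ci_env.get(keys["remote"], ""))
    if identity:
        out.update(identity)
    pr = pr_number(ci_env.get(keys["pr"]))
    if pr:
        out["SEMGREP_PR_ID"] = pr
        out["SEMGREP_BASELINE_REF"] = f"origin/{default_branch}"
    return out


def run_semgrep_ci(supply_chain: bool = False) -> int:
    """Fetch the baseline branch when diff-aware, then run "semgrep ci"."""
    extra = semgrep_env(dict(os.environ))
    env = {**os.environ, **extra}
    if "SEMGREP_BASELINE_REF" in extra:
        # The baseline ref must exist locally; shallow clones often lack it.
        subprocess.run(["git", "fetch", "origin",
                        "+refs/heads/*:refs/remotes/origin/*"], check=True, env=env)
    cmd = ["semgrep", "ci"] + (["--supply-chain"] if supply_chain else [])
    return subprocess.run(cmd, env=env).returncode


if __name__ == "__main__":
    raise SystemExit(run_semgrep_ci())
```

`SEMGREP_APP_TOKEN` is deliberately not handled here: it comes from the provider's secret store, exactly as in the snippets above, and the wrapper passes the inherited environment through untouched.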
Is your CI provider missing? Let us know by filing an issue.