Sample CI configurations
The sample configuration files below run Semgrep CI on various continuous integration providers.
GitHub Actionsโ
# Name of this GitHub Actions workflow.
name: Semgrep
on:
# Determine when you want Semgrep to scan your code.
# Use as many of the following options as you want.
# (Currently Options 1 and 3 are active).
#
# Option 1: Scan changed files in PRs, only report new findings (existing
# findings in the repository are ignored).
# To run on specific types of PR states (opened, reopened, etc) or particular
# paths or branches, see the following GitHub documentation:
# https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request
pull_request: {}
# Option 2: Scan all files on branches, report any findings.
# push:
# branches: ["master", "main"]
# Option 3: Schedule CI job to run at a certain time, using cron syntax.
# Note: the asterisk sign * is a special character in YAML so you have to quote this string
schedule:
- cron: '30 0 1,15 * *' # scheduled for 00:30 UTC on both the 1st and 15th of the month
jobs:
semgrep:
# User definable name of this GitHub Actions job.
name: Scan
# Only change the if you are self-hosting. See also:
# https://docs.github.com/en/actions/using-jobs/choosing-the-runner-for-a-job#choosing-self-hosted-runners
runs-on: ubuntu-latest
container:
# A Docker image with Semgrep installed. Don't change this.
image: returntocorp/semgrep
# Skip any PR created by dependabot to avoid permission issues
if: (github.actor != 'dependabot[bot]')
steps:
# Fetch project source with GitHub Actions Checkout.
- uses: actions/checkout@v3
# Run the "semgrep ci" command on the command line of the docker image.
- run: semgrep ci
env:
# Select rules for your scan with one of these two options.
# Option 1: Scan with rules set in Semgrep App's rule board
# Make a token at semgrep.dev/orgs/-/settings/tokens, and then
# save it in your GitHub Secrets.
SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
# Option 2: Set hard-coded rulesets, viewable in logs.
# SEMGREP_RULES: p/default # more at semgrep.dev/explore
Alternate job that uploads findings to GitHub Advanced Security Dashboard
name: Semgrep
on:
pull_request: {}
jobs:
semgrep:
# User definable name of this GitHub Actions job.
name: Scan
# Only change the if you are self-hosting. See also:
# https://docs.github.com/en/actions/using-jobs/choosing-the-runner-for-a-job#choosing-self-hosted-runners
runs-on: ubuntu-latest
container:
# A Docker image with Semgrep installed. Don't change this.
image: returntocorp/semgrep
steps:
- uses: actions/checkout@v3
# Select rules for your scan with one of these two options:
#
# Option 1: Scan with rules set in Semgrep App's rule board.
# Make a token at semgrep.dev/orgs/-/settings/tokens, and then
# save it in your GitHub Secrets.
- run: semgrep scan --sarif --output=semgrep.sarif --config=policy
env:
SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
# Option 2: Set hard-coded rulesets, viewable in logs.
# - run: semgrep scan --sarif --output=semgrep.sarif
# env:
# SEMGREP_RULES: p/default # See more at semgrep.dev/explore.
- name: Upload SARIF file for GitHub Advanced Security Dashboard
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: semgrep.sarif
if: always()
Feature supportโ
Feature | Status |
---|---|
diff-aware scanning | โ automatic |
hyperlinks in Semgrep App | โ automatic |
results in native dashboard GitHub Advanced Security Dashboard | โ available |
results in pull request comments | โ sign up for Semgrep App free |
automatic CI setup | โ sign up for Semgrep App free |
GitLab CIโ
semgrep:
# A Docker image with Semgrep installed.
image: returntocorp/semgrep
# Run the "semgrep ci" command on the command line of the docker image.
script: semgrep ci
rules:
# Determine when you want Semgrep to scan your code.
# Use as many of the following options as you want.
#
# Option 1: Scan changed files in MRs, only report new findings (existing
# findings ignored).
- if: $CI_MERGE_REQUEST_IID
# Option 2: Scan all files on the default branch, report any findings.
# - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
# Option 3: Schedule CI job to run at a certain time, using cron syntax.
# Instructions for setting this up are here:
# https://docs.gitlab.com/ee/ci/pipelines/schedules.html
# As an initial setup, we recommend scanning your whole project on 1st and
# 15th of the month, in addition to running Option 1.
variables:
# Select rules for your scan with one of these two options:
#
# Option 1: Scan with rules set in Semgrep App's rule board
# Get your token at semgrep.dev/orgs/-/settings/tokens.
SEMGREP_APP_TOKEN: $SEMGREP_APP_TOKEN
# Option 2: set hard-coded rulesets, viewable in logs.
# SEMGREP_RULES: p/default # See more at semgrep.dev/explore.
# == Other optional settings in the `variables:` block
# Receive inline MR comments (requires Semgrep App account)
# Setup instructions: https://semgrep.dev/docs/notifications/#gitlab-merge-request-comments
# GITLAB_TOKEN: $PAT
# Never fail the build due to findings on pushes.
# Instead, just collect findings for semgrep.dev/manage/findings
# SEMGREP_AUDIT_ON: push
# Upload findings to GitLab SAST Dashboard [step 1/2]
# See also the next step.
# SEMGREP_GITLAB_JSON: "1"
# Change job timeout (default is 1800 seconds; set to 0 to disable)
# SEMGREP_TIMEOUT: 300
# Upload findings to GitLab SAST Dashboard (remove `script:` line above) [step 2/2]
# script: semgrep ci --gitlab-sast > gl-sast-report.json || true
# artifacts:
# reports:
# sast: gl-sast-report.json
Feature supportโ
Feature | Status |
---|---|
diff-aware scanning | โ automatic |
hyperlinks in Semgrep App | โ automatic |
results in native dashboard GitLab SAST Dashboard | โ available |
results in merge request comments | โ sign up for Semgrep App free |
automatic CI setup | โ not available |
Jenkinsโ
Use webhooks and the below snippet to integrate with GitHub.
pipeline {
agent any
// environment {
// SEMGREP_BASELINE_REF = "main"
// SEMGREP_APP_TOKEN = credentials('SEMGREP_APP_TOKEN')
// SEMGREP_REPO_URL = env.GIT_URL.replaceFirst(/^(.*).git$/,'$1')
// SEMGREP_BRANCH = "${GIT_BRANCH}"
// SEMGREP_JOB_URL = "${BUILD_URL}"
// SEMGREP_REPO_NAME = env.GIT_URL.replaceFirst(/^https:\/\/github.com\/(.*).git$/, '$1')
// SEMGREP_COMMIT = "${GIT_COMMIT}"
// SEMGREP_PR_ID = "${env.CHANGE_ID}"
// SEMGREP_TIMEOUT = "300"
// }
stages {
stage('Semgrep-Scan') {
steps {
sh 'pip3 install semgrep'
sh 'semgrep ci --config auto'
}
}
}
}
note
--config auto
sends your repository's project URL to Semgrep Registry to find rules configured for your repository and as a key for cached rule recommendations.
Feature supportโ
Feature | Status |
---|---|
diff-aware scanning | โ configure manually |
hyperlinks in Semgrep App | โ configure manually |
results in native dashboard | ๐ข not applicable |
results in pull request comments | โ sign up for Semgrep App free |
automatic CI setup | โ not available |
Buildkiteโ
- label: ":semgrep: Semgrep"
commands:
- export SEMGREP_BASELINE_REF=""
- export SEMGREP_REPO_URL="$(echo "$BUILDKITE_REPO" | sed -e 's#.\{4\}$##')"
- export SEMGREP_BRANCH=${BUILDKITE_BRANCH}
- export SEMGREP_COMMIT=${BUILDKITE_COMMIT}
- export SEMGREP_PR_ID=${BUILDKITE_PULL_REQUEST}
- echo "$BUILDKITE_REPO" | sed 's#https://github.com/##' | sed 's#.git##'
- export SEMGREP_REPO_NAME="$(echo "$BUILDKITE_REPO" | sed -e 's#https://github.com/##' | sed -e 's#.git##')"
- semgrep ci
plugins:
- docker#v3.7.0:
image: returntocorp/semgrep
environment:
# Scan with rules set in Semgrep App's rule board
# Make a token at semgrep.dev/orgs/-/settings/tokens
- "SEMGREP_APP_TOKEN"
Feature supportโ
Feature | Status |
---|---|
diff-aware scanning | โ configure manually |
hyperlinks in Semgrep App | โ configure manually |
results in native dashboard | ๐ข not applicable |
results in pull request comments | โ sign up for Semgrep App free |
automatic CI setup | โ not available |
CircleCIโ
version: 2.1
jobs:
semgrep-scan:
parameters:
repo_path:
type: string
default: myorg/semgrep-test-repo
default_branch:
type: string
default: main
environment:
# Scan with rules set in Semgrep App's rule board.
# Get your token at semgrep.dev/orgs/-/settings/tokens
SEMGREP_APP_TOKEN: $SEMGREP_APP_TOKEN
# Scan changed files in PRs, only report new findings (existing findings ignored)
SEMGREP_BASELINE_REF: << parameters.default_branch >>
# == Optional settings in the `environment:` block
# Instead of `SEMGREP_APP_TOKEN:`, set hard-coded rulesets,
# viewable in logs.
# SEMGREP_RULES: p/default # See more at semgrep.dev/explore.
# SEMGREP_REPO_NAME: << parameters.repo_path >>
# SEMGREP_REPO_URL: << pipeline.project.git_url >>
# SEMGREP_BRANCH: << pipeline.git.branch >>
# Never fail the build due to findings.
# Instead, just collect findings for semgrep.dev/manage/findings
# SEMGREP_AUDIT_ON: unknown
# Change job timeout (default is 1800 seconds; set to 0 to disable)
# SEMGREP_TIMEOUT: 300
docker:
- image: returntocorp/semgrep
steps:
- checkout
- run:
name: "Semgrep scan"
command: semgrep ci
workflows:
main:
jobs:
- semgrep-scan
Feature supportโ
Feature | Status |
---|---|
diff-aware scanning | โ configure manually |
hyperlinks in Semgrep App | โ configure manually |
results in native dashboard | ๐ข not applicable |
results in pull request comments | โ sign up for Semgrep App free |
automatic CI setup | โ not available |
Bitbucketโ
image: atlassian/default-image:latest
pipelines:
default:
- parallel:
- step:
name: 'Run Semgrep scan with current branch'
deployment: dev
image: returntocorp/semgrep
script:
# Set SEMGREP Variables
# - export SEMGREP_REPO_URL=$BITBUCKET_GIT_HTTP_ORIGIN
# - export SEMGREP_REPO_NAME=$BITBUCKET_REPO_FULL_NAME
# - export SEMGREP_BRANCH=$BITBUCKET_BRANCH
# - export SEMGREP_JOB_URL="${SEMGREP_REPO_URL}/addon/pipelines/home#!/results/${BITBUCKET_PIPELINE_UUID}"
# - export SEMGREP_COMMIT=$BITBUCKET_COMMIT
# - export SEMGREP_PR_ID=$BITBUCKET_PR_ID
# - export $SEMGREP_APP_TOKEN
- semgrep ci --config auto
note
--config auto
sends your repository's project URL to Semgrep Registry to find rules configured for your repository and as a key for cached rule recommendations.
Feature supportโ
Feature | Status |
---|---|
diff-aware scanning | โ configure manually |
hyperlinks in Semgrep App | โ configure manually |
results in native dashboard | ๐ข not applicable |
results in pull request comments | โ sign up for Semgrep App free |
automatic CI setup | โ not available |
Other providersโ
To run Semgrep CI on any other provider, use the returntocorp/semgrep
image, and run the semgrep ci
command.
Note: If you need to use a different image than docker, install Semgrep CI by pip install semgrep
.
Using the configuration reference, you can run Semgrep in the following CI providers:
- AppVeyor
- Bamboo
- Bitbucket Pipelines (sample configuration)
- Bitrise
- Buildbot
- Buildkite (sample configuration)
- CircleCI (sample configuration)
- Codeship
- Codefresh
- Jenkins (sample configuration)
- TeamCity CI
- Travis CI
Is your CI provider missing? Let us know by filing an issue.
Find what you needed in this doc? Join the Slack group to ask the maintainers and the community if you need help.