
Sample CI configurations

The sample configuration files below run Semgrep CI on various continuous integration providers.

GitHub Actions

```yaml
name: Semgrep
on:
  # Scan changed files in PRs, block on new issues only (existing issues ignored)
  pull_request: {}
  # Scan all files on branches, block on any issues
  # push:
  #   branches: ["master", "main"]
jobs:
  semgrep:
    name: Scan
    runs-on: ubuntu-latest
    # Skip any PR created by dependabot to avoid permission issues
    if: (github.actor != 'dependabot[bot]')
    steps:
      # Fetch project source
      - uses: actions/checkout@v2
      - uses: returntocorp/semgrep-action@v1
        with:
          config: >- # more at semgrep.dev/explore
            p/security-audit
            p/secrets

        # == Optional settings in the `with:` block

        # Instead of `config:`, use rules set in Semgrep App.
        # Get your credentials from semgrep.dev/manage/settings.
        #   publishDeployment: ${{ secrets.SEMGREP_DEPLOYMENT_ID }}
        #   publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}

        # Never fail the build due to findings on pushes.
        # Instead, just collect findings for semgrep.dev/manage/findings
        #   auditOn: push

        # Upload findings to GitHub Advanced Security Dashboard [step 1/2]
        # See also the next step.
        #   generateSarif: "1"

        # Change job timeout (default is 1800 seconds; set to 0 to disable)
        # env:
        #   SEMGREP_TIMEOUT: 300

      # Upload findings to GitHub Advanced Security Dashboard [step 2/2]
      # - name: Upload SARIF file for GitHub Advanced Security Dashboard
      #   uses: github/codeql-action/upload-sarif@v1
      #   with:
      #     sarif_file: semgrep.sarif
      #   if: always()
```

Feature support

| Feature | Status |
| --- | --- |
| diff-aware scanning | ✅ automatic |
| hyperlinks in Semgrep App | ✅ automatic |
| results in native dashboard | ✅ available (GitHub Advanced Security Dashboard) |
| results in pull request comments | ✅ sign up for Semgrep App free |
| automatic CI setup | ✅ sign up for Semgrep App free |

GitLab CI

```yaml
semgrep:
  image: returntocorp/semgrep-agent:v1
  script: semgrep-agent
  rules:
  # Scan changed files in MRs, block on new issues only (existing issues ignored)
  - if: $CI_MERGE_REQUEST_IID
  # Scan all files on default branch, block on any issues
  # - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  variables:
    SEMGREP_RULES: >- # more at semgrep.dev/explore
      p/security-audit
      p/secrets

  # == Optional settings in the `variables:` block

  # Instead of `SEMGREP_RULES:`, use rules set in Semgrep App.
  # Get your credentials from semgrep.dev/manage/settings.
  #   SEMGREP_APP_DEPLOYMENT_ID: $SEMGREP_APP_DEPLOYMENT_ID
  #   SEMGREP_APP_TOKEN: $SEMGREP_APP_TOKEN

  # Receive inline MR comments (requires Semgrep App account)
  # Setup instructions: https://semgrep.dev/docs/notifications/#gitlab-merge-request-comments
  #   GITLAB_TOKEN: $PAT

  # Never fail the build due to findings on pushes.
  # Instead, just collect findings for semgrep.dev/manage/findings
  #   SEMGREP_AUDIT_ON: push

  # Upload findings to GitLab SAST Dashboard [step 1/2]
  # See also the next step.
  #   SEMGREP_GITLAB_JSON: "1"

  # Change job timeout (default is 1800 seconds; set to 0 to disable)
  #   SEMGREP_TIMEOUT: 300

  # Upload findings to GitLab SAST Dashboard (remove `script:` line above) [step 2/2]
  # script: semgrep-agent --gitlab-json > gl-sast-report.json || true
  # artifacts:
  #   reports:
  #     sast: gl-sast-report.json
```

Feature support

| Feature | Status |
| --- | --- |
| diff-aware scanning | ✅ automatic |
| hyperlinks in Semgrep App | ✅ automatic |
| results in native dashboard | ✅ available (GitLab SAST Dashboard) |
| results in merge request comments | ✅ sign up for Semgrep App free |
| automatic CI setup | ❌ not available |

Jenkins

Use webhooks and the snippet below to integrate with GitHub.

```groovy
pipeline {
  agent {
    kubernetes {
      yaml """
        apiVersion: v1
        kind: Pod
        spec:
          containers:
          - name: semgrep
            image: 'returntocorp/semgrep-agent:v1'
            command:
            - cat
            tty: true
        """
      defaultContainer 'semgrep'
    }
  }
  environment {
    SEMGREP_RULES = "p/security-audit p/secrets" // more at semgrep.dev/explore
    SEMGREP_BASELINE_REF = "origin/${env.CHANGE_TARGET}"

    // == Optional settings in the `environment {}` block

    // Instead of `SEMGREP_RULES`, use rules set in Semgrep App.
    // Get your credentials from semgrep.dev/manage/settings.
    //   SEMGREP_APP_DEPLOYMENT_ID = credentials('SEMGREP_APP_DEPLOYMENT_ID')
    //   SEMGREP_APP_TOKEN = credentials('SEMGREP_APP_TOKEN')
    //   SEMGREP_REPO_URL = env.GIT_URL.replaceFirst(/^(.*).git$/,'$1')
    //   SEMGREP_BRANCH = "${CHANGE_BRANCH}"
    //   SEMGREP_JOB_URL = "${BUILD_URL}"
    //   SEMGREP_REPO_NAME = env.GIT_URL.replaceFirst(/^https:\/\/github.com\/(.*).git$/, '$1')
    //   SEMGREP_COMMIT = "${GIT_COMMIT}"
    //   SEMGREP_PR_ID = "${env.CHANGE_ID}"

    // Never fail the build due to findings.
    // Instead, just collect findings for semgrep.dev/manage/findings
    //   SEMGREP_AUDIT_ON = "unknown"

    // Change job timeout (default is 1800 seconds; set to 0 to disable)
    //   SEMGREP_TIMEOUT = "300"
  }
  stages {
    stage('Semgrep_agent') {
      when {
        // Scan changed files in PRs, block on new issues only (existing issues ignored)
        expression { env.CHANGE_ID && env.BRANCH_NAME.startsWith("PR-") }
      }
      steps {
        // Fetch the baseline branch (strip the "origin/" prefix for git fetch), then run the agent
        sh 'git fetch origin ${SEMGREP_BASELINE_REF#origin/} && semgrep-agent'
      }
    }
  }
}
```

Feature support

| Feature | Status |
| --- | --- |
| diff-aware scanning | ✅ configure manually |
| hyperlinks in Semgrep App | ✅ configure manually |
| results in native dashboard | 💢 not applicable |
| results in pull request comments | ✅ sign up for Semgrep App free |
| automatic CI setup | ❌ not available |

Buildkite

```yaml
- label: ":semgrep: Semgrep"
  command: semgrep-agent
  plugins:
    - docker#v3.7.0:
        image: returntocorp/semgrep-agent:v1
        workdir: /<org_name>/<repo_name>
        environment:
          - "SEMGREP_RULES=p/security-audit p/secrets" # more at semgrep.dev/explore

        # == Optional settings in the `environment:` block

        # Instead of `SEMGREP_RULES:`, use rules set in Semgrep App.
        # Get your credentials from semgrep.dev/manage/settings.
        #   - "SEMGREP_APP_DEPLOYMENT_ID=${SEMGREP_APP_DEPLOYMENT_ID}"
        #   - "SEMGREP_APP_TOKEN=${SEMGREP_APP_TOKEN}"
        #   - "SEMGREP_JOB_URL=${BUILDKITE_BUILD_URL}"
        #   - "SEMGREP_BRANCH=${BUILDKITE_BRANCH}"
        #   - "SEMGREP_REPO_NAME=<org_name>/<repo_name>"
        #   - "SEMGREP_REPO_URL=<github_url>"

        # Never fail the build due to findings.
        # Instead, just collect findings for semgrep.dev/manage/findings
        #   - "SEMGREP_AUDIT_ON=unknown"

        # Change job timeout (default is 1800 seconds; set to 0 to disable)
        #   - "SEMGREP_TIMEOUT=300"
```

Feature support

| Feature | Status |
| --- | --- |
| diff-aware scanning | ✅ configure manually |
| hyperlinks in Semgrep App | ✅ configure manually |
| results in native dashboard | 💢 not applicable |
| results in pull request comments | ✅ sign up for Semgrep App free |
| automatic CI setup | ❌ not available |

CircleCI

```yaml
version: 2.1
jobs:
  semgrep-scan:
    parameters:
      repo_path:
        type: string
        default: myorg/semgrep-test-repo
      default_branch:
        type: string
        default: main
      semgrep_deployment_id:
        type: integer
        default: <my-deployment-id>
    environment:
      SEMGREP_RULES: >- # more at semgrep.dev/explore
        p/security-audit
        p/secrets

      # Scan changed files in PRs, block on new issues only (existing issues ignored)
      SEMGREP_BASELINE_REF: << parameters.default_branch >>

    # == Optional settings in the `environment:` block

    # Instead of `SEMGREP_RULES:`, use rules set in Semgrep App.
    # Get your credentials from semgrep.dev/manage/settings.
    #   SEMGREP_APP_DEPLOYMENT_ID: << parameters.semgrep_deployment_id >>
    #   SEMGREP_APP_TOKEN: $SEMGREP_APP_TOKEN
    #   SEMGREP_REPO_NAME: << parameters.repo_path >>
    #   SEMGREP_REPO_URL: << pipeline.project.git_url >>
    #   SEMGREP_BRANCH: << pipeline.git.branch >>

    # Never fail the build due to findings.
    # Instead, just collect findings for semgrep.dev/manage/findings
    #   SEMGREP_AUDIT_ON: unknown

    # Change job timeout (default is 1800 seconds; set to 0 to disable)
    #   SEMGREP_TIMEOUT: 300

    docker:
      - image: returntocorp/semgrep-agent:v1
    steps:
      - checkout
      - run:
          name: "Semgrep scan"
          command: semgrep-agent
workflows:
  main:
    jobs:
      - semgrep-scan
```

Feature support

| Feature | Status |
| --- | --- |
| diff-aware scanning | ✅ configure manually |
| hyperlinks in Semgrep App | ✅ configure manually |
| results in native dashboard | 💢 not applicable |
| results in pull request comments | ✅ sign up for Semgrep App free |
| automatic CI setup | ❌ not available |

Other providers

To run Semgrep CI on any other provider, use the returntocorp/semgrep-agent:v1 Docker image, and run the semgrep-agent command.
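The generic recipe above, worked through as an added example that is not part of the Semgrep docs or of the semgrep-agent project: a POSIX shell wrapper for a CI provider without a native integration. It reproduces what the provider-specific samples do by hand (set `SEMGREP_RULES`, set `SEMGREP_BASELINE_REF` for diff-aware scans of change requests, fetch the baseline branch, then run `semgrep-agent` in the `returntocorp/semgrep-agent:v1` image). `CI_TARGET_BRANCH`, `CI_WORKSPACE` and `SCAN_DRY_RUN` are assumptions of this script, not Semgrep or provider variables; map the first two to whatever your CI exposes.

```shell
#!/bin/sh
# Added example (not Semgrep's own code): run Semgrep CI on an arbitrary provider.
#
# Assumed inputs (hypothetical; supplied by your CI system):
#   CI_TARGET_BRANCH  base branch of the PR/MR; empty on plain branch pushes
#   CI_WORKSPACE      checked-out repository directory to mount into the container
#   SCAN_DRY_RUN=1    print the docker command instead of running it (script-local)
# SEMGREP_RULES, SEMGREP_BASELINE_REF, SEMGREP_TIMEOUT and SEMGREP_APP_TOKEN are the
# variable names used by the sample configurations on this page.

# Diff-aware scanning: for a change request, compare against the target branch so
# only new findings block the build; for a push there is no baseline (full scan).
semgrep_baseline_ref() {
  target="$1"
  if [ -n "$target" ]; then
    printf 'origin/%s\n' "$target"
  fi
}

# `git fetch origin <branch>` wants the branch name, not the remote-tracking ref;
# this is the same "${SEMGREP_BASELINE_REF#origin/}" trick the Jenkins sample uses.
baseline_branch() {
  printf '%s\n' "${1#origin/}"
}

# Assemble and run the container. Only variables that are actually set are
# forwarded, so an unset SEMGREP_APP_TOKEN never becomes an empty env var inside
# the container; the token is passed by name (-e VAR) so its value is never
# written into a command line or a job log.
run_semgrep_ci() {
  workspace="${1:-$PWD}"
  baseline="$2"
  rules="${SEMGREP_RULES:-p/security-audit p/secrets}"   # more at semgrep.dev/explore

  set -- docker run --rm -v "$workspace:/src" -w /src -e "SEMGREP_RULES=$rules"
  if [ -n "$baseline" ]; then
    set -- "$@" -e "SEMGREP_BASELINE_REF=$baseline"
  fi
  if [ -n "${SEMGREP_TIMEOUT:-}" ]; then
    set -- "$@" -e "SEMGREP_TIMEOUT=$SEMGREP_TIMEOUT"
  fi
  if [ -n "${SEMGREP_APP_TOKEN:-}" ]; then
    set -- "$@" -e SEMGREP_APP_TOKEN
  fi
  set -- "$@" returntocorp/semgrep-agent:v1 semgrep-agent

  if [ "${SCAN_DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
    return 0
  fi

  # The baseline must exist locally for the diff-aware comparison.
  if [ -n "$baseline" ]; then
    git -C "$workspace" fetch origin "$(baseline_branch "$baseline")"
  fi
  # semgrep-agent exits non-zero on blocking findings, which fails the job.
  "$@"
}

# Usage in a CI job step (hypothetical provider variables):
#   run_semgrep_ci "$CI_WORKSPACE" "$(semgrep_baseline_ref "$CI_TARGET_BRANCH")"
```

Running with `SCAN_DRY_RUN=1` first is a cheap way to confirm which variables the job will forward into the container before wiring the step into a pipeline; the same pattern applies to any of the optional settings listed in the samples above.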

Using the configuration reference, you can run Semgrep in the following CI providers:

Is your CI provider missing? Let us know by filing an issue.
