Troubleshooting Semgrep AppSec Platform

If a project reports the last scan 'never started'

This status means that your CI job never authenticated to Semgrep AppSec Platform.

Check your CI provider (such as GitHub Actions) for the latest Semgrep job execution.

…and you can’t find a Semgrep CI job

The issue is likely with the CI configuration.

  • Make sure that the branch you committed a CI job to is included in the list of branches the job is triggered on.
  • Make sure that the CI configuration file has valid syntax. Most providers have a tool for checking the syntax of configuration files.

…and a Semgrep CI job exists

Check the log output for any hints about what the issue is.

  • If the logs mention a missing token or an authentication failure, you can get a new token from the Settings page of Semgrep AppSec Platform, and set it as SEMGREP_APP_TOKEN in your CI provider's secret management UI.
  • Alternatively, if this is the first scan after adding a new GitHub repository, and the repository is a fork, check your Actions tab to see if workflows are enabled. If they are disabled, enable workflows to allow Semgrep to scan.

If a project reports the last scan 'never finished'

This status means that your CI jobs start and authenticate correctly, but fail before completion.

Check your CI provider (such as GitHub Actions) for the log output of the latest Semgrep job execution. In most cases you will see an error message with detailed instructions on what to do.

…and the job is aborted due to taking too long

Many CI providers have a time limit for how long a job can run. Semgrep CI also aborts itself if it runs for too long. If your CI scans regularly take too long and fail to complete:

  • Please reach out to the Semgrep maintainers for help with tracking down the cause. Semgrep scans most large projects with hundreds of rules within a few minutes, and long run times are typically caused by just one rule or source code file taking too long.
  • To drastically cut run times, you can use Semgrep's diff-aware scanning to skip scanning unchanged files. For more details, see Semgrep's behavior.
  • You can skip scanning large and complex source code files (such as minified JS or generated code) if you know their path by adding a .semgrepignore file. See how to ignore files & directories in Semgrep CI.
  • You can increase Semgrep's own run time limit by passing the --timeout <seconds> flag to semgrep ci, or by setting the SEMGREP_TIMEOUT=<seconds> environment variable. To fully disable the time limit, set this value to 0.
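
As an added example (not taken from this page or from Semgrep's own documentation), the GitHub Actions workflow below puts the settings discussed above in one place: the branch trigger list, the SEMGREP_APP_TOKEN secret, and the two time limits. The file path, the branch name main and both timeout values are assumptions.

```yaml
# .github/workflows/semgrep.yml  (path and file name are an assumption)
name: Semgrep

on:
  # The job only runs for branches listed here; a commit to any other
  # branch never starts a scan (the 'never started' status).
  push:
    branches:
      - main            # assumption: replace with the branch you scan
  # Pull request runs are where semgrep ci performs diff-aware scans.
  pull_request: {}

jobs:
  semgrep:
    runs-on: ubuntu-latest
    # The CI provider's own job limit. Keep it above Semgrep's limit below so
    # that Semgrep, not the runner, ends a long scan. 45 is a constructed value.
    timeout-minutes: 45
    container:
      image: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4
      - run: semgrep ci
        env:
          # Read from the repository's Actions secrets; never inline the token.
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
          # Semgrep's own run time limit in seconds (0 disables it).
          # 1800 is a constructed value.
          SEMGREP_TIMEOUT: "1800"
```

If the secret is missing or misspelled in the repository settings, the expression resolves to an empty string and the job log shows the missing token or authentication failure described earlier.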

If you're unable to comment on Semgrep Registry pages

Our comments are powered by an external service called If you aren't able to authenticate to leave comments, please make sure you don't have an ad blocker interrupting requests to their domain.