Continuous Integration #
CI/CD integration #
In this chapter, we will walk you through the process of integrating Semgrep into your GitHub repository as part of your continuous integration (CI) and continuous deployment (CD) pipeline.
Recommended Semgrep GitHub integration approach #
We recommend integrating Semgrep with GitHub Actions using the following approach:
- Schedule a full Semgrep scan on the main branch with a broad set of Semgrep rules (e.g.,
- Implement a diff-aware scanning approach for pull requests, using a fine-tuned set of rules that yield high confidence and true positive results.
- Once your Semgrep implementation is mature, configure Semgrep to block the PR pipeline if there are unresolved Semgrep findings.
Understanding Semgrep CI configuration options #
Familiarize yourself with the available environment variables and their default values by reviewing the Configuration reference. The following are key points to note:
- Semgrep checks for new versions by default, as controlled by the
- By default, Semgrep sets a five-minute timeout for each individual Git command that Semgrep runs (
- Semgrep attempts to scan each file with a 30-second timeout (`SEMGREP_TIMEOUT`) and retries up to three times (
- The `SEMGREP_RULES` environment variable defines the rules used by Semgrep. You can specify multiple rule sources by separating them with a space.
- By default, the CI process fails if findings are detected but passes if internal errors occur. For more information, see Passing or failing the CI job.
GitHub integration steps #
Follow these steps to integrate Semgrep with your GitHub repository:
- Create a `semgrep.yml` file in the `.github/workflows` directory of the repository you want to scan.
- Copy the code snippet below into the `semgrep.yml` file. This workflow is based on two jobs:
  - The first job:
    - Runs on a schedule basis (once per month).
    - Runs when a pull request is merged.
    - Runs when there is a direct push on the main/master branch.
    - Uses the broad
  - The second job:
    - Runs specifically for pull requests.
    - Uses multiple security-related rules.
This configuration ensures that your codebase is scanned regularly for potential issues and that new code introduced through pull requests is thoroughly checked for security vulnerabilities.
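The workflow below is an added example written for this page; it is not the snippet the guide refers to and not Semgrep's own sample. It implements the two-job layout described above with the `semgrep ci` command: a full scan with a broad ruleset on the monthly schedule and on direct pushes to `main`/`master`, and a diff-aware scan on pull requests with a narrower, higher-confidence ruleset. The ruleset names (`p/default`, `p/security-audit`, `p/owasp-top-ten`, `p/secrets`), the cron expression and the job names are assumed choices; replace them with the rulesets you have tuned for your repository.

```yaml
# .github/workflows/semgrep.yml  (constructed example, not the page's own snippet)
name: Semgrep

on:
  # Job 1 triggers: monthly full scan (assumed: 1st of the month, 02:00 UTC)
  # and every direct push to the default branch, which also covers merged PRs.
  schedule:
    - cron: "0 2 1 * *"
  push:
    branches: [main, master]
  # Job 2 trigger: every pull request.
  pull_request:

permissions:
  contents: read

jobs:
  # First job: full scan of the whole codebase with a broad ruleset.
  semgrep-full:
    if: github.event_name != 'pull_request'
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep   # official Semgrep CLI image
    steps:
      - uses: actions/checkout@v4
      - name: Full scan
        env:
          # Multiple rule sources are separated by a space (assumed rulesets).
          SEMGREP_RULES: p/default p/security-audit
        # Outside a pull request, `semgrep ci` has no baseline and scans every file.
        # By default it exits non-zero on findings and zero on internal errors.
        run: semgrep ci

  # Second job: diff-aware scan of pull requests with a tuned ruleset.
  semgrep-pr:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4
      - name: Diff-aware scan
        env:
          # Narrower, high-confidence rulesets for PR gating (assumed choice).
          SEMGREP_RULES: p/owasp-top-ten p/secrets
          # Per-file scan timeout in seconds; 30 is the documented default.
          SEMGREP_TIMEOUT: "30"
        # In a pull request, `semgrep ci` reads the base branch from the GitHub
        # event and reports only findings introduced by the PR.
        run: semgrep ci
        # Findings are reported but do not block the PR. Remove this line once
        # the ruleset is mature to make unresolved findings fail the pipeline.
        continue-on-error: true
```

Keeping `continue-on-error: true` on the pull-request job during rollout gives developers visibility into findings without blocking merges; deleting that single line is the switch described in the last step of the recommended approach. The scheduled job stays blocking from the start so that a regression on the main branch is surfaced as a failed run.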