Semgrep now supports GitHub Actions natively! 🎉
Instead of using this Semgrep Action wrapper script,
we recommend running semgrep ci in the official Semgrep image.
You can do that by using this GitHub Actions config:
semgrep:
name: Scan
runs-on: ubuntu-20.04
container:
image: returntocorp/semgrep
steps:
- uses: actions/checkout@v3
- run: semgrep ciTo see all the configuration options, check Semgrep docs.
If you prefer to use the Semgrep Action,
it will remain maintained for the foreseeable future,
but the Semgrep team can provide better support and documentation for you
if you use the native semgrep ci command instead.
Semgrep Action runs Semgrep in CI environments. It can also connect to Semgrep App to configure rules and review findings on a web UI.
- Scan every commit. Semgrep CI rapidly scans modified files on pull and merge requests, protecting developer productivity. Longer full project scans are configurable on merges to specific branches.
- Block new bugs. You shouldn’t have to fix existing bugs just to adopt a tool. Semgrep CI reports newly introduced issues on pull and merge requests, scanning them at their base and HEAD commits to compare findings. Developers are signficantly more likely to fix the issues they introduced themselves on PRs and MRs.
- Get findings where you work. Semgrep CI can connect to Semgrep App to present findings in Slack, on PRs and MRs via inline comments, email, and through 3rd party services.
Semgrep runs fully in your build environment: code is never sent anywhere.
Semgrep behaves like other static analysis and linting tools: it runs a set of user-configured rules and returns a non-zero exit code if there are findings, resulting in its job showing a ✅ or ❌.
Find a relevant template for your CI provider through these links:
- GitHub Actions
- GitLab CI/CD
- Other CI providers (Buildkite, CircleCI, Jenkins, and more)
Read through the comments in the template to adjust when and what Semgrep CI scans, selecting pull and merge requests, merges to branches, or both.
Once Semgrep Action is running, explore the Semgrep Registry to find and add more project-specific rules.
See Advanced Configuration documentation for further customizations, such as scanning with custom rules, ignoring files, and tuning performance.
Semgrep collects opt-out non-identifiable aggregate metrics for improving the user experience, guiding Semgrep feature development, and identifying regressions.
The PRIVACY.md file describes the principles that guide our data-collection decisions, the breakdown of the data that are and are not collected, and how to opt-out of Semgrep CI’s metrics.
Semgrep never sends your source code anywhere.
The Semgrep Action GitHub Marketplace listing
runs the semgrep-agent Docker image.
New versions of Semgrep CI and the Docker image above are released by Semgrep maintainers on a regular basis.
To run all jobs with the latest releases, use the returntocorp/semgrep Docker image, or the returntocorp/semgrep-action@v1 action.
See CONTRIBUTING.md