Customize your CI job to achieve the following goals:
  • Run Semgrep on a schedule. Run full scans on main or trunk branches at the time that is least intrusive for developer teams.
  • Run Semgrep when an event triggers. Run Semgrep when a pull request or merge request (PR or MR) is created.
  • Set a timeout to increase or decrease Semgrep’s overall runtime. If scans are taking too long, or rules aren’t running, customize your per-rule timeout.

Set up diff-aware scans

Info: Follow the steps in this section only for the following CI providers:
  • Jenkins
  • CI providers without guidance from Semgrep AppSec Platform
Some Semgrep CI jobs require manual configuration of diff-aware scans, which scan pull requests or merge requests in feature branches. For the CI providers outlined in the preceding list, you can configure a diff-aware job by performing the following steps:
  1. Create a separate CI job following the steps in Add Semgrep to CI through Semgrep AppSec Platform.
  2. Set the SEMGREP_BASELINE_REF variable in your CI configuration file. The value of this environment variable is typically your trunk branch, such as main or master.

Set a scan schedule

The following table summarizes the methods and resources for setting up scan schedules on different CI providers.

  CI provider           Where to set schedule
  GitHub Actions        See Sample CI configs for information on how to modify your semgrep.yml file
  GitLab CI/CD          Refer to GitLab documentation
  Jenkins               Refer to Jenkins documentation
  Bitbucket Pipelines   Refer to Bitbucket documentation
  CircleCI              Refer to CircleCI documentation
  Buildkite             Refer to Buildkite documentation
  Azure Pipelines       Refer to Azure documentation
  Semaphore             Refer to Semaphore documentation

Set a custom timeout

By default, Semgrep spends a maximum of 5 seconds to scan with each rule on each targeted file. To set a different timeout, set the SEMGREP_TIMEOUT environment variable (the value is in seconds). Decreasing this value speeds up your scans, but with the possibility of skipping some rules. Alternatively, increasing this value ensures that your most complex rules finish running. For example:
SEMGREP_TIMEOUT="3" # Sets the per-rule timeout to 3 seconds.
Caution: Setting this variable to 0 removes the time limit, meaning that rules can take any amount of time to run. This is not recommended.
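The following wrapper ties together the diff-aware setup above (SEMGREP_BASELINE_REF) and the per-rule timeout (SEMGREP_TIMEOUT) for a CI provider without built-in guidance, such as Jenkins. It is an added example, not a script from the Semgrep documentation; the trunk branch name, the positional arguments, and the Jenkins variable names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the Semgrep docs): choose between a full scan on the
# trunk branch and a diff-aware scan on a feature branch, validate the per-rule
# timeout, then run `semgrep ci` with the resulting environment.

TRUNK_BRANCH="${TRUNK_BRANCH:-main}"   # assumed trunk name; adjust per repository

# Print the environment assignments for this build, one per line.
#   $1 = branch being built
#   $2 = PR/MR target branch, or "" for a non-PR build
#   $3 = per-rule timeout in seconds (default 5, Semgrep's own default)
semgrep_ci_env() {
  branch="$1"; target="${2:-}"; timeout="${3:-5}"

  # Reject non-integers, and refuse 0: it removes the per-rule time limit.
  case "$timeout" in
    ''|*[!0-9]*) echo "error: SEMGREP_TIMEOUT must be a positive integer" >&2; return 1 ;;
    0)           echo "error: SEMGREP_TIMEOUT=0 removes the time limit; refusing" >&2; return 1 ;;
  esac
  echo "SEMGREP_TIMEOUT=$timeout"

  if [ -n "$target" ]; then
    # PR/MR build: diff-aware scan against the target branch.
    echo "SEMGREP_BASELINE_REF=$target"
  elif [ "$branch" != "$TRUNK_BRANCH" ]; then
    # Feature branch built without PR metadata: still diff against trunk.
    echo "SEMGREP_BASELINE_REF=$TRUNK_BRANCH"
  fi
  # Trunk build: no baseline is set, so `semgrep ci` performs a full scan.
}

# Run `semgrep ci` with the computed environment (word splitting on newlines
# turns the printed assignments into arguments for env).
run_semgrep_ci() {
  vars=$(semgrep_ci_env "$@") || return 1
  # shellcheck disable=SC2086
  env $vars semgrep ci
}

# Usage in the CI job (assumes Jenkins multibranch, which exposes BRANCH_NAME
# and, for PR builds, CHANGE_TARGET):
#   sh semgrep_ci.sh run "$BRANCH_NAME" "${CHANGE_TARGET:-}" "${SEMGREP_TIMEOUT:-5}"
case "${1:-}" in
  run) shift; run_semgrep_ci "$@" ;;
esac
```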