- Ignoring as exclusion. Exclude or skip specific files and folders from the scope of Semgrep scans in your repository or working directory. Ignoring in this context means that Semgrep does not generate findings for the ignored files and folders.
- Ignoring as triage action. Ignore specific parts of code that would have generated a finding. Ignoring in this context means that Semgrep generates a finding record and automatically triages it as Ignored, a triage state.
Reference summary
Understand Semgrep defaults
Without user customization, Semgrep refers to the following to define ignored files and folders:- Semgrep’s default
.semgrepignorefile - Your repository’s
.gitignorefile (if it exists) - For Semgrep AppSec Platform users: each project (repository or subfolder in monorepo) in Semgrep has a list of ignored files and folders in its project details page.
.semgrepignore, Semgrep refers to its repository’s default template:
Override defaults
The default.semgrepignore file causes Semgrep to skip these folders:
/tests,/test/vendors
1
Create a
.semgrepignore file at the repository root without those paths.2
For Platform users: remove the folders from the project ignore list in Projects > PROJECT_NAME > Details page > Settings > Path ignores > Code (SAST) & Supply Chain (SCA).
Files, folders, and code beyond Semgrep’s scope
There are files that Semgrep ignores even without.semgrepignore:
- Large files (maximum file size defaults to 1 MB)
- Binary files
- Unknown file extensions (file extensions not matched with any supported programming language)
.jpg files are not a part of Semgrep’s scope and therefore are not part of the scope of this document.
Customize ignore behavior
Semgrep provides several methods to customize ignore behavior. Refer to the following table to see which method suits your goal:Define ignored files and folders in .semgrepignore
Configure a .semgrepignore file to ignore files and folders each time you run a Code or Supply Chain scan.
.semgrepignore syntax mirrors .gitignore syntax, with the following modifications:
- “Character range” patterns (lines including a collection of characters inside brackets) are unsupported.
- An
:include ...directive is added, which allows another file to be included in the ignore pattern list; typically this included file would be the project.gitignore. No attempt at cycle detection is made. - Any line that begins with a colon, but not
:include, raises an error. \:is added to escape leading colons.
.gitignore files may be included without raising errors). The removal is logged.
For a description of .gitignore syntax, see .gitignore documentation.
Define ignored files and folders in Semgrep AppSec Platform
Another method for users to define ignore patterns is through Semgrep AppSec Platform. These patterns follow the same syntax as.semgrepignore in the preceding section. You can either define patterns at the individual-project level or at the organization level, so they’re applied to all projects owned by that organization.
Ignoring files and folders through this method is additive.
Adding items to Semgrep AppSec Platform’s Path Ignores box doesn’t override default Semgrep ignore patterns included with its CLI tool, since the patterns are additive. To override a Semgrep default, both an existing local .semgrepignore file and the Path ignores box must be configured. See Override defaults.
All files and folders defined using Semgrep AppSec Platform’s Path Ignores feature, both for a specific project and globally, are additive.
Define files and folders for a specific project
1
Sign in to Semgrep AppSec Platform.
2
From the sidebar, click Projects.
3
Find the project you want to modify, then click its icon under Details.
4
Click the Settings tab.
5
To define files and folders that Semgrep can ignore:i. Click Code (SAST) & Supply Chain (SCA) or Secrets to expand and display the Path Ignores box.ii. Enter files and folders to ignore in the relevant Path Ignores box.iii. Click Save changes.
Define files and folders for all projects of an organization
1
Sign in to Semgrep AppSec Platform.
2
Click Settings. This takes you to the General > Global settings tab.
3
Expand the Path ignores section. Enter the file and folder paths you want Code and Supply Chain to ignore in For Code and Supply Chain. Enter the file and folder paths you want Secrets to ignore in For Secrets.
4
Click Save changes.
Add items to .semgrepignore during findings triage
You can also add files to .semgrepignore while triaging individual findings using Semgrep AppSec Platform:
1
On the Semgrep Code Findings page, click the Status filter, and then select the Open status to see all open findings.
2
Click the finding you want ignored to open its Details page.
3
Select Ignored, and optionally, select an Ignore reason.
4
Click to expand Ignore files in future scans….
5
Select the files you want ignored in future scans.
6
Click Change status to save.
Ignore code through nosemgrep
To ignore blocks of code, define an inline comment, followed by the wordnosemgrep, at either the first line or the line preceding the potential match. Semgrep ignores all rule pattern matches. This functionality works across all supported languages.
nosemgrep in Python:
nosemgrep in JavaScript:
rule-id as follows: nosemgrep: RULE_ID. To ignore multiple rules, use a comma-delimited list. rule-ids must be referenced with their namespace.
Python examples:
configs subdirectory:
NOTEPrevious annotations for ignoring code inline, such as
nosem, are deprecated.Disable rules on Semgrep AppSec Platform
Semgrep AppSec Platform users can disable rules and rulesets through the Policies page. See Disable rules and Disable rulesets.Ignore findings
Ignoring can also be a triage action. In this case, the code is scanned rather than excluded, and if a pattern match occurs, a finding record is generated that you can then triage as Ignored. See Triage and remediate Semgrep Code findings in Semgrep AppSec Platform to learn how to:Manage findings
Ignore findings through PR and MR comments
Troubleshooting
Tips to prevent unexpected ignore behavior
Because Semgrep ignore logic is configured at the file, repository, and platform level, you may sometimes encounter unexpected behavior.- If possible, only create a custom, user-defined
.semgrepignorefile if you are overriding Semgrep defaults. This means defining all other items to ignore through the global or project path ignores.- This method works well if your organization primarily scans using the
semgrep cicommand.
- This method works well if your organization primarily scans using the
- Be aware that creating a user-defined
.semgrepignorefile enables developers to edit it. - Include the
.semgrepignorefile in Git tracking to keep a log of changes and ensure it’s applied consistently. - To include a file or folder for scanning, ensure it’s not in any of the following places:
- Global path ignores
- Project path ignores
- User-defined
.semgrepignore - Semgrep defaults (implicit)
.semgrepignore
SAST_EXCLUDED_PATHS
For GitLab users: if you use the SAST_EXCLUDED_PATHS variable to specify paths excluded from analysis, you may find that Semgrep doesn’t honor these items. This is due to default Semgrep behavior. To explicitly exclude files, you must do one of the following steps:
1
Create a
.semgrepignore file that lists the files you want excluded.2
Update the Path Ignores box in Semgrep AppSec Platform.