> ## Documentation Index
> Fetch the complete documentation index at: https://docs.semgrep.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Ignore files, folders, and code

This document describes two types of ignore operations:

* **Ignoring as exclusion.** Exclude or skip specific **files and folders** from the scope of Semgrep scans in your repository or working directory. Ignoring in this context means that Semgrep does not generate findings for the ignored files and folders.
* **Ignoring as triage action**. Ignore specific parts of code that would have generated a finding. Ignoring in this context means that Semgrep generates a finding record and automatically triages it as **Ignored**, a triage state.

All Semgrep environments (CLI, CI, and Semgrep AppSec Platform) adhere to user-defined or Semgrep-defined ignore patterns.

## Reference summary

| Method                                                                                                                                                                                                                                                    | Usage                                                                                                                                                                                                                                                                                                                                 |                                                                                                                                    |
| :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------- |
| To ignore blocks of code: Add a `nosemgrep` annotation                                                                                                                                                                                                    | Create a comment, followed by `nosemgrep`, at the first line or preceding line of the pattern match. This generates a finding that is automatically ignored. <br /><br />For example:<br /><br />` // nosemgrep`      <br />`// nosemgrep: rule-id` <br /> `# nosemgrep`                                                              |                                                                                                                                    |
| For Semgrep AppSec Platform users: <br /><br /><ul><li>Ignore files and folders through the use of Semgrep AppSec Platform's **Project or Global ignores**</li><li>Override the implicit ignorelist through the use of a `.semgrepignore` file.</li></ul> | Navigate to **Projects >** ***PROJECT\_NAME*** **> Settings > Path ignores**.<br /><br />                                                                                                                                                                                                                                             |                                                                                                                                    |
| For Semgrep Community Edition (CE) users:<br /><br />Ignore files and folders through a `.semgrepignore` file                                                                                                                                             | Create a `.semgrepignore` file in your **repository's root directory** or your **project's working directory** and add patterns for files and folders there. Patterns follow `.gitignore` syntax with some caveats. See [Defining ignored files and folders in `.semgrepignore`](#define-ignored-files-and-folders-in-semgrepignore). | [`.semgrepignore` sample file](https://raw.githubusercontent.com/semgrep/semgrep/develop/cli/src/semgrep/templates/.semgrepignore) |

## Understand Semgrep defaults

Without user customization, Semgrep refers to the following to define ignored files and folders:

* Semgrep's default `.semgrepignore` file
* Your repository's `.gitignore` file (if it exists)
* For Semgrep AppSec Platform users: each project (repository or subfolder in monorepo) in Semgrep has a list of ignored files and folders in its project details page.

In the absence of a user-generated `.semgrepignore`, Semgrep refers to [its repository's default template](https://github.com/semgrep/semgrep/blob/develop/cli/src/semgrep/templates/.semgrepignore):

```text theme={null}
# Administrative folder or file used by popular version control systems
.git
.svn
.hg
_darcs
CVS

# Paths to files and folders that are typically large and ignorable
build/
vendor/
dist/
*.min.js
.env/
.tox/

# Package managers
node_modules/
.npm/
.yarn/
.venv/
_opam/
_build/
_cargo/
# Note that PHP composer uses vendor/ and C++ conan uses build/
# .venv is used both by Go and Python.

# Common test paths
test/
tests/
testsuite/
*_test.go

```

## Override defaults

The default `.semgrepignore` file causes Semgrep to skip these folders:

* `/tests`, `/test`
* `/vendors`

To include these folders:

<Steps>
  <Step>
    Create a `.semgrepignore` file at the repository root without those paths.
  </Step>

  <Step>
    For Platform users: remove the folders from the project ignore list in **Projects >** ***PROJECT\_NAME*** **> Details page > Settings > Path ignores > Code (SAST) & Supply Chain (SCA)**.
  </Step>
</Steps>

## Files, folders, and code beyond Semgrep's scope

There are files that Semgrep ignores even without `.semgrepignore`:

* Large files (maximum file size defaults to 1 MB)
* Binary files
* Unknown file extensions (file extensions not matched with any supported programming language)

Large files and unknown file extensions are included or excluded through command line flags (See [CLI reference](/cli-reference)). Binary files are never scanned.

This document defines **files, folders and code** as those that are **relevant to a Semgrep scan**. For example, `.jpg` files are not a part of Semgrep's scope and therefore are not part of the scope of this document.

## Customize ignore behavior

Semgrep provides several methods to customize ignore behavior. Refer to the following table to see which method suits your goal:

| Goal                                                                                                   | Method                                                                                                                                                                                                                                                                                            |
| :----------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| To ignore custom files and folders each time you run a Code or Supply Chain scan.                      | Add these files to your `.semgrepignore` file or [define them through Semgrep AppSec Platform](#define-ignored-files-and-folders-in-semgrep-appsec-platform).                                                                                                                                     |
| To ignore specific code blocks each time you run a scan.                                               | Create a comment with the word `nosemgrep`.                                                                                                                                                                                                                                                       |
| To ignore files or folders for a particular scan.                                                      | Run Semgrep with the flag `--exclude` followed by the pattern or file to be excluded. See [CLI reference](/cli-reference).                                                                                                                                                                        |
| To include files or folders for a particular scan.                                                     | Run Semgrep with the flag `--include` followed by the pattern or file to be included. Any file that isn't matched is excluded. See CLI reference. When including a pattern from a `.gitignore` or `.semgrepignore` file, `--include` does not override either, resulting in the file's exclusion. |
| To scan all files within Semgrep's scope each time you run Semgrep (only files in `.git` are ignored). | Create an empty `.semgrepignore` file in your repository root directory, and for `semgrep ci` scans, [remove any entries listed in your **Path Ignores** list](#define-ignored-files-and-folders-in-semgrep-appsec-platform) in Semgrep AppSec Platform.                                          |
| To include files or folders defined within a `.gitignore` for a particular scan.                       | Run Semgrep with the flag `--no-git-ignore`.                                                                                                                                                                                                                                                      |
| To ignore files or folders for a particular rule.                                                      | Edit the rule to set the `paths` key with one or more patterns. See [Rule syntax](/writing-rules/rule-syntax#paths).                                                                                                                                                                              |

## Define ignored files and folders in `.semgrepignore`

Configure a `.semgrepignore` file to ignore files and folders each time you run a Code or Supply Chain scan.

<Warning>
  **CAUTION**

  For Secrets scans, Semgrep ignores both the default and user-defined `.semgrepignore` files. You can still configure secrets-specific ignores in [Semgrep AppSec Platform](#define-ignored-files-and-folders-in-semgrep-appsec-platform) or use the `--exclude` flag to ignore files or folders for a particular scan.
</Warning>

`.semgrepignore` syntax mirrors `.gitignore` syntax, with the following modifications:

* "Character range" patterns (lines including a collection of characters inside brackets) are unsupported.
* An `:include ...` directive is added, which allows another file to be included in the ignore pattern list; typically this included file would be the project `.gitignore`. No attempt at cycle detection is made.
* Any line that begins with a colon, but not `:include`, raises an error.
* `\:` is added to escape leading colons.

Unsupported patterns are silently removed from the pattern list (this is done so that `.gitignore` files may be included without raising errors). The removal is logged.

For a description of `.gitignore` syntax, see [.gitignore documentation](https://git-scm.com/gitignore).

## Define ignored files and folders in Semgrep AppSec Platform

Another method for users to define ignore patterns is through Semgrep AppSec Platform. These patterns follow the same syntax as `.semgrepignore` in the preceding section. You can either define patterns at the individual-project level or at the organization level, so they're applied to all projects owned by that organization.

Ignoring files and folders through this method is **additive**.

Adding items to Semgrep AppSec Platform's **Path Ignores** box **doesn't** override default Semgrep ignore patterns included with its CLI tool, since the patterns are additive. To override a Semgrep default, both an existing local `.semgrepignore` file and the **Path ignores** box must be configured. See [Override defaults](#override-defaults).

All files and folders defined using Semgrep AppSec Platform's **Path Ignores** feature, both for a specific project and globally, are additive.

<Tip>
  **TIP**

  This method is used by the `semgrep ci` command. For `semgrep scan`, you can only define ignored files and folders through `.semgrepignore`.
</Tip>

### Define files and folders for a specific project

<Steps>
  <Step>
    Sign in to [<Icon icon="external-link" iconType="solid" /> Semgrep AppSec Platform](https://semgrep.dev/login).
  </Step>

  <Step>
    From the sidebar, click **[Projects](https://semgrep.dev/orgs/-/projects)**.
  </Step>

  <Step>
    Find the project you want to modify, then click its **<Icon icon="window-restore" iconType="regular" /> icon** under **Details**.
  </Step>

  <Step>
    Click the **Settings** tab.
  </Step>

  <Step>
    To define files and folders that Semgrep can ignore:

    i. Click **Code (SAST) & Supply Chain (SCA)** or **Secrets** to expand and display the **Path Ignores** box.

    ii. Enter files and folders to ignore in the relevant **Path Ignores** box.

    iii. Click **Save changes**.
  </Step>
</Steps>

### Define files and folders for all projects of an organization

<Steps>
  <Step>
    Sign in to [<Icon icon="external-link" iconType="solid" /> Semgrep AppSec Platform](https://semgrep.dev/login).
  </Step>

  <Step>
    Click **Settings**. This takes you to the **General > Global** settings tab.
  </Step>

  <Step>
    Expand the **Path ignores** section. Enter the file and folder paths you want Code and Supply Chain to ignore in **For Code and Supply Chain**. Enter the file and folder paths you want Secrets to ignore in **For Secrets**.
  </Step>

  <Step>
    Click **Save changes**.
  </Step>
</Steps>

### Add items to `.semgrepignore` during findings triage

You can also add files to `.semgrepignore` while triaging individual findings using Semgrep AppSec Platform:

<Steps>
  <Step>
    On the Semgrep Code [Findings](https://semgrep.dev/orgs/-/findings?tab=open) page, click the **Status** filter, and then select the **Open** status to see all open findings.
  </Step>

  <Step>
    Click the finding you want ignored to open its **Details** page.
  </Step>

  <Step>
    Select **Ignored**, and optionally, select an **Ignore reason**.
  </Step>

  <Step>
    Click to expand **Ignore files in future scans...**.
  </Step>

  <Step>
    Select the files you want ignored in future scans.
  </Step>

  <Step>
    Click **Change status** to save.
  </Step>
</Steps>

## Ignore code through nosemgrep

To ignore blocks of code, define an **inline comment**, followed by the word `nosemgrep`, at either the **first line** or **the line preceding** the potential match. Semgrep ignores all rule pattern matches. This functionality works across all supported languages.

<Warning>
  **CAUTION**

  Ignoring code through this method still generates a finding. The finding is automatically set to the **Ignored** triage state.
</Warning>

`nosemgrep` in Python:

```python theme={null}

bad_func1()  # nosemgrep

# nosemgrep
bad_func2()

```

`nosemgrep` in JavaScript:

```javascript theme={null}

// nosemgrep
bad_func1()

bad_func2(); // nosemgrep

bad_func3(   // nosemgrep
    arg
);

```

To ignore blocks of code for a **particular rule**, enter its `rule-id` as follows: `nosemgrep: RULE_ID`. To ignore **multiple rules**, use a comma-delimited list. `rule-ids` must be referenced with their namespace.

Python examples:

```python theme={null}

bad_func1()  # nosemgrep: rule-id-1

# nosemgrep: rule-id-1, rule-id-2
bad_func2()

```

JavaScript examples wherein rules are stored in a `configs` subdirectory:

```javascript theme={null}

// nosemgrep: configs.rule-id-3
bad_func1()

bad_func2(); // nosemgrep: configs.rule-id-3

bad_func3(   // nosemgrep: configs.rule-id-3, configs.rule-id-4
    arg
);

```

<Info>
  **NOTE**

  Previous annotations for ignoring code inline, such as `nosem`, are deprecated.
</Info>

## Disable rules on Semgrep AppSec Platform

Semgrep AppSec Platform users can disable rules and rulesets through the Policies page. See [Disable rules](/semgrep-code/policies#disable-rules) and [Disable rulesets](/semgrep-code/triage-remediation/#disable-a-ruleset-or-a-rule).

## Ignore findings

**Ignoring** can also be a triage action. In this case, the code is scanned rather than excluded, and if a pattern match occurs, a finding record is generated that you can then triage as **Ignored**. See [Triage and remediate Semgrep Code findings in Semgrep AppSec Platform](/semgrep-code/triage-remediation/#ignore-findings) to learn how to:

<CardGroup>
  <Card title="Manage findings" icon="check-circle" href="/semgrep-code/triage-remediation#triage-and-remediation" horizontal />

  <Card title="Ignore findings through PR and MR comments" icon="message" href="/semgrep-code/triage-remediation#triage-findings-through-pr-and-mr-comments" horizontal />
</CardGroup>

## Troubleshooting

### Tips to prevent unexpected ignore behavior

<Tip>
  **TIP**

  This section focuses on ignoring as excluding or skipping files, not as a triage action.
</Tip>

Because Semgrep ignore logic is configured at the file, repository, and platform level, you may sometimes encounter unexpected behavior.

* If possible, only create a custom, user-defined `.semgrepignore` file if you are **overriding** Semgrep defaults. This means defining all other items to ignore through the global or project path ignores.
  * This method works well if your organization primarily scans using the `semgrep ci` command.
* Be aware that creating a user-defined `.semgrepignore` file enables developers to edit it.
* Include the `.semgrepignore` file in Git tracking to keep a log of changes and ensure it's applied consistently.
* To **include** a file or folder for scanning, ensure it's not in any of the following places:
  * Global path ignores
  * Project path ignores
  * User-defined `.semgrepignore`
  * Semgrep defaults (implicit) `.semgrepignore`

### `SAST_EXCLUDED_PATHS`

**For GitLab users**: if you use [the `SAST_EXCLUDED_PATHS` variable](https://docs.gitlab.com/ee/user/application_security/sast/#vulnerability-filters) to specify paths excluded from analysis, you may find that Semgrep doesn't honor these items. This is due to default Semgrep behavior. To explicitly exclude files, you must do one of the following steps:

<Steps>
  <Step>
    Create a `.semgrepignore` file that lists the files you want excluded.
  </Step>

  <Step>
    [Update the **Path Ignores** box](#define-ignored-files-and-folders-in-semgrep-appsec-platform) in Semgrep AppSec Platform.
  </Step>
</Steps>
