Semgrep Managed Scans doesn't run for pull requests in GitHub merge queues

Documentation Index

Fetch the complete documentation index at: https://docs.semgrep.dev/llms.txt

Use this file to discover all available pages before exploring further.

• Use Semgrep Managed Scans to automatically scan your projects
• Use GitHub merge queues to automate pull request merges
• Have made the Semgrep scan a required check

​

Why Semgrep doesn’t run in merge queues

• Diff-aware scans during a merge queue check aren’t meaningful. The purpose of a diff-aware scan is to catch issues before code is merged. Pull requests in a merge queue are already approved for merged.
• Full scans take a long time, significantly delaying merges for larger repositories.

​

Workaround

1. Pull request ruleset for the main branch: requires the Semgrep check to pass before merging
2. Merge queue ruleset for the main branch: does not require the Semgrep check. Instead, this uses a placeholder check that runs on merge_group.

​

Define your rulesets

​

Create a placeholder workflow

# .github/workflows/semgrep-mq-placeholder.yml
name: Semgrep - merge queue placeholder

on:
   merge_group: {}
   workflow_dispatch: {}
   pull_request: {}

jobs:
   semgrep-mq-placeholder:
      name: semgrep-cloud-platform/scan   # this is the name required in the MQ ruleset
      runs-on: ubuntu-latest
      timeout-minutes: 3
      steps:
         - run: echo "OK – Semgrep already ran on the PR; MQ can proceed."

​

Example walkthrough