> ## Documentation Index
> Fetch the complete documentation index at: https://docs.semgrep.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Set up reusable GitHub workflows for Semgrep scans

Reusable workflows allow you to simplify the process of configuring `.github/workflows/semgrep.yml` files for each of your repositories. You define a workflow once in a central repository, then reuse it in workflows in other repositories. This [avoids duplication](https://docs.github.com/en/actions/using-workflows/reusing-workflows#overview) and makes maintenance easier.

Reusable workflows can be triggered by several types of events, including push, pull request, and schedule. This makes them relatively flexible compared to repository rulesets. Repository rulesets or branch protection rules can only be triggered by pull request event types.

## Set up a reusable workflow

<Steps>
  <Step>
    Create a new repository to hold your reusable workflow, and add a `.github/workflows/semgrep.yml` file.

    <Frame>
      <img src="https://mintcdn.com/semgrep-ee9d73d8/dAOv4YoaZfaIbJZH/images/kb/semgrep-ci/github-reusable-workflows-semgrep/reusable-workflows-image-1.png?fit=max&auto=format&n=dAOv4YoaZfaIbJZH&q=85&s=48efd6d692ac3689ae5e0effc0fce7ef" alt="image info" width="1934" height="688" data-path="images/kb/semgrep-ci/github-reusable-workflows-semgrep/reusable-workflows-image-1.png" />
    </Frame>
  </Step>

  <Step>
    Add the job configuration to `semgrep.yml` under `jobs:`. You can use the job definition from the [recommended snippet](/semgrep-ci/sample-ci-configs#sample-github-actions-configuration-file) or your current job configuration.
  </Step>

  <Step>
    Under the `on:` key, add `workflow_call`. This defines the condition to trigger the job described in the reusable workflow: when another repository calls it. Other keys under `on:` are optional for the reusable workflow.

    <Frame>
      <img src="https://mintcdn.com/semgrep-ee9d73d8/dAOv4YoaZfaIbJZH/images/kb/semgrep-ci/github-reusable-workflows-semgrep/reusable-workflows-image-2.png?fit=max&auto=format&n=dAOv4YoaZfaIbJZH&q=85&s=b1ef4ba0fccb12636d6706127a1300ee" alt="image info" width="1432" height="1454" data-path="images/kb/semgrep-ci/github-reusable-workflows-semgrep/reusable-workflows-image-2.png" />
    </Frame>
  </Step>

  <Step>
    In each repository where you want your reusable workflow called, create or update the `semgrep.yml` file to call the reusable workflow. To do this, include `uses` under the `jobs:` key as shown in the following sample configuration.
  </Step>
</Steps>

```
name: Semgrep
on:
  # Scan changed files in PRs (diff-aware scanning):
  pull_request: {}
  # Scan on-demand through GitHub Actions interface:
  workflow_dispatch: {}
  # Schedule the CI job (this method uses cron syntax):
  schedule:
    # Please change the cron schedule to a random time to avoid load spikes on GHA.
    - cron: '24 13 * * *' # Sets Semgrep to scan every day at 13:24 UTC.
jobs:
  call-semgrep:
    uses: {ORG}/{REPO}/.github/workflows/semgrep.yml@main
    secrets: inherit
```

When using this sample configuration, be sure to update the schedule under `on` to a random time, and set repository details and path for the reusable workflow under `jobs` to match where you stored your reusable workflow.

The `secrets: inherit` line passes the secrets from the calling workflow to the called workflow, so each calling repository must also have a `SEMGREP_APP_TOKEN` secret added. GitHub [does not currently support](https://github.com/github/roadmap/issues/636) passing secrets from a central reusable workflow (the called workflow) to the calling workflows.

## Run a scan

Once you've configured the workflows for your repositories, the reusable workflow is called whenever a triggering event occurs, such as when a developer opens a pull request or commits a change.

<Frame>
  <img src="https://mintcdn.com/semgrep-ee9d73d8/dAOv4YoaZfaIbJZH/images/kb/semgrep-ci/github-reusable-workflows-semgrep/reusable-workflows-image-3.png?fit=max&auto=format&n=dAOv4YoaZfaIbJZH&q=85&s=d29c9040c47b296925b882ff606ae688" alt="image info" width="1516" height="742" data-path="images/kb/semgrep-ci/github-reusable-workflows-semgrep/reusable-workflows-image-3.png" />
</Frame>

## Limitations

As described in [Set up a reusable workflow](#set-up-a-reusable-workflow), you must create a `.github/workflows/semgrep.yml` file for each repository to call the reusable workflow **and** add a `SEMGREP_APP_TOKEN` secret to the repository. This is in contrast to [repository rulesets](/kb/semgrep-ci/github-repository-rulesets-semgrep), which only require the central workflow file to be added.
