The following config.yml file demonstrates how you can generate a manifest file or lockfile and pass it to subsequent jobs using CircleCI workspaces. This example, which is most relevant to users scanning a Scala or Bazel project, uses a maven_dep_tree.txt file, which typically needs to be generated from a pom.xml for Maven dependency tracking.

version: 2.1

jobs:
  lock_file_generation:
    docker:
      - image: cimg/openjdk:17.0
    steps:
      - checkout
      - run:
          name: lock file generation
          command: |
            mkdir -p workspace
            # Write the Maven dependency tree that Semgrep reads as the manifest
            mvn dependency:tree -DoutputFile=workspace/maven_dep_tree.txt
            cat workspace/maven_dep_tree.txt
      - persist_to_workspace: # Hand the manifest to the downstream scan job
          root: workspace
          paths:
            - maven_dep_tree.txt

  scan:
    docker:
      - image: semgrep/semgrep
    steps:
      - checkout
      - attach_workspace: # This step attaches the workspace from the previous job
          at: /tmp/workspace
      - run:
          name: semgrep scan
          command: |
            # Place the manifest in the repository root so semgrep ci picks it up
            cp /tmp/workspace/maven_dep_tree.txt .
            semgrep ci

workflows:
  version: 2
  build_and_scan:
    jobs:
      - lock_file_generation
      - scan:
          context:
            - semgrep
          requires:
            - lock_file_generation # The manifest must exist before the scan runs

Here, semgrep is the name of the CircleCI context in which you define the environment variables Semgrep needs, such as SEMGREP_APP_TOKEN. This matches the sample configuration for CircleCI. You can give the context a different name if you prefer, as long as the scan job references that name.
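As an added example (not from the Semgrep docs or the semgrep project), a POSIX shell check the scan job could run between the cp and semgrep ci steps: it fails the job when the manifest handed over by the workspace is missing, empty, or does not look like mvn dependency:tree -DoutputFile output, so a broken hand-off surfaces as a pipeline error instead of a scan with an empty dependency inventory. The function names, the threshold argument and the sample manifest are constructed for illustration; the plain-text coordinate-per-line layout is assumed from the -DoutputFile format.

```shell
#!/bin/sh
# Added example, not part of the Semgrep docs: gate `semgrep ci` on a
# plausible maven_dep_tree.txt. Assumes the plain-text layout written by
# `mvn dependency:tree -DoutputFile=...`: one Maven coordinate per line,
# with tree prefixes such as "+- " and "\- " for transitive entries.

# Count lines carrying a coordinate of the form groupId:artifactId:type:version[:scope].
# `grep -c` exits 1 when nothing matches, so `|| true` keeps the count (0) as the result.
count_coordinates() {
    grep -c -E '[A-Za-z0-9_.-]+:[A-Za-z0-9_.-]+:[A-Za-z0-9_.-]+:[A-Za-z0-9_.-]+' "$1" || true
}

# Return 0 when the manifest exists, is non-empty and holds at least $2
# coordinates (default 1); return 1 otherwise, with the reason on stderr.
validate_manifest() {
    manifest="$1"
    min_deps="${2:-1}"
    if [ ! -s "$manifest" ]; then
        echo "manifest $manifest is missing or empty" >&2
        return 1
    fi
    found="$(count_coordinates "$manifest")"
    if [ "$found" -lt "$min_deps" ]; then
        echo "manifest $manifest has $found coordinates, expected at least $min_deps" >&2
        return 1
    fi
    echo "manifest $manifest ok: $found coordinates" >&2
    return 0
}

# Constructed sample manifest in the -DoutputFile layout, so the script runs stand-alone.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
com.example:app:jar:1.0.0
+- org.apache.commons:commons-lang3:jar:3.12.0:compile
\- junit:junit:jar:4.13.2:test
   \- org.hamcrest:hamcrest-core:jar:1.3:test
EOF

# In the CircleCI job this would be: validate_manifest maven_dep_tree.txt 2 || exit 1
validate_manifest "$SAMPLE" 2
```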