.semgrepignore file in your repository’s root directory and define code files and lock files to ignore. The file paths you provide in your .semgrepignore file depend on the option that best suits your organization’s needs:
Unreachable findings are only generated from manifest files or lockfiles, because Semgrep defines unreachable findings as the absence of a match in the code.
Sample .semgrepignore configuration
Given a repository with the following files:
- A file
codefile_with_vuln.jsthat generates reachable and unreachable findings due to a vulnerable dependency. - A
package-lock.jsonfile that lists the vulnerable dependency.
codefile_with_vuln.js to the .semgrepignore file, Semgrep ignores any reachable findings generated when scanning codefile_with_vuln.js, but can still generate findings from package-lock.json:
package-lock.json to the .semgrepignore file, Semgrep will not scan dependencies from this lockfile, so no Supply Chain findings will be generated in either codefile_with_vuln.js or package-lock.json: