Add Semgrep to your Semaphore pipeline
This document shows you how to add Semgrep into Semaphore.
In Semaphore:
1. Create a secret with your SEMGREP_APP_TOKEN.
2. Open the YAML pipeline for your project using the Visual Editor.
3. Click +Add Block.
4. Expand Jobs, and add the following commands to perform a full scan:
   ```
   checkout
   sudo pip install semgrep
   semgrep ci
   ```
5. Enable the secret that you created in Step 1. To do this, expand Secret, and select SEMGREP_APP_TOKEN.
6. Click Run the workflow, provide a Commit summary, and click Looks good, Start to save your changes and run the pipeline job.
Sample Semaphore configuration snippet
Default
The following configuration creates a CI job that runs scans using the products and options you have enabled in Semgrep AppSec Platform.
```yaml
version: v1.0
name: Semaphore Semgrep Example
agent:
  machine:
    type: f1-standard-2
    os_image: ubuntu2204
blocks:
  - name: Semgrep
    task:
      jobs:
        # Job performing a full scan
        - name: Semgrep Full Scan
          commands:
            - checkout
            - sudo pip install semgrep
            - semgrep ci
        # Job performing a diff scan for PR/branches
        - name: Semgrep Diff-aware Scan
          commands:
            - checkout
            - export SEMGREP_BRANCH=$SEMAPHORE_GIT_BRANCH
            - export SEMGREP_BASELINE_COMMIT=$SEMAPHORE_GIT_SHA
            - sudo pip install semgrep
            - semgrep ci
      # Import the secret created in Step 1, which holds the SEMGREP_APP_TOKEN
      secrets:
        - name: SEMGREP_APP_TOKEN
```
You can run specific product scans by passing an argument, such as --supply-chain. View the list of arguments.
Semgrep CE
The following configuration creates a CI job that runs Semgrep CE scans using rules configured for your programming language.
```yaml
version: v1.0
name: Semaphore Semgrep CE Example
agent:
  machine:
    type: f1-standard-2
    os_image: ubuntu2204
blocks:
  - name: Semgrep
    task:
      jobs:
        # Job performing a full scan using Semgrep CE
        - name: Semgrep CE Scan
          commands:
            - checkout
            - sudo pip install semgrep
            - semgrep scan
```
You can customize the scan by entering custom rules or other rulesets to scan with. See Scan your codebase with a specific ruleset.
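The step that is easiest to forget when copying these snippets is enabling the SEMGREP_APP_TOKEN secret on the block (Step 5): without it, `semgrep ci` cannot reach Semgrep AppSec Platform, while the Semgrep CE job (`semgrep scan`) needs no token at all. The following added check, which is not part of the Semgrep or Semaphore documentation, parses a Semaphore pipeline and reports any job that runs `semgrep ci` on a block with no SEMGREP_APP_TOKEN secret attached; the two sample pipelines are constructed here and mirror the snippets above.

```ruby
# Added example, not part of the Semgrep or Semaphore documentation. Walks a
# Semaphore pipeline and reports jobs that run `semgrep ci` on a block without
# the SEMGREP_APP_TOKEN secret enabled (the Step 5 requirement). Jobs running
# `semgrep scan` (Semgrep CE) need no token and are not flagged.
require 'yaml'

# Returns the names of jobs that run `semgrep ci` but whose block attaches no
# secret named SEMGREP_APP_TOKEN. An empty array means the pipeline passes.
def semgrep_jobs_missing_token(pipeline_yaml)
  pipeline = YAML.safe_load(pipeline_yaml)
  missing = []
  Array(pipeline['blocks']).each do |block|
    task = block.fetch('task', {})
    # In Semaphore YAML, secrets are attached at task level, alongside jobs.
    secrets = Array(task['secrets']).map { |s| s['name'] }
    Array(task['jobs']).each do |job|
      uses_ci = Array(job['commands']).any? { |c| c.to_s.split.first(2) == %w[semgrep ci] }
      missing << job['name'] if uses_ci && !secrets.include?('SEMGREP_APP_TOKEN')
    end
  end
  missing
end

# Constructed sample (agent section omitted): the page's full-scan job with the
# secret left off the block, plus a Semgrep CE job that needs none.
UNSAFE_PIPELINE = <<~YAML
  version: v1.0
  blocks:
    - name: Semgrep
      task:
        jobs:
          - name: Semgrep Full Scan
            commands: [checkout, sudo pip install semgrep, semgrep ci]
          - name: Semgrep CE Scan
            commands: [checkout, sudo pip install semgrep, semgrep scan]
YAML

# Constructed sample: the same block with the secret enabled, as on the page.
SAFE_PIPELINE = <<~YAML
  version: v1.0
  blocks:
    - name: Semgrep
      task:
        jobs:
          - name: Semgrep Full Scan
            commands: [checkout, sudo pip install semgrep, semgrep ci]
        secrets:
          - name: SEMGREP_APP_TOKEN
YAML
```

Running `semgrep_jobs_missing_token` over `UNSAFE_PIPELINE` returns `["Semgrep Full Scan"]`, and over `SAFE_PIPELINE` returns `[]`; wiring it into a pre-commit hook or a first pipeline block catches the missing secret before the scan job runs unauthenticated.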