
    Upload Semgrep CI findings to GitLab Security Dashboard

    This document shows a sample job configuration that uploads your Semgrep findings to the GitLab Security Dashboard. See GitLab CI/CD for information on adding a Semgrep configuration file to your GitLab CI/CD pipeline.

```yaml
semgrep:
  # A Docker image with Semgrep installed.
  image: semgrep/semgrep

  rules:
    # Scan changed files in MRs (diff-aware scanning):
    - if: $CI_MERGE_REQUEST_IID

    # Scan mainline (default) branches and report all findings.
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

  variables:
    # Connect to Semgrep AppSec Platform through your SEMGREP_APP_TOKEN.
    # Generate a token from Semgrep AppSec Platform > Settings
    # and add it as a variable in your GitLab CI/CD project settings.
    SEMGREP_APP_TOKEN: $SEMGREP_APP_TOKEN

    # Upload findings to GitLab SAST Dashboard:
    SEMGREP_GITLAB_JSON: "1"

  # Run "semgrep ci" inside the Docker image and write the findings in
  # GitLab SAST report format. "|| true" keeps the job from failing when
  # semgrep exits non-zero, so the report artifact is still uploaded.
  script: semgrep ci --code --gitlab-sast > gl-sast-report.json || true
  artifacts:
    reports:
      sast: gl-sast-report.json
```
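Because `|| true` keeps the job green, the pipeline no longer fails on its own when semgrep reports blocking findings or errors out. As an added example (not part of the Semgrep docs or the job above), this Python helper reads the gl-sast-report.json the script writes so a follow-up job can summarize the findings and decide whether to fail; the field names (vulnerabilities[], severity, location.file/start_line) are assumed from GitLab's SAST report schema, and the sample report is constructed.

```python
import json
from collections import Counter

# Assumed GitLab SAST severity ranking, lowest to highest.
SEVERITY_ORDER = ["Info", "Unknown", "Low", "Medium", "High", "Critical"]

# Constructed sample of what gl-sast-report.json may contain; not real output.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": [
        {"id": "c0ffee01", "severity": "High", "name": "sql-injection (constructed)",
         "location": {"file": "app/db.py", "start_line": 42}},
        {"id": "c0ffee02", "severity": "Medium", "name": "weak-hash (constructed)",
         "location": {"file": "app/auth.py", "start_line": 7}},
        {"id": "c0ffee03", "severity": "High", "name": "path-traversal (constructed)",
         "location": {"file": "app/files.py", "start_line": 19}},
    ],
})

def load_report(text):
    """Parse the report. An empty or malformed file means semgrep itself failed,
    which the job's `|| true` would otherwise hide behind a green status."""
    if not text.strip():
        raise RuntimeError("gl-sast-report.json is empty: no report was produced")
    try:
        report = json.loads(text)
    except ValueError as exc:
        raise RuntimeError(f"gl-sast-report.json is not valid JSON: {exc}") from exc
    if "vulnerabilities" not in report:
        raise RuntimeError("missing 'vulnerabilities': not a GitLab SAST report")
    return report

def count_by_severity(report):
    """Tally findings per severity for a quick job-log summary."""
    return Counter(v.get("severity", "Unknown") for v in report["vulnerabilities"])

def findings_at_or_above(report, threshold):
    """Return (file, line, name) tuples at `threshold` severity or higher."""
    rank = SEVERITY_ORDER.index(threshold)
    return [
        (v["location"]["file"], v["location"]["start_line"], v["name"])
        for v in report["vulnerabilities"]
        if SEVERITY_ORDER.index(v.get("severity", "Unknown")) >= rank
    ]

def should_block(report, threshold="High"):
    """True when a follow-up job should fail the pipeline on these findings."""
    return bool(findings_at_or_above(report, threshold))
```

A later pipeline stage can call `load_report(open("gl-sast-report.json").read())` and exit non-zero when `should_block` is true, restoring the gate that `|| true` removes while still keeping the artifact upload.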
