Semgrep code analysis
Semgrep is a lightweight static analysis for many languages. Find bug variants with patterns that look like source code
Semgrep is a fast, open-source, static analysis tool that searches code, finds bugs, and enforces secure guardrails and coding standards. Semgrep supports 30+ languages and can run in an IDE, as a pre-commit check, and as part of CI/CD workflows.
Github Actions
Add this file to your .github/workflows folder.
semgrep_code_check.yml
# Name of this GitHub Actions workflow.
name: Semgrep
on:
# Scan changed files in PRs (diff-aware scanning):
pull_request: {}
# Scan on-demand through GitHub Actions interface:
workflow_dispatch: {}
# Scan mainline branches and report all findings:
push:
branches: ["master", "main"]
jobs:
semgrep_scan:
name: semgrep/ci
runs-on: ubuntu-latest
container:
# A Docker image with Semgrep installed. Do not change this.
image: returntocorp/semgrep
permissions:
# required for all workflows
security-events: write
# only required for workflows in private repositories
actions: read
contents: read
steps:
# Fetch project source with GitHub Actions Checkout.
- name: Checkout repository
uses: actions/checkout@v3
- name: Perform Semgrep Analysis
# Change the './src' to the root directory you want to set for semgrep to scan.
run: semgrep scan -q --sarif --config auto ./src > semgrep-results.sarif
# Upload the results for the CodeQL GitHub app to annotate the code
- name: Save SARIF results as artifact
uses: actions/upload-artifact@v3
with:
name: semgrep-scan-results
path: semgrep-results.sarif
# Upload SARIF file generated in previous step
- name: Upload SARIF result to the GitHub Security Dashboard
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: semgrep-results.sarif
if: always()Output
The code check run generates a results file in sarif format, is an industry standard format for the output of static analysis tools.
