returntocorp/semgrep-agent

By returntocorp

Updated over 2 years ago
Archived

A specialized Docker image for running Semgrep in CI environments

Image
1

10M+

returntocorp/semgrep-agent repository overview

Semgrep Action

Slack invite Documentation Tests status Docker Pulls

Update from April 11th, 2022

Semgrep now supports GitHub Actions natively! :tada:

Refer to the GitHub Actions configuration document to run Semgrep natively in CI environments.

Project summary

⚠️ Warning ⚠️
This wrapper script is deprecated. It is recommended to stop using this wrapper script and migrate to native Semgrep support instead. Refer to the GitHub Actions configuration document.

Semgrep Action runs Semgrep in CI environments. It can also connect to Semgrep App to configure rules and review findings on a web UI.

To see all the configuration options, check Semgrep docs. Semgrep Action runs Semgrep in CI environments. It can also connect to Semgrep App to configure rules and review findings on a web UI.

  • Scan every commit. Semgrep CI rapidly scans modified files on pull and merge requests, protecting developer productivity. Longer full project scans are configurable on merges to specific branches.
  • Block new bugs. You shouldn’t have to fix existing bugs just to adopt a tool. Semgrep CI reports newly introduced issues on pull and merge requests, scanning them at their base and HEAD commits to compare findings. Developers are signficantly more likely to fix the issues they introduced themselves on PRs and MRs.
  • Get findings where you work. Semgrep CI can connect to Semgrep App to present findings in Slack, on PRs and MRs via inline comments, email, and through 3rd party services.

Semgrep runs fully in your build environment: code is never sent anywhere.

Getting started

Semgrep behaves like other static analysis and linting tools: it runs a set of user-configured rules and returns a non-zero exit code if there are findings, resulting in its job showing a ✅ or ❌.

Refer to Getting started with Semgrep in CI to set up a CI job with Semgrep.

Once Semgrep Action is running, explore the Semgrep Registry to find and add more project-specific rules.

Configuration

See the Semgrep in CI configuration reference for further customizations, such as scanning with custom rules, ignoring files, and tuning performance.

Metrics

Semgrep collects opt-out non-identifiable aggregate metrics for improving the user experience, guiding Semgrep feature development, and identifying regressions.

The PRIVACY.md file describes the principles that guide our data-collection decisions, the breakdown of the data that are and are not collected, and how to opt-out of Semgrep CI’s metrics.

Semgrep never sends your source code anywhere.

Technical details

Packaging

The Semgrep Action GitHub Marketplace listing runs the semgrep-agent Docker image.

New versions of Semgrep CI and the Docker image above are released by Semgrep maintainers on a regular basis. To run all jobs with the latest releases, use the returntocorp/semgrep Docker image, or the returntocorp/semgrep-action@v1 action.

Contributing

See CONTRIBUTING.md

Tag summary

Content type

Image

Digest

sha256:5dc78ee61

Size

96.1 MB

Last updated

over 2 years ago

docker pull returntocorp/semgrep-agent:sha-688b98c