Receive Semgrep MR comments through a GitLab runner

Generally, Semgrep recommends using the GitLab merge request pipeline to receive MR comments. This method is used in the default Semgrep GitLab config file. However, you can also receive comments through your own GitLab runner by setting the following variables in your CI job:

 export GITLAB_CI='true'
 export CI_PROJECT_PATH='<span className="placeholder">USERNAME</span>/<span className="placeholder">PROJECTNAME</span>'
 export CI_MERGE_REQUEST_PROJECT_URL='https://gitlab.com/<span className="placeholder">USERNAME</span>/<span className="placeholder">PROJECTNAME</span>'
 export CI_PROJECT_URL="$CI_MERGE_REQUEST_PROJECT_URL"
 export CI_COMMIT_SHA='<span className="placeholder">COMMIT-SHA-VALUE</span>'
 export CI_COMMIT_REF_NAME='<span className="placeholder">REF</span>'
 export CI_MERGE_REQUEST_TARGET_BRANCH_NAME='<span className="placeholder">BRANCH_NAME</span>'
 export CI_JOB_URL='<span className="placeholder">JOB_URL</span>'
 export CI_PIPELINE_SOURCE='merge_request_event'
 export CI_MERGE_REQUEST_IID='<span className="placeholder">REQUEST_IID</span>'
 export CI_MERGE_REQUEST_DIFF_BASE_SHA='<span className="placeholder">SHA</span>'
 export CI_MERGE_REQUEST_TITLE='<span className="placeholder">MERGE_REQUEST_TITLE</span>'

Replace magenta-colored placeholders in the preceding code snippet with your specific values (for example USERNAME). For more information on all of these variables see GitLab documentation Predefined variables reference. Example with sample values:

export GITLAB_CI='true'
export CI_PROJECT_PATH="gitlab-org/gitlab-foss"
export CI_MERGE_REQUEST_PROJECT_URL="https://example.com/gitlab-org/gitlab-foss"
export CI_PROJECT_URL="$CI_MERGE_REQUEST_PROJECT_URL"
export CI_COMMIT_SHA="1ecfd275763eff1d6b4844ea3168962458c9f27a"
export CI_COMMIT_REF_NAME="main"
export CI_MERGE_REQUEST_TARGET_BRANCH_NAME="main"
export CI_JOB_URL="https://gitlab.com/gitlab-examples/ci-debug-trace/-/jobs/379424655"
export CI_PIPELINE_SOURCE='merge_request_event'
export CI_MERGE_REQUEST_IID="1"
export CI_MERGE_REQUEST_DIFF_BASE_SHA="1ecfd275763eff1d6b4844ea6874447h694gh23d"
export CI_MERGE_REQUEST_TITLE="Testing branches"

Scan GitHub projects in Jenkins Why are there new source code manager (SCM) connections that I didn't manually configure listed in Semgrep AppSec Platform?

⌘I