Skip to main content
This document shows you how to add Semgrep into Semaphore. In Semaphore:
1
Create a secret with your SEMGREP_APP_TOKEN.
2
Open the YAML pipeline for your project using the Visual Editor.
3
Click +Add Block.
4
Expand Jobs, and add the following commands to perform a full scan:
checkout
pipx install semgrep
semgrep ci
5
Enable the secret that you created in Step 1. To do this, expand Secret, and select SEMGREP_APP_TOKEN.
6
Click Run the workflow, provide a Commit summary, and click Looks good, Start to save your changes and run the pipeline job.

Sample Semaphore configuration snippet

The following configuration creates a CI job that runs scans using the products and options you have enabled in Semgrep AppSec Platform.
version: v1.0
name: Semaphore Semgrep Example
agent:
  machine:
    type: f1-standard-2
    os_image: ubuntu2204
blocks:
  - name: Semgrep
    task:
      jobs:
        # Job performing a full scan
        - name: Semgrep Full Scan
          commands:
            - checkout
            - pipx install semgrep
            - semgrep ci
        # Job performing a diff scan for PR/branches
        - name: Semgrep Diff-aware Scan
          commands:
            - checkout
            - export SEMGREP_BRANCH=$SEMAPHORE_GIT_BRANCH
            - export SEMGREP_BASELINE_COMMIT=$SEMAPHORE_GIT_SHA
            - pipx install semgrep
            - semgrep ci
      # import a secret named 'semgrep' with the SEMGREP_APP_TOKEN
      secrets:
        - name: SEMGREP_APP_TOKEN
You can run specific product scans by passing an argument, such as --supply-chain. View the list of arguments.