This document provides a breakdown of the .gitlab-ci.yml configuration used to run Semgrep for static code analysis in a GitLab CI/CD pipeline.
The pipeline is set up to execute Semgrep within a single stage called semgrep. The scan results are stored as a JSON artifact and retained for 1 week.
```yaml
stages:
  - semgrep

run_semgrep:
  stage: semgrep
  image: python:3.8
  before_script:
    - pip install --no-cache-dir --upgrade pip
    - pip install --no-cache-dir virtualenv
    # Isolate Semgrep and its dependencies from the image's site-packages
    - virtualenv venv
    - source venv/bin/activate
    - pip install --no-cache-dir semgrep
    - source venv/bin/activate && semgrep --version
  script:
    - export TZ="Asia/Kolkata"
    # Timestamped report name, e.g. semgrep_report_2024-01-01:10.00.json
    - TIMESTAMP=$(date +%Y-%m-%d:%H.%M)
    - FILENAME="semgrep_report_${TIMESTAMP}.json"
    # --config auto pulls rules from the Semgrep Registry; --json writes the findings to stdout
    - source venv/bin/activate && semgrep --config auto --json --verbose > "$FILENAME"
  artifacts:
    paths:
      - semgrep_report_*.json
    expire_in: 1 week
  only:
    - branches
```
- stages: Defines a single stage named semgrep to run the Semgrep scan.
- run_semgrep (job): Uses python:3.8 as the Docker image, providing Python for installing Semgrep.
- pip install --upgrade pip: Upgrades pip to the latest version in the container.
- pip install virtualenv: Installs virtualenv to create an isolated Python environment.
- virtualenv venv: Creates a virtual environment named venv.
- source venv/bin/activate: Activates the virtual environment so that all installed packages (like Semgrep) are isolated within venv.
- pip install semgrep: Installs Semgrep within the activated virtual environment.
- semgrep --config auto --json > semgrep_report.json: Runs Semgrep with automatic rule configuration. The --json flag outputs results in JSON format, saved to the report file (semgrep_report_<timestamp>.json in the pipeline above).
- semgrep --config path/to/your/config.yaml --json > semgrep_report.json: Optionally, runs Semgrep using a specific configuration file instead of the automatic one.
- artifacts: Stores the semgrep_report_*.json file as an artifact to retain after the job completes.

Usage: Add this .gitlab-ci.yml file to the root of your repository. For further customization, refer to the Semgrep documentation.
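The JSON artifact the job stores is only useful if something reads it. The following script, an added example and not part of the original pipeline, summarizes a Semgrep --json report by severity and returns a non-zero exit status when findings at or above a chosen severity are present, so it can be wired into a later CI stage as a gate. The embedded report is a constructed sample with made-up rule ids in the shape of Semgrep's output; the file name on the command line is whatever the job produced.

```python
"""Summarize a Semgrep --json report and decide whether the CI job should fail.
Added example: reads the semgrep_report_*.json artifact; not part of the original pipeline."""
import json
import sys
from collections import Counter

# Semgrep's own severity labels, most to least severe.
SEVERITY_ORDER = ["ERROR", "WARNING", "INFO"]

# Constructed sample in the shape of Semgrep's --json output (only the fields read below).
SAMPLE_REPORT = json.dumps({"results": [
    {"check_id": "example.sql-injection", "path": "app/models.py",
     "start": {"line": 17}, "extra": {"severity": "ERROR", "message": "Input reaches execute()."}},
    {"check_id": "example.eval-detected", "path": "app/views.py",
     "start": {"line": 42}, "extra": {"severity": "WARNING", "message": "eval() on user data."}},
    {"check_id": "example.unclosed-file", "path": "app/util.py",
     "start": {"line": 5}, "extra": {"severity": "INFO", "message": "File handle never closed."}},
], "errors": []})


def load_findings(report_text):
    """Flatten the `results` array into small records; a malformed report raises instead of passing."""
    report = json.loads(report_text)
    return [{"severity": r["extra"]["severity"], "check_id": r["check_id"],
             "path": r["path"], "line": r["start"]["line"]}
            for r in report.get("results", [])]


def count_by_severity(findings):
    """Counts for every severity, zero included, so the gating logic never hits a missing key."""
    counts = Counter(f["severity"] for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def exceeds_threshold(counts, fail_on="ERROR"):
    """True when any finding is at least as severe as `fail_on` (WARNING also catches ERROR)."""
    cutoff = SEVERITY_ORDER.index(fail_on)
    return any(counts[sev] > 0 for sev in SEVERITY_ORDER[:cutoff + 1])


if __name__ == "__main__":
    # Usage: python gate.py semgrep_report_<timestamp>.json  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    findings = load_findings(text)
    for f in sorted(findings, key=lambda f: SEVERITY_ORDER.index(f["severity"])):
        print(f"{f['severity']:7} {f['path']}:{f['line']}  {f['check_id']}")
    counts = count_by_severity(findings)
    print("totals:", counts)
    sys.exit(1 if exceeds_threshold(counts) else 0)
```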