Skip to content
Latchkey

Semgrep "SEMGREP_APP_TOKEN not set" blocks the scan in CI

When semgrep ci uses a rule policy or reports to Semgrep AppSec Platform, it reads SEMGREP_APP_TOKEN. If that token is missing, semgrep cannot fetch the policy and stops.

What this error means

semgrep ci fails with "You are not logged in!" or a message that SEMGREP_APP_TOKEN is required to fetch the configured rules.

semgrep
You are not logged in!
Run `semgrep login` or set SEMGREP_APP_TOKEN to pull your configured rules.
[ERROR] Failed to fetch rules from the Semgrep platform.

Common causes

The app token secret is not exposed to the step

The workflow references a platform policy but never maps SEMGREP_APP_TOKEN into the environment, so semgrep cannot authenticate.

The scan expects a platform policy but runs unauthenticated

Using semgrep ci with a platform-managed ruleset requires the token; without it, semgrep has no rules to run.

How to fix it

Provide the token from a CI secret

  1. Store the Semgrep app token as a repository or organization secret.
  2. Map it into SEMGREP_APP_TOKEN for the semgrep step.
  3. Re-run so semgrep pulls the configured policy.
.github/workflows/ci.yml
- run: semgrep ci
  env:
    SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}

Run with a local ruleset when no token exists

If you do not use the platform, pass a config explicitly so semgrep does not need to log in.

Terminal
semgrep --config p/secrets --error

How to prevent it

  • Keep the Semgrep app token in CI secrets.
  • Map SEMGREP_APP_TOKEN into every step that uses a platform policy.
  • Use an explicit --config for token-free local scans.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →