Semgrep secrets findings block the pipeline in CI
semgrep ci ran the Secrets rules over your diff, found matches, and exited non-zero because at least one finding is set to block. The finding names the rule, file, and line.
What this error means
semgrep prints a findings summary such as "X findings" including secret rule IDs and exits 1, failing the step. Blocking findings are marked in the output.
semgrep
Findings:
config/app.py
generic.secrets.security.detected-generic-api-key
12| API_KEY = "sk_live_...redacted..."
1 Blocking finding
Ran 850 rules on 42 files: 1 finding.Common causes
A Secrets rule matched real credential syntax
A rule such as detected-generic-api-key matched a value in the diff, and the rule is configured to block, so the job fails.
A false positive from a broad pattern
An example key or test fixture matches a generic secrets pattern even though it is not a live credential.
How to fix it
Remove a real secret or annotate a false positive
- Open the file and line for each blocking finding.
- If it is a real secret, remove and rotate it and read it from the environment.
- For a verified false positive, add a
# nosemgrep: <rule-id>comment on that line.
config/app.py
API_KEY = os.environ["API_KEY"]
EXAMPLE = "sk_test_example" # nosemgrep: generic.secrets.security.detected-generic-api-keyRun the same scan locally
Run semgrep ci locally against the same ruleset so blocking findings surface before the push.
Terminal
semgrep ci --config autoHow to prevent it
- Rotate any credential a secrets rule confirms as real.
- Use line-scoped
# nosemgreponly for verified non-secrets. - Run
semgrep ciin a pre-merge check so findings are caught early.
Related guides
Semgrep "SEMGREP_APP_TOKEN not set" blocks the scan in CIFix Semgrep "You are not logged in" / missing SEMGREP_APP_TOKEN in CI - semgrep ci needs the app token to pul…
Semgrep "invalid rule schema" for a secrets ruleset in CIFix Semgrep "invalid rule schema" / "Invalid rule" in CI - a custom secrets rule YAML is malformed or uses an…
GitGuardian ggshield "1 incident detected" fails CIFix ggshield "1 incident detected" with a non-zero exit in CI - GitGuardian matched a secret in the scanned d…