Skip to content
Latchkey

Semgrep secrets findings block the pipeline in CI

semgrep ci ran the Secrets rules over your diff, found matches, and exited non-zero because at least one finding is set to block. The finding names the rule, file, and line.

What this error means

semgrep prints a findings summary such as "X findings" including secret rule IDs and exits 1, failing the step. Blocking findings are marked in the output.

semgrep
Findings:
  config/app.py
     generic.secrets.security.detected-generic-api-key
        12| API_KEY = "sk_live_...redacted..."

  1 Blocking finding
Ran 850 rules on 42 files: 1 finding.

Common causes

A Secrets rule matched real credential syntax

A rule such as detected-generic-api-key matched a value in the diff, and the rule is configured to block, so the job fails.

A false positive from a broad pattern

An example key or test fixture matches a generic secrets pattern even though it is not a live credential.

How to fix it

Remove a real secret or annotate a false positive

  1. Open the file and line for each blocking finding.
  2. If it is a real secret, remove and rotate it and read it from the environment.
  3. For a verified false positive, add a # nosemgrep: <rule-id> comment on that line.
config/app.py
API_KEY = os.environ["API_KEY"]
EXAMPLE = "sk_test_example"  # nosemgrep: generic.secrets.security.detected-generic-api-key

Run the same scan locally

Run semgrep ci locally against the same ruleset so blocking findings surface before the push.

Terminal
semgrep ci --config auto

How to prevent it

  • Rotate any credential a secrets rule confirms as real.
  • Use line-scoped # nosemgrep only for verified non-secrets.
  • Run semgrep ci in a pre-merge check so findings are caught early.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →