Skip to content
Latchkey

semgrep --sarif: Upload Findings to Code Scanning

semgrep --sarif --output semgrep.sarif writes a SARIF report that GitHub code scanning ingests via github/codeql-action/upload-sarif.

SARIF puts Semgrep findings in the GitHub Security tab and as PR annotations. Generate it in the scan step, upload it in a follow-up step.

What it does

Adding --sarif --output semgrep.sarif to semgrep scan or semgrep ci produces SARIF 2.1.0 alongside the normal output. The codeql-action upload step publishes it to code scanning, mapping each finding to a security alert with rule id and severity.

Common usage

.github/workflows/semgrep.yml
- name: Semgrep
  run: semgrep ci --sarif --output semgrep.sarif
  continue-on-error: true
- name: Upload SARIF
  if: always()
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: semgrep.sarif

Options

Flag / stepWhat it does
--sarifEmit SARIF format
--output <file>Path for the SARIF file
continue-on-error: trueLet the upload run even on a failing scan
permissions: security-events: writeRequired to upload SARIF
if: always()Upload regardless of the scan exit code

In CI

semgrep ci exits non-zero on blocking findings, which would skip the upload, so guard the upload with if: always() and let the scan continue-on-error. The job needs permissions: security-events: write. Fork PRs cannot upload SARIF because they run with read-only tokens.

Common errors in CI

"Resource not accessible by integration" means the missing security-events: write permission. "Path does not exist: semgrep.sarif" means --output was not set or the scan crashed before writing. "rejected SARIF: results exceed limit" appears on enormous result sets; filter with --severity or split rule packs.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →