semgrep --sarif: Upload Findings to Code Scanning
semgrep --sarif --output semgrep.sarif writes a SARIF report that GitHub code scanning ingests via github/codeql-action/upload-sarif.
SARIF puts Semgrep findings in the GitHub Security tab and as PR annotations. Generate it in the scan step, upload it in a follow-up step.
What it does
Adding --sarif --output semgrep.sarif to semgrep scan or semgrep ci produces SARIF 2.1.0 alongside the normal output. The codeql-action upload step publishes it to code scanning, mapping each finding to a security alert with rule id and severity.
Common usage
- name: Semgrep
run: semgrep ci --sarif --output semgrep.sarif
continue-on-error: true
- name: Upload SARIF
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: semgrep.sarifOptions
| Flag / step | What it does |
|---|---|
| --sarif | Emit SARIF format |
| --output <file> | Path for the SARIF file |
| continue-on-error: true | Let the upload run even on a failing scan |
| permissions: security-events: write | Required to upload SARIF |
| if: always() | Upload regardless of the scan exit code |
In CI
semgrep ci exits non-zero on blocking findings, which would skip the upload, so guard the upload with if: always() and let the scan continue-on-error. The job needs permissions: security-events: write. Fork PRs cannot upload SARIF because they run with read-only tokens.
Common errors in CI
"Resource not accessible by integration" means the missing security-events: write permission. "Path does not exist: semgrep.sarif" means --output was not set or the scan crashed before writing. "rejected SARIF: results exceed limit" appears on enormous result sets; filter with --severity or split rule packs.