Semgrep SAST Scanning

Semgrep is a static application security testing (SAST) tool that runs on every branch in the validate stage. It replaced bandit, safety, and npm audit across all CWIQ pipelines in March 2026.

Image: nexus.shared.cwiq.io:8444/semgrep/semgrep:latest

Semgrep is non-blocking: commands run with || true to prevent pipeline failure on findings. The scan produces SARIF and JSON output. The SARIF file is imported into SonarQube for unified viewing; the JSON file is available as a pipeline artifact for direct inspection.


Rulesets

Different rulesets are applied depending on the project language.

Python projects:

semgrep --config p/python --config p/secrets --config p/owasp-top-ten \
  --sarif --output semgrep-results.sarif . || true

Node.js projects:

semgrep --config p/javascript --config p/typescript --config p/react --config p/secrets \
  --sarif --output semgrep-results.sarif . || true

Ruleset Reference

Ruleset          Language     What It Catches
p/python         Python       Python-specific security anti-patterns, unsafe deserialization, SQL injection, subprocess misuse
p/javascript     JavaScript   JS security patterns, prototype pollution, insecure randomness
p/typescript     TypeScript   TypeScript-specific patterns, type assertion misuse
p/react          React/TSX    XSS via dangerouslySetInnerHTML, unsafe link targets, insecure state handling
p/secrets        All          Hardcoded credentials, API keys, tokens, private keys across any file type
p/owasp-top-ten  Python       OWASP Top 10 vulnerability patterns (injection, broken auth, sensitive data exposure, etc.)

Output Artifacts

Both output formats are saved as job artifacts:

Artifact               Format   Consumed By
semgrep-results.sarif  SARIF    sonarqube-scan job (imported into SonarQube)
semgrep-results.json   JSON     Available for manual download from the pipeline
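For the manual-inspection path, the following is an added example (not part of the CWIQ pipeline templates) that summarises a downloaded semgrep-results.json by severity, rule and file, and pulls out the findings at or above a chosen severity so a reviewer knows where to start. It assumes the standard Semgrep JSON layout (a top-level "results" list whose entries carry "check_id", "path", "start"/"end" positions and an "extra" dict with "message" and "severity"); the embedded report is constructed sample data, and its rule ids, paths and messages are placeholders rather than real scan output.

```python
"""Quick triage of a Semgrep JSON report (semgrep-results.json).

Added example for this page; it is not part of the CWIQ pipeline templates.
It assumes the standard Semgrep JSON layout: a top-level "results" list whose
entries carry "check_id", "path", "start"/"end" positions and an "extra" dict
holding "message" and "severity" (INFO, WARNING or ERROR).
"""
import json
import sys
from collections import Counter

# Severity order used for threshold filtering; unknown values rank lowest.
SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2}

# Constructed sample report in the shape Semgrep emits. Rule ids, paths and
# messages are illustrative placeholders, not findings from a real scan.
SAMPLE_REPORT = json.dumps({
    "results": [
        {"check_id": "example.python.subprocess-shell-true",
         "path": "app/runner.py",
         "start": {"line": 12, "col": 5}, "end": {"line": 12, "col": 48},
         "extra": {"message": "subprocess call with shell=True",
                   "severity": "ERROR"}},
        {"check_id": "example.secrets.hardcoded-api-key",
         "path": "config/settings.py",
         "start": {"line": 3, "col": 1}, "end": {"line": 3, "col": 52},
         "extra": {"message": "hardcoded API key in source",
                   "severity": "ERROR"}},
        {"check_id": "example.python.sql-format-string",
         "path": "app/db.py",
         "start": {"line": 40, "col": 9}, "end": {"line": 40, "col": 71},
         "extra": {"message": "SQL query built with string formatting",
                   "severity": "WARNING"}},
        {"check_id": "example.python.requests-no-timeout",
         "path": "app/client.py",
         "start": {"line": 7, "col": 12}, "end": {"line": 7, "col": 44},
         "extra": {"message": "requests call without a timeout",
                   "severity": "INFO"}},
    ],
    "errors": [],
})


def load_results(report_text):
    """Parse the JSON report and return its list of findings."""
    return json.loads(report_text).get("results", [])


def severity_of(finding):
    """Severity string of one finding, or UNKNOWN if the rule set none."""
    return finding.get("extra", {}).get("severity", "UNKNOWN")


def summarize(results):
    """Count findings by severity, rule and file for a triage overview."""
    return {
        "total": len(results),
        "by_severity": dict(Counter(severity_of(f) for f in results)),
        "by_rule": dict(Counter(f["check_id"] for f in results)),
        "by_path": dict(Counter(f["path"] for f in results)),
    }


def findings_at_or_above(results, min_severity="ERROR"):
    """Findings whose severity meets the threshold, most severe first.

    The pipeline job stays non-blocking; this only orders a reviewer's work
    (or serves as a local pre-push check) without changing that.
    """
    threshold = SEVERITY_RANK.get(min_severity, 0)
    kept = [f for f in results
            if SEVERITY_RANK.get(severity_of(f), -1) >= threshold]
    return sorted(kept, key=lambda f: (-SEVERITY_RANK.get(severity_of(f), -1),
                                       f["path"], f["start"]["line"]))


def format_finding(finding):
    """One-line rendering: SEVERITY path:line rule: message."""
    return "{} {}:{} {}: {}".format(
        severity_of(finding), finding["path"], finding["start"]["line"],
        finding["check_id"], finding.get("extra", {}).get("message", ""))


if __name__ == "__main__":
    # Usage: python triage.py semgrep-results.json (falls back to the sample).
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_REPORT
    found = load_results(text)
    summary = summarize(found)
    print("total:", summary["total"], "by severity:", summary["by_severity"])
    for f in findings_at_or_above(found, "WARNING"):
        print(format_finding(f))
```

Run it against the downloaded artifact with `python triage.py semgrep-results.json`; without an argument it runs over the embedded sample. The severity threshold is a reviewer-side convenience only; it does not change the non-blocking behaviour of the pipeline job.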

Including Semgrep in Your Pipeline

The Semgrep job is defined in .gitlab-ci-python.yml (for Python) and .gitlab-ci-node.yml (for Node.js). Extend the appropriate hidden job for your project:

Python project:

semgrep:
  extends: .python-semgrep
  stage: validate
  tags:
    - small

Node.js project:

semgrep:
  extends: .node-semgrep
  stage: validate
  tags:
    - small

The sonarqube-scan job must declare a needs: dependency on the semgrep job to download the SARIF artifact:

sonarqube-scan:
  extends: .sonarqube-scan
  needs:
    - job: semgrep
      artifacts: true
    - job: test
      artifacts: true
    - job: trivy-fs-scan
      artifacts: true

View findings in SonarQube, not directly in the artifact

The JSON artifact is useful for quick inspection, but SonarQube provides a far better interface for triaging findings — grouping by rule, filtering by severity, and tracking which issues are new versus pre-existing. Check https://sonarqube.shared.cwiq.io after the sonarqube-scan job completes.