Add Semgrep to your CI environment by installing it with pip install semgrep or using the official Docker image; pin the version for reproducible builds
Run semgrep scan --config auto (to use Semgrep's recommended rules for detected languages) or specify a custom ruleset with --config path/to/rules.yaml; add --error to fail the pipeline on findings
For team workflows, authenticate with SEMGREP_APP_TOKEN set as a CI secret and use semgrep ci to upload results to Semgrep Cloud Platform and enable diff-aware scanning that only reports new findings in a pull request
Configure a .semgrepignore file (using .gitignore syntax) to exclude generated code, vendor directories, and test fixtures from scanning
Parse SARIF output (--sarif --output results.sarif) and upload it to your code review platform or security dashboard; GitHub natively displays SARIF results as code scanning alerts
Write or adapt custom Semgrep rules in YAML to detect project-specific anti-patterns (hardcoded secrets, unsafe deserialization calls, missing authorization checks) and place them in a rules/ directory
Known gotchas
Semgrep's --config auto downloads rules at scan time; in air-gapped or strict egress environments, pre-download the ruleset and reference it by local path
Pattern matching is syntax-aware but not always flow-sensitive; Semgrep may report false positives for findings that are mitigated by surrounding logic, so triage rules should be tuned over time
Running all community rulesets simultaneously can produce a high volume of findings and slow the scan considerably; start with a curated subset relevant to your language and framework
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp