Ignore files, folders, and code
This document describes two types of ignore operations:
- Ignoring as exclusion. Exclude or skip specific files and folders from the scope of Semgrep scans in your repository or working directory. Ignoring in this context means that Semgrep does not generate findings for the ignored files and folders.
- Ignoring as triage action. Ignore specific parts of code that would have generated a finding. Ignoring in this context means that Semgrep generates a finding record and automatically triages it as Ignored, a triage state.
All Semgrep environments (CLI, CI, and Semgrep AppSec Platform) adhere to user-defined or Semgrep-defined ignore patterns.
Reference summary
Method | Usage | Examples |
---|---|---|
To ignore blocks of code: nosemgrep | Create a comment, followed by a space ( ), followed by nosemgrep at the first line or preceding line of the pattern match. This generates a finding that is automatically ignored. | // nosemgrep // nosemgrep: rule-id # nosemgrep |
To ignore files and folders: .semgrepignore | Create a .semgrepignore file in your repository's root directory or your project's working directory and add patterns for files and folders there. Patterns follow .gitignore syntax with some caveats. See Defining ignored files and folders in .semgrepignore . | .semgrepignore sample file |
Understand Semgrep defaults
Without user customization, Semgrep refers to the following to define ignored files and folders:
- Semgrep's default
.semgrepignore
file - Your repository's
.gitignore
file (if it exists)
In the absence of a user-generated .semgrepignore
, Semgrep refers to its repository's default template:
# Common large paths
node_modules/
build/
dist/
vendor/
.env/
.venv/
.tox/
*.min.js
.npm/
.yarn/
# Common test paths
test/
tests/
*_test.go
# Semgrep rules folder
.semgrep
# Semgrep-action log folder
.semgrep_logs/
The default .semgrepignore
file causes Semgrep to skip these folders:
/tests
,/test
/vendors
To include these folders, create a .semgrepignore
file without those paths.
Files, folders, and code beyond Semgrep's scope
There are files that Semgrep ignores even without .semgrepignore
:
- Large files (maximum file size defaults to 1 MB)
- Binary files
- Unknown file extensions (file extensions not matched with any supported programming language)
Large files and unknown file extensions are included or excluded through command line flags (See CLI reference). Binary files are never scanned.
This document defines files, folders and code as those that are relevant to a Semgrep scan. For example, .jpg
files are not a part of Semgrep's scope and therefore are not part of the scope of this document.
Customize ignore behavior
Semgrep provides several methods to customize ignore behavior. Refer to the following table to see which method suits your goal:
Goal | Method |
---|---|
To scan all files within Semgrep's scope each time you run Semgrep (only files within .git are ignored). | Create an empty .semgrepignore file in your repository root directory or in your project's working directory, and for semgrep ci scans, remove any entries listed in your project's Path Ignores list in Semgrep AppSec Platform. |
To ignore custom files and folders each time you run a scan. | Add these files to your .semgrepignore file or define them through Semgrep AppSec Platform. |
To ignore specific code blocks each time you run a scan. | Create a comment with the word nosemgrep . |
To ignore files or folders for a particular scan. | Run Semgrep with the flag --exclude followed by the pattern or file to be excluded. See CLI reference. |
To include files or folders for a particular scan. | Run Semgrep with the flag --include followed by the pattern or file to be included. Any file that isn't matched is excluded. See CLI reference. When including a pattern from a .gitignore or .semgrepignore file, --include does not override either, resulting in the file's exclusion. |
To include files or folders defined within a .gitignore for a particular scan. | Run Semgrep with the flag --no-git-ignore . |
To ignore files or folders for a particular rule. | Edit the rule to set the paths key with one or more patterns. See Rule syntax. |
Define ignored files and folders in .semgrepignore
.semgrepignore
syntax mirrors .gitignore
syntax, with the following modifications:
- "Include" patterns (lines starting with
!
) are unsupported. - "Character range" patterns (lines including a collection of characters inside brackets) are unsupported.
- An
:include ...
directive is added, which allows another file to be included in the ignore pattern list; typically this included file would be the project.gitignore
. No attempt at cycle detection is made. - Any line that begins with a colon, but not
:include
, raises an error. \:
is added to escape leading colons.
Unsupported patterns are silently removed from the pattern list (this is done so that .gitignore
files may be included without raising errors). The removal is logged.
For a description of .gitignore
syntax, see .gitignore documentation.
Define ignored files and folders in Semgrep AppSec Platform
Another method for users to define ignore patterns is through a Project in Semgrep AppSec Platform. These patterns follow the same syntax as .semgrepignore
in the preceding section.
To define files and folders in Semgrep AppSec Platform:
- Sign in to Semgrep AppSec Platform.
- From the Dashboard Sidebar, select Projects > [Project name].
- Find the project you want to modify, then click its gear icon in the Settings column.
- To define files and folders that Semgrep Code and Semgrep Supply Chain ignore:
- Click Code (SAST) & Supply Chain (SCA) to expand and display the Path Ignores box.
- Enter files and folders to ignore in the Path Ignores box.
- Click Save changes.
- To define files and folders that Semgrep Secrets ignores:
- Click Secrets to expand and display the Path Ignores box.
- Enter files and folders to ignore in the Path Ignores box.
- Click Save changes.
Including files and folders through this method is additive. When you run a scan using semgrep ci
, Semgrep looks for a .semgrepignore
within the repository. If no .semgrepignore
file is found, Semgrep temporarily creates one and adds items from Semgrep AppSec Platform's Path Ignores.
Adding items to Semgrep AppSec Platform's Path Ignores box doesn't override default Semgrep ignore patterns included with its CLI tool, since the patterns are additive. However, items added to .semgrepignore
override default Semgrep CLI patterns.
Add items to .semgrepignore
during findings triage
You can also add files to .semgrepignore
while triaging individual findings using Semgrep AppSec Platform:
- On the Semgrep Code Findings page, click the Status filter, and then select the Open status to see all open findings.
- Click the finding you want ignored to open its Details page.
- Select Ignored, and optionally, select an Ignore reason.
- Click to expand Ignore files in future scans....
- Select the files you want ignored in future scans.
- Click Change status to save.
Ignore code through nosemgrep
To ignore blocks of code, define an inline comment, followed by a space (
), followed by the word nosemgrep
at either the first line or the line preceding the potential match. Semgrep ignores all rule pattern matches. This functionality works across all supported languages.
Ignoring code through this method still generates a finding. The finding is automatically set to the Ignored triage state.
nosemgrep
in Python:
bad_func1() # nosemgrep
# nosemgrep
bad_func2()
nosemgrep
in JavaScript:
// nosemgrep
bad_func1()
bad_func2(); // nosemgrep
bad_func3( // nosemgrep
arg
);
The space (
) before nosemgrep
is required for Semgrep to detect this annotation.
To ignore blocks of code for a particular rule, enter its rule-id
as follows: nosemgrep: RULE_ID
. To ignore multiple rules, use a comma-delimited list. rule-ids
must be referenced with their namespace.
Python examples:
bad_func1() # nosemgrep: rule-id-1
# nosemgrep: rule-id-1, rule-id-2
bad_func2()
JavaScript examples wherein rules are stored in a configs
subdirectory:
// nosemgrep: configs.rule-id-3
bad_func1()
bad_func2(); // nosemgrep: configs.rule-id-3
bad_func3( // nosemgrep: configs.rule-id-3, configs.rule-id-4
arg
);
Previous annotations for ignoring code inline, such as nosem
, are deprecated.
Disable rules on Semgrep AppSec Platform
Semgrep AppSec Platform users can disable rules and rulesets through the Policies page. See Disabling rules and Disabling rulesets.
Ignore findings
Ignoring can also be a triage action. In this case, the code is scanned rather than excluded, and if a pattern match occurs, a finding record is generated that you can then triage as Ignored. See Triage and remediate Semgrep Code findings in Semgrep AppSec Platform to learn how to:
Troubleshooting
For GitLab users: if you use the SAST_EXCLUDED_PATHS
variable to specify paths excluded from analysis, you may find that Semgrep doesn't honor these items. This is due to default Semgrep behavior. To explicitly exclude files, you must do one of the following steps:
- Create a
.semgrepignore
file that lists the files you want excluded. - Update the Path Ignores box in Semgrep AppSec Platform.
Known issues
-
--no-git-ignore
is overridden due to default ignore patterns (.semgrepignore) (#4537)To fix this, create an empty .semgrepignore file. If the scan is a one-off event, delete the .semgrepignore file to restore default ignore patterns.
Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.