Semgrep Collector
Detects Semgrep security scanning via GitHub App or CLI integration. Automatically categorizes results (SAST for code analysis, SCA for Supply Chain) and writes to normalized Component JSON paths.
Add semgrep to your lunar-config.yml:

```yaml
uses: github://earthly/lunar-lib/collectors/semgrep@v1.0.0
```
What This Integration Collects
This integration includes 3 collectors that gather metadata from your systems.
github-app
Detects Semgrep GitHub App scans on pull requests by querying the GitHub check-runs API. Waits for scan completion and captures results. Categorizes as SAST (Code) or SCA (Supply Chain) based on the check name.
running-in-prs
Proves Semgrep is running on PRs by querying Lunar Hub for Semgrep data from recent PRs. Used on the default branch to provide compliance proof that PR scanning is happening (since Semgrep GitHub App only posts checks on PRs, not directly on the default branch).
cli
Detects Semgrep CLI executions in CI pipelines. Captures the command and version. Categorizes based on flags (`--supply-chain` for SCA, default SAST).
`.*\bsemgrep\b.*`
How Collectors Fit into Lunar
Lunar watches your code and CI/CD systems to collect SDLC data from config files, test results, IaC, deployment configurations, security scans, and more.
Collectors are the automatic data-gathering layer. They extract structured metadata from your repositories and pipelines, feeding it into Lunar's centralized database where guardrails evaluate it to enforce your engineering standards.
Example Collected Data
This collector writes structured metadata to the Component JSON. Here's an example of the data it produces:
```json
{
  "sast": {
    "running_in_prs": true,
    "source": {
      "tool": "semgrep",
      "version": "1.50.0",
      "integration": "github_app"
    },
    "native": {
      "semgrep": {
        "github_app": {
          "id": 12345,
          "name": "Semgrep",
          "status": "completed",
          "conclusion": "success"
        },
        "cicd": {
          "cmds": [
            {"cmd": "semgrep scan --config auto", "version": "1.50.0"}
          ]
        }
      }
    }
  }
}
```
Configuration
Configure this collector in your lunar-config.yml.
Secrets
This collector requires the following secrets to be configured in Lunar:
| Secret | Description |
|---|---|
| `GH_TOKEN` | GitHub token for API access (required for github-app collector) |
Documentation
Semgrep Collector
Detects Semgrep security scans and collects findings data from GitHub App or CLI integrations.
Overview
This collector detects Semgrep security scanning via GitHub App or CLI integration. It automatically categorizes results as SAST (for Semgrep Code analysis) or SCA (for Semgrep Supply Chain) and writes to the appropriate normalized Component JSON paths.
The collector auto-detects the scan type based on the check name (for GitHub App) or command flags (for CLI). Scans containing "supply chain", "supply-chain", or "sca" are categorized as SCA; all others default to SAST.
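As an added example (not the collector's own code), the categorization rule above and the JSON layout from the Example Collected Data section, written out in Python. Assumptions: the `integration: "cli"` value for CLI scans is not shown on this page, and "sca" is matched as a whole word so that a check name such as "Semgrep Code scan" is not misclassified as Supply Chain.

```python
import re
import shlex

# Markers the page lists for Supply Chain scans. Assumption: "sca" is matched
# as a whole word, otherwise "scan" would also trigger the SCA category.
SCA_MARKERS = (r"supply chain", r"supply-chain", r"\bsca\b")


def categorize_check(check_name):
    """GitHub App path: classify a check-run by its name."""
    name = check_name.lower()
    return "sca" if any(re.search(m, name) for m in SCA_MARKERS) else "sast"


def categorize_cmd(cmd):
    """CLI path: a --supply-chain flag means SCA, everything else is SAST."""
    argv = shlex.split(cmd)
    return "sca" if "--supply-chain" in argv else "sast"


def from_check_run(check_run, version=None):
    """Build the Component JSON fragment for a GitHub App check-run.

    Returns None while the check is not yet completed, mirroring the
    collector waiting for scan completion before capturing results.
    """
    if check_run.get("status") != "completed":
        return None
    key = categorize_check(check_run["name"])
    return {key: {
        "source": {"tool": "semgrep", "version": version, "integration": "github_app"},
        "native": {"semgrep": {"github_app": {
            "id": check_run["id"],
            "name": check_run["name"],
            "status": check_run["status"],
            "conclusion": check_run["conclusion"],
        }}},
    }}


def from_cli(cmd, version):
    """Build the Component JSON fragment for a Semgrep CLI invocation."""
    key = categorize_cmd(cmd)
    return {key: {
        # "integration": "cli" is an assumed value; the page only shows "github_app".
        "source": {"tool": "semgrep", "version": version, "integration": "cli"},
        "native": {"semgrep": {"cicd": {"cmds": [{"cmd": cmd, "version": version}]}}},
    }}
```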
Collected Data
This collector writes to the following Component JSON paths:
| Path | Type | Description |
|---|---|---|
| `.sast.source` | object | Source metadata for SAST scans |
| `.sast.native.semgrep` | object | Raw Semgrep Code scan results |
| `.sca.source` | object | Source metadata for SCA scans |
| `.sca.native.semgrep` | object | Raw Semgrep Supply Chain scan results |
Collectors
This plugin provides the following collectors (use include to select a subset):
| Collector | Hook Type | Description |
|---|---|---|
| `github-app` | code (PRs only) | Detects Semgrep GitHub App scans on pull requests |
| `running-in-prs` | code (default branch) | Proves Semgrep is running on PRs (compliance proof for default branch) |
| `cli` | ci-after-command | Detects Semgrep CLI executions in CI pipelines |
Installation
Add to your lunar-config.yml:
```yaml
collectors:
  - uses: github://earthly/lunar-lib/collectors/semgrep@v1.0.0
    on: ["domain:your-domain"] # Or use tags like [backend, python]
```
The `github-app` collector requires a `GH_TOKEN` secret for GitHub API access.
The `running-in-prs` collector queries the Lunar Hub database to verify PR scanning. It uses `lunar sql connection-string` to obtain database credentials. If unavailable, the collector skips silently.
Open Source
This collector is open source and available on GitHub. Contribute improvements, report issues, or fork it for your own use.