- Running Semgrep scanners as part of your CI. These scans can be any combination of SAST (Static Application Security Testing), SCA (Software Composition Analysis), or Secrets, depending on your plan.
- Managing team members’ access and authentication.
- Ensuring that Semgrep has sufficient access to your self-hosted source code manager (SCM), such as GitLab Self-Managed.
- Customizing your SAST, SCA, or secrets scans
- Custom rule writing
- Triage
All Semgrep deployment features
Semgrep supports many different technology stacks. Refer to the following table to evaluate which deployment features of Semgrep you can use based on your technologies.Core deployment
These are the absolute minimum Semgrep features for any deployment.Additional deployment features
Useful features that you can add based on your tech stack. You can integrate these features further into your security workflows after some initial testing of your core deployment.Core deployment process
At the minimum, your deployment of Semgrep consists of the following steps:1
Creating a Semgrep account.
Each user of Semgrep has one account.
2
Setting up organizations (orgs).
Each Semgrep account can have many orgs. Orgs are logical groupings of related projects and users.
3
Setting up membership:
- For GitHub or GitLab users, you can connect your Semgrep org to the orgs in your source code manager (SCM). This means that any member of an org in your SCM can sign in to your Semgrep deployment.
- You can also use SSO to manage user authentication.
4
Adding Semgrep into your CI workflows.
This step ensures that your Semgrep deployment is up and running and that you receive findings of security issues in Semgrep AppSec Platform.
5
Enabling Semgrep to post PR or MR comments.

- Role management
- Tagging projects