Prerequisites and permissions
Semgrep Managed Scans require one of the following plans:
- Bitbucket Cloud Premium
- Bitbucket Data Center (v8.8 or above for diff-aware scans)
Bitbucket Cloud
You must provide a Bitbucket workspace access token to Semgrep, which can be created by a user with the Product Admin role. Once you have Semgrep Managed Scans fully configured, you can update the token provided to Semgrep to one that’s more restrictive. The scopes you must assign to the token include:
- webhook (read and write)
- repository (read and write)
- pullrequest (read and write)
- project (admin)
- account (read)
Bitbucket Data Center
You must provide a Bitbucket HTTP access token to Semgrep, which can be created by a user with the Project Admin role. This access token must be created with PROJECT_ADMIN permissions.
Project-level webhooks are required to support diff-aware scans.
Enable Semgrep Managed Scans and scan your first repository
In the Set up Managed Scans page that appears, provide the information needed by Semgrep to connect to your Bitbucket project:
i. Select Bitbucket or Bitbucket Data Center.
ii. Provide your Access token.
iii. Provide the name of your Bitbucket workspace.
iv. For Bitbucket Data Center users only: provide the Bitbucket Data Center URL.
v. Click Connect.
- After enabling Managed Scans, Semgrep performs a full scan in batches on all the repositories in the workspace.
- Once a repository has been added to Semgrep AppSec Platform, it becomes a project. A project in Semgrep AppSec Platform includes all the findings, history, and scan metadata of that repository.
- Projects with a Managed Scan configuration are tagged with managed-scan, regardless of whether the project is actively being scanned by Semgrep Managed Scans or not. The Projects list also contains pending scans and scans that never started.
Add additional Bitbucket projects
You can enable Managed Scans for additional repositories after onboarding using the following steps:
In the Enable Managed Scans for repos page, select the repositories you want to add to Semgrep Managed Scans.
i. Optional: If you don’t see the repository you want to add, click Can’t find your project? and follow the troubleshooting steps provided.
Click Enable Managed Scans. The Enable Managed Scans dialog appears. By default, Semgrep runs both full and diff-aware scans.
If the page doesn’t display any repositories
Ensure that you’ve connected your Bitbucket account by following the steps in Connect a source code manager, and confirm the workspace access token was created with the required scopes listed above by a user with the Product Admin role.
If the page doesn’t display the repository you want to add, click Can’t find your project? > Sync projects.
Convert or migrate an existing Semgrep CI job
You can immediately add any existing project to Managed Scans. Follow the steps in Enable Semgrep Managed Scans.
Scan management and configuration
Manually run a full scan
You can manually run a full scan for both primary and non-primary branches.
Re-run a failed scan or a scan that never finished
Find the scan that failed or never finished using the Status column, and click Details to open the Scan logs dialog.
Disable diff-aware scans on PRs
Delete a project
To delete an archived project:
Configure fail open to prevent diff-aware scans from blocking pull requests and merge requests
By default, diff-aware managed scans are set to fail open if a scan errors out or takes too long. This means that diff-aware scans are marked as successful on the pull request (PR) or merge request (MR), even if they haven’t completed after the specified timeout, allowing you to make the Semgrep status check required in your source code manager (SCM) while not blocking someone from merging a PR or MR if the check encounters an unexpected issue or takes too long.
How fail open works
If Semgrep marks a PR or MR as succeeded, you can merge the PR or MR without waiting for the diff-aware scan to complete. However, if the PR or MR is still open and the scan completes after the fail open timeout is reached, Semgrep can still report the findings and mark the status as failed.
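The status transitions described above, modelled as an added illustrative example (not Semgrep's own code): the check is marked successful once the timeout passes or the scan errors, but a scan that later completes with findings still flips the status to failed. The timeout value and the behaviour with fail open disabled are assumptions.

```python
from dataclasses import dataclass
from enum import Enum

# Illustrative model of the fail-open behaviour; not Semgrep's implementation.
# Assumption: the page does not state the default timeout, so 30 minutes is used here.
DEFAULT_TIMEOUT_S = 30 * 60


class ScanState(Enum):
    RUNNING = "running"      # diff-aware scan still in progress
    COMPLETED = "completed"  # scan finished and reported its findings
    ERRORED = "errored"      # scan hit an unexpected error


@dataclass(frozen=True)
class ScanEvent:
    state: ScanState
    elapsed_s: int              # seconds since the diff-aware scan started
    blocking_findings: int = 0  # findings that fail the check; only meaningful when COMPLETED


def pr_check_status(event: ScanEvent, fail_open: bool = True,
                    timeout_s: int = DEFAULT_TIMEOUT_S) -> str:
    """Status reported on the PR/MR check: 'pending', 'success' or 'failed'."""
    if event.state is ScanState.COMPLETED:
        # A finished scan always reports its real result, even after the timeout passed.
        return "failed" if event.blocking_findings else "success"
    if event.state is ScanState.ERRORED or event.elapsed_s >= timeout_s:
        # Fail open: an errored or overdue scan does not block the merge.
        # Assumption: with fail open disabled, the same situations fail the check.
        return "success" if fail_open else "failed"
    return "pending"


def check_timeline(events, fail_open=True, timeout_s=DEFAULT_TIMEOUT_S):
    """Statuses reported over a scan's lifetime, making the late-completion case visible."""
    return [pr_check_status(e, fail_open, timeout_s) for e in events]


# Constructed sample timeline: the scan runs past the timeout while the PR stays open,
# then completes with two blocking findings.
SLOW_SCAN = [
    ScanEvent(ScanState.RUNNING, 60),
    ScanEvent(ScanState.RUNNING, DEFAULT_TIMEOUT_S),
    ScanEvent(ScanState.COMPLETED, DEFAULT_TIMEOUT_S + 300, blocking_findings=2),
]

if __name__ == "__main__":
    print(check_timeline(SLOW_SCAN))                   # ['pending', 'success', 'failed']
    print(check_timeline(SLOW_SCAN, fail_open=False))  # ['pending', 'failed', 'failed']
```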
Configure fail open
By default, fail open is enabled. However, you can disable this feature and adjust the timeout value:
Sign in to Semgrep AppSec Platform.
Disable webhooks
Performing diff-aware Managed Scans of Bitbucket projects requires webhooks to be enabled. Webhooks are enabled by default when you add Bitbucket as a source code manager when setting up Semgrep Managed Scans. You can disable webhooks at any time by following these steps:
In Semgrep AppSec Platform, go to Settings > Source code managers.
Revoke Semgrep’s access to your repositories
The following steps revoke the code access you previously granted Semgrep for all repositories you selected.
Turn off Managed Scans for specific repositories in Semgrep AppSec Platform
Go to Projects and find the project you no longer want scanned with Semgrep Managed Scanning. Click the project’s Details page > Settings tab.
Appendices
Scan logs
To view your scan logs in Semgrep AppSec Platform, go to Projects, then click on the project name. The projects in the list are sorted by scan date, with the most recent scans listed first.
INFO: It can take a few minutes for your latest scan logs to appear. However, if the logs do not update 15 minutes after the scan, there may be issues with the scan itself.

