If your organization uses a self-hosted source code manager (SCM), IP allowlisting, or other network restrictions, confirm that Semgrep can connect to the systems it needs before you deploy.
Before you configure: Use the Pre-deployment checklist to confirm whether network configuration applies to your deployment.

When to configure allowlists

You might need to update ingress or egress allowlists if any of the following apply:
  • Your SCM offers security features that limit access to your resources.
  • Your SCM is behind a firewall or protected by network restrictions.
  • You use a virtual private network (VPN).
  • You host your SCM on-premise or in a private network.

Ingress and egress allowlists

Semgrep deployments might require both ingress and egress allowlist updates:
  • Ingress allowlists control traffic from Semgrep into your infrastructure.
  • Egress allowlists control traffic from your infrastructure to Semgrep.
Depending on your network, you might need to configure one or both.

IP addresses

If you are behind a firewall, are using a virtual private network (VPN), or have network restrictions regarding access, you might need to add the following IP addresses to the ingress allowlist and egress allowlist:
# Ingress IP addresses (from Semgrep to your infrastructure)
# and egress IP addresses (from your infrastructure to Semgrep)
35.166.231.235
52.35.248.246
52.34.137.110
44.225.64.41
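
One way to confirm that an existing allowlist covers these four addresses is sketched below. This is an added example, not Semgrep's own tooling; the function name `audit_allowlist`, the one-entry-per-line input format, the constructed sample allowlist, and the `/24` threshold for flagging overly wide entries are all assumptions.

```python
import ipaddress

# The four addresses this page lists for both ingress and egress.
SEMGREP_IPS = ["35.166.231.235", "52.35.248.246", "52.34.137.110", "44.225.64.41"]

# Constructed sample allowlist (not a real firewall export): one IP or CIDR
# per line, with optional "#" comments.
SAMPLE_ALLOWLIST = """
# constructed sample
35.166.231.235/32
52.35.248.246
52.34.0.0/16      # covers 52.34.137.110 but is far wider than needed
10.0.0.0/8        # internal range, unrelated to Semgrep
44.225.64.14      # transposed digits: 44.225.64.41 is NOT covered
not-an-ip
""".splitlines()


def audit_allowlist(entries, required=SEMGREP_IPS, min_prefix=24):
    """Return (missing, broad, invalid) for an allowlist.

    missing: required addresses that no entry covers
    broad:   entries that cover a required address with a prefix shorter
             than min_prefix (assumed threshold; tune to your policy)
    invalid: entries that do not parse as an IP address or CIDR block
    """
    networks, invalid = [], []
    for raw in entries:
        text = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not text:
            continue
        try:
            # strict=False accepts entries with host bits set, e.g. 1.2.3.4/24
            networks.append(ipaddress.ip_network(text, strict=False))
        except ValueError:
            invalid.append(text)

    missing, broad = [], set()
    for ip in map(ipaddress.ip_address, required):
        covering = [n for n in networks if n.version == ip.version and ip in n]
        if not covering:
            missing.append(str(ip))
        broad.update(str(n) for n in covering if n.prefixlen < min_prefix)
    return missing, sorted(broad), invalid


if __name__ == "__main__":
    missing, broad, invalid = audit_allowlist(SAMPLE_ALLOWLIST)
    print("missing:", missing)
    print("overly broad:", broad)
    print("unparseable:", invalid)
```

Run the check against both the ingress and the egress allowlist, since this page lists the same four addresses for each direction.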

CloudFront egress IP addresses

You must add CloudFront IP addresses to your egress allowlist. Refer to Locations and IP address ranges of CloudFront edge servers for a list of IP addresses.

Semgrep Network Broker

The Semgrep Network Broker facilitates secure access between Semgrep and your private network. Its use can replace allowlisting the IP addresses required for ingress traffic from Semgrep. The Network Broker, however, only facilitates requests from Semgrep to your network. It does not assist with requests originating from your network to Semgrep, including egress traffic from your infrastructure to Semgrep. In other words, the only address you would have to allow inbound is wireguard.semgrep.dev on UDP port 51820, or your tenant’s equivalent. Depending on how restrictive your network is, you might also need to modify your egress allowlist to include the IP addresses listed in IP addresses. For setup instructions, see Set up the Semgrep Network Broker.

Features that require inbound network connectivity

The following Semgrep features require Semgrep to reach resources in your network:
Feature | Guide
On-premise SCM connections | Connect to on-premise orgs and projects
PR and MR comments | PR or MR comments
Semgrep Managed Scans | Managed Scans overview
Semgrep Multimodal | Semgrep Multimodal getting started