Use this page as the canonical reference for Source code manager (SCM) permissions. It lists what each feature requires and where to configure access.
Before you configure: Confirm organizational readiness using the Pre-deployment checklist, which covers permission details and includes links to setup guides.

Permissions

The following tables list SCM roles and token or app scopes required for each Semgrep feature. Unless noted otherwise, pull request (PR) or merge request (MR) refers to a proposed set of code changes in your SCM. See Configure for setup guides.
Feature: PR comments
  Role:
    • Owner
    • Project Collection Administrator
    Required for triage through PR comments.
  Scopes:
    • Full access during setup/triage-webhook enablement
    • After configuration:
      • Project and Team: Read & write
      • Pull Request Threads: Read & write
  Configure: Azure PR comments

Feature: Managed Scans
  Role:
    • Owner
    • Project Collection Administrator
  Scopes:
    • Full access on the PAT during setup
    • Code: Read
    • Code: Status
    • Member Entitlement Management: Read
    • Project and Team: Read & write
    • Pull Request Threads: Read & write
  Configure: Azure Managed Scans

Feature: Code access
  Role: User who can update the SCM connection token
  Scopes (connection PAT):
    • Code: Read
    • Code: Write
  Configure: Grant code access

Feature: Autofix
  Role:
    • Owner
    • Project Collection Administrator
  Scopes (connection PAT):
    • Code: Read
    • Code: Write
    • Project and Team: Read & write
    • Pull Request Threads: Read & write
  Configure: Autofix

GitHub App permissions

Semgrep AppSec Platform requests different GitHub App permissions depending on when you grant access.

Permissions when signing in with GitHub

Semgrep AppSec Platform requests the following standard permissions set by GitHub when you first sign in. However, not all permissions are used by Semgrep AppSec Platform.
Verify your GitHub identity
Enables Semgrep AppSec Platform to read your GitHub profile data, such as your username.
Know which resources you can access
Semgrep does not use or access any resources when first logging in. However, you can choose to share resources at a later point to add repositories into Semgrep AppSec Platform.
Act on your behalf
Enables Semgrep AppSec Platform to perform certain tasks only on resources that you choose to share with Semgrep AppSec Platform. Semgrep AppSec Platform never uses this permission and never performs any actions on your behalf, even after you have installed semgrep-app. For more information, see What does ‘Act on your behalf’ mean? and GitHub Apps acting on your behalf in GitHub documentation.

Permissions when adding members or repositories

The public GitHub integration app is called semgrep-app. This app integrates Semgrep into user-selected GitHub repositories.
Reading metadata of the repositories you select
Enables Semgrep AppSec Platform to list repository names on the project setup page.
Reading the list of organization members
Enables Semgrep AppSec Platform to determine who can manage your Semgrep organization based on your GitHub organization’s members list.
Reading and writing pull requests
Enables Semgrep AppSec Platform to comment about findings on PRs. Read permissions allow Semgrep AppSec Platform to automatically remove findings when the PR that introduced them is closed without merging.
Reading and writing actions
Enables Semgrep AppSec Platform to cancel stuck jobs, rerun jobs, pull logs from jobs, and perform on-demand scanning.
Reading GitHub Checks
Facilitates debugging of Semgrep AppSec Platform when configured out of GitHub Actions.
Reading and writing security events
Enables integration with GitHub Advanced Security (for example, to show Semgrep results).
Reading and writing secrets
Enables the automatic adding of the Semgrep AppSec Platform Token to your repository secrets when onboarding projects. Note: Semgrep cannot read the values of your existing or future secrets (only the names).
Reading and writing 2 files
Enables Semgrep AppSec Platform to configure itself to run in CI by writing to .github/workflows/semgrep.yml and .semgrepignore files.
Reading and writing workflows
Enables Semgrep AppSec Platform to configure itself to run in CI by writing to .github/workflows/semgrep.yml. GitHub allows writing to files within .github/workflows/ directory only if this permission is granted along with “Writing a single file.”

Permissions for Managed Scans and AI features

You can create a private GitHub app, which follows the naming convention Semgrep Code - YOUR_ORG_NAME. This private app is used for:
Reading metadata of the repositories you select
Lets Semgrep list their names on the project setup page.
Reading the list of organization members
Lets Semgrep determine who can manage your Semgrep organization based on your GitHub organization’s members list.
Writing (and reading) pull requests
Lets Semgrep comment about findings on PRs.
Writing (and reading) actions
Allows Semgrep AppSec Platform to cancel stuck jobs, rerun jobs, pull logs from jobs, and perform on-demand scanning.
Reading checks
Facilitates debugging of Semgrep AppSec Platform when configured out of GitHub Actions.
Writing (and reading) security events
Enables integration with GitHub Advanced Security (for example, to show Semgrep results).
Writing (and reading) secrets
Enables automatic adding of the Semgrep AppSec Platform Token to your repository secrets when onboarding projects. Note: Semgrep cannot read the values of your existing or future secrets (only the names).
Writing (and reading) 2 files
Lets Semgrep configure itself to run in CI by writing to .github/workflows/semgrep.yml and .semgrepignore.
Writing (and reading) workflows
Lets Semgrep configure itself to run in CI by writing to .github/workflows/semgrep.yml. GitHub allows writing to files within .github/workflows/ only if this permission is granted along with “Writing a single file.”
Read source code of the repositories you select
Allows Semgrep Multimodal to fetch source code files on-demand to construct AI prompts.

Autofix permissions

Semgrep Code Autofix creates a branch with AI-generated changes and opens a draft PR or MR. Autofix requires Semgrep Multimodal, code read and write access on your SCM connection, and permission to create PRs or MRs. For SCM and plan availability, see Supported source code managers. For roles, scopes, and setup links, see the Autofix row for each provider in the Permissions table.

GitHub App permissions and API usage

Autofix uses your private Semgrep GitHub App with the permissions below. Use this section for security reviews, such as determining which GitHub operations require Contents: Read and write. See Grant code access to configure Contents: Read and write under Repository permissions > Contents on the private app.

Repository permissions

Each GitHub App permission, and why Autofix needs it:

Contents: Read
Clone the repository using git+https (shallow, single-branch) so Semgrep can analyze the code and generate a fix.
Contents: Write
Push the Autofix branch back to the repository using git+https.
Metadata: Read
Read repository metadata, including the default branch, using GET /repos/{owner}/{repo}.
Pull requests: Write
Open a draft PR using POST /repos/{owner}/{repo}/pulls.

How repository contents are accessed

Semgrep does not read or write file contents through the API’s contents endpoints (GET or PUT /repos/{owner}/{repo}/contents/{path}). Autofix reads and writes code only through the Git transport layer (clone and push), which still requires the GitHub Contents permissions above.
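For the security review this section describes, a reviewer usually wants to compare what the private app installation was actually granted against the Repository permissions table above and flag anything missing or beyond least privilege. The script below is an added example written for this page; it is not Semgrep's code. It assumes the shape of the `permissions` object that GitHub's `GET /app/installations` endpoint returns (permission name to `read`/`write`/`admin`), and the sample installation records are constructed here rather than taken from any real installation.

```python
"""Audit a GitHub App installation's repository permissions against what Autofix needs.

REQUIRED_AUTOFIX is taken from the Repository permissions table on this page.
The sample installation records below are constructed to look like the
``permissions`` object in GitHub's ``GET /app/installations`` response; they are
not real installations.
"""

# Permission levels GitHub uses, ordered so a higher level satisfies a lower one.
LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Minimum level Autofix needs per repository permission (from the table above).
# "write" on contents covers both the clone (read) and the push (write) over git+https.
REQUIRED_AUTOFIX = {
    "contents": "write",       # git clone (read) and git push of the fix branch (write)
    "metadata": "read",        # GET /repos/{owner}/{repo} for the default branch
    "pull_requests": "write",  # POST /repos/{owner}/{repo}/pulls to open the draft PR
}


def audit_permissions(granted, required):
    """Compare granted permissions with the required set.

    Returns a dict with three sorted lists:
      missing  - required permissions that are absent or below the required level
      excess   - granted permissions the feature does not need at all
      elevated - required permissions granted above the level the feature needs
    """
    missing, excess, elevated = [], [], []
    for perm, need in required.items():
        have = granted.get(perm, "none")
        if LEVELS.get(have, 0) < LEVELS[need]:
            missing.append(f"{perm}: have {have}, need {need}")
        elif LEVELS.get(have, 0) > LEVELS[need]:
            elevated.append(f"{perm}: have {have}, need {need}")
    for perm, have in granted.items():
        if perm not in required:
            excess.append(f"{perm}: {have}")
    return {"missing": sorted(missing), "excess": sorted(excess), "elevated": sorted(elevated)}


def is_least_privilege(granted, required=REQUIRED_AUTOFIX):
    """True only when the grant matches the required set exactly: nothing missing, nothing extra."""
    result = audit_permissions(granted, required)
    return not (result["missing"] or result["excess"] or result["elevated"])


# Constructed sample installations (only the ``permissions`` field is modelled).
SAMPLE_INSTALLATIONS = {
    # exactly the table: passes
    "exact": {"contents": "write", "metadata": "read", "pull_requests": "write"},
    # can clone but cannot push the fix branch: Autofix would fail at push time
    "missing_push": {"contents": "read", "metadata": "read", "pull_requests": "write"},
    # works, but carries permissions Autofix never uses: flag in review
    "over_granted": {
        "contents": "write", "metadata": "read", "pull_requests": "write",
        "secrets": "write", "administration": "write",
    },
}

if __name__ == "__main__":
    for name, perms in SAMPLE_INSTALLATIONS.items():
        print(f"{name}: {audit_permissions(perms, REQUIRED_AUTOFIX)}")
```

To audit a real installation, replace a sample record with the `permissions` object from the API response for your private `Semgrep Code - YOUR_ORG_NAME` app; anything reported under `excess` or `elevated` is a candidate for removal, and anything under `missing` explains a failed clone, push, or PR creation.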