Types of access tokens
Semgrep uses the following types of access tokens:

- API tokens
- CLI tokens
- Service tokens
API tokens
API tokens can be created by admins and are used for calls to the Semgrep API and to set up third-party integrations. For auditing purposes, API tokens are associated with the user who created them. However, they remain valid until manually revoked, even if the creator is no longer associated with the deployment.
CLI tokens
CLI tokens authenticate users who run scans or publish rules from the Semgrep CLI. Both members and admins of a deployment can create CLI tokens. The CLI token allows users to run scans on their local machine using the semgrep ci command. This sends findings data to Semgrep AppSec Platform. It also allows users to publish rules using semgrep publish.
For auditing purposes, Semgrep records the user who generated the CLI token, but the user’s actions are attributed to the token rather than the user.
Logging out of the Semgrep CLI with semgrep logout removes the local token, but it does not invalidate it.
Service tokens
Service tokens are functionally the same as API tokens, but instead of being manually generated by a user, they are automatically generated during repository onboarding for CI/CD scans or when repositories are added to Semgrep AppSec Platform. These tokens authenticate agents running automated scans. The default scope for these tokens is Agent/CI, but admins can edit a token and grant it the API scope as well.
Token scopes
The following table displays the scopes assigned to each token:

| Token | Send findings from a remote repository | Send findings from a local repository | Connect to Semgrep API |
|---|---|---|---|
| API | ❌ No | ❌ No | ✔️ Yes |
| CLI | ❌ No | ✔️ Yes | ❌ No |
| Service (CI) | ✔️ Yes | ✔️ Yes | ❌ No |

The following table describes how each token is used:

| Token | Use |
|---|---|
| API | Used to access Semgrep’s API |
| CLI | Auto-generated by Semgrep when a user logs in through the Semgrep CLI. Use this token to scan your code locally using your organization’s configured policies, including private rules. |
| Service (CI) | Generated by Semgrep when onboarding (adding) a repository to Semgrep AppSec Platform. |
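
The lifetime and scope rules above lend themselves to a periodic review of the token list. The following is an added example, not Semgrep code: it assumes the tokens shown under Settings > Tokens have been transcribed into records with a hypothetical layout, alongside a set of current deployment members, and it flags the cases this page calls out.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Token:                      # hypothetical record layout, not a Semgrep export format
    name: str
    kind: str                     # "api", "cli" or "service"
    created_by: Optional[str]     # None for auto-generated service tokens
    scopes: frozenset             # scope names as used on this page: "API", "Agent/CI"

def review(tokens, current_members):
    """Return (token name, reason) pairs that need a revoke-or-keep decision."""
    findings = []
    for t in tokens:
        # API and CLI tokens stay valid until revoked in the platform: the creator
        # leaving, or running `semgrep logout`, does not invalidate them.
        if t.kind in ("api", "cli") and t.created_by not in current_members:
            findings.append((t.name, f"{t.kind} token outlived creator {t.created_by}"))
        # Service tokens default to Agent/CI; API scope is an explicit admin grant.
        if t.kind == "service" and "API" in t.scopes:
            findings.append((t.name, "service token also holds API scope"))
    return findings

# Constructed sample data: names, addresses and membership are invented.
MEMBERS = {"alice@example.com"}
INVENTORY = [
    Token("reporting-integration", "api", "alice@example.com", frozenset({"API"})),
    Token("ticket-sync", "api", "bob@example.com", frozenset({"API"})),
    Token("bob-laptop", "cli", "bob@example.com", frozenset()),  # page names no CLI scope
    Token("ci-payments-repo", "service", None, frozenset({"Agent/CI"})),
    Token("ci-platform-repo", "service", None, frozenset({"Agent/CI", "API"})),
]

if __name__ == "__main__":
    for name, reason in review(INVENTORY, MEMBERS):
        print(f"{name}: {reason}")
```
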
View and manage tokens
You can view a list of tokens for your deployment in Semgrep AppSec Platform under Settings > Tokens. Each token type has its own page that lists all existing tokens of that type. Use the search bar to help find a specific token. For API tokens, you can use the drop-down menu to view only those tokens associated with specific roles, such as Admin or Member. For Service tokens, you can use the drop-down menu to view tokens for specific services, such as Semgrep Managed Scans, Autofix, or AI Scan.
Create an API token
Sign in to Semgrep AppSec Platform.
Copy the Secrets name and the Secrets value, and save these values. The Secrets value is your token and is only shown at this time.
Optional: change the Name of the token. This is the value used in the list of tokens associated with your Semgrep deployment.
Create a CLI token
Once you’ve set up the Semgrep CLI, create a CLI token by running the following command:
Edit a token
Sign in to Semgrep AppSec Platform.
Go to one of the following pages based on the type of token you’re interested in: API tokens, CLI tokens, or Semgrep service tokens.
Revoke a token
Sign in to Semgrep AppSec Platform.
Go to one of the following pages based on the type of token you’re interested in: API tokens, CLI tokens, or Semgrep service tokens.