Documentation Index
Fetch the complete documentation index at: https://docs.semgrep.dev/llms.txt
Use this file to discover all available pages before exploring further.
Prerequisites
You must have an existing Semgrep org account. See Sign in to Semgrep.Ignore findings in bulk
Sign in to Semgrep AppSec Platform.
Click Code for SAST findings, Secrets for secrets findings, or Supply Chain for SCA findings. You are taken to a page with all the findings for that product.
Click on Projects and branches, then click the drop-down arrow to view open branches, which is listed by its unique ID. For example, GitHub branches are represented by their PR number.
Appendix: triage statuses
Click to view all triage statuses.
Click to view all triage statuses.
| Status | Description |
|---|---|
| Open | Findings are open by default. A finding is open if it was present the last time Semgrep scanned the code and has not been ignored. An open finding represents a match between the code and a rule enabled in the repository. Open findings require action, such as rewriting the code to eliminate the detected vulnerability. |
| Reviewing | Indicates that the finding requires investigation to determine what the next steps in the triage process should be. |
| Provisionally ignored | Findings that Semgrep Multimodal has flagged as false positives. You can change the status to Ignored if you agree with Multimodal’s assement. Otherwise, you can change the status to To fix if you disagree. |
| To fix | Findings that you have decided to fix. Commonly used to indicate that these findings are tracked in Jira or assigned to developers for further work. |
| Fixed | Fixed findings were detected in a previous scan but are no longer detected in the most recent scan of that same branch due to changes in the code. |
| Ignored | Findings marked as ignored are present in the code but have been labeled unimportant. Ignore false positives or deprioritized issues. Mark findings as ignored through Semgrep AppSec Platform or by adding a nosemgrep code comment. You can also provide a reason for ignoring a finding: False positive, Acceptable risk, No time to fix. |
| Closed | Vulnerabilities that are no longer detected after a scan. This can be due to changes in the underlying rule or the code. |
Removed findings
Findings can also be removed. Semgrep considers a finding removed if it is not found in the most recent scan of the branch where Semgrep initially detected it due to any of the following conditions:- The rule that detected the finding isn’t enabled in the policy anymore.
- The rule that detected the finding was updated in a way that it no longer detects the finding.
- The file path where the finding appeared is no longer found. The file path was deleted, renamed, added to a
.semgrepignorefile, added to a.gitignorefile, or added to the list of ignored paths in Semgrep AppSec Platform. - For GitHub organization accounts: the pull request or merge request where the finding was detected has been closed without merging.
Triage behavior across refs and branches
- When you triage a finding as ignored, reviewing, fixing, or reopened, Semgrep always triages across other branches and Git references (refs).
- At scan time, there’s automatic triaging that occurs in specific cases, and the behavior changes depending on the type of scan:
- Full scans: if the current branch includes a finding that was
- Previously introduced in another branch and
- Triaged to a specific state
Then the finding in the current branch is triaged to that same state.
- Diff-aware scan: findings introduced in a diff-aware scan are not automatically triaged at scan time, even if there are other instances of that finding on branches that have been triaged.
- Full scans: if the current branch includes a finding that was