Documentation Index
Fetch the complete documentation index at: https://docs.semgrep.dev/llms.txt
Use this file to discover all available pages before exploring further.
INFOA project is any codebase, repository, or folder within a monorepo that is added to Semgrep for scanning. This includes all the findings, history, and scan metadata for the project.
What are Semgrep Managed Scans?
Semgrep Managed Scans allow you to run Semgrep scans without needing to set up and maintain your own infrastructure. It provides a simple, scalable way to scan your code for security vulnerabilities, code quality issues, and other problems without setting up and maintaining separate configurations for each project.
Supported source code managers
You must be an existing Semgrep AppSec Platform user with one of the following plans:
- Bitbucket Cloud Premium plans or Bitbucket Data Center (v8.8 or above for diff-aware scans)
- Hosted GitHub (GitHub.com) and GitHub Enterprise Server plans
- GitLab Cloud and GitLab self-managed plans and a Premium or Ultimate subscription
- Azure DevOps Cloud repositories
Add projects to Semgrep Managed Scans
Azure DevOps
Bitbucket
GitHub
GitLab
Prerequisites
You must have admin access to your Azure DevOps organization.Read access is granted through an access token you generate on Azure DevOps. You can provide this token by adding Azure DevOps as a source code manager.Semgrep recommends setting up and configuring Semgrep with an Azure DevOps service account, not a personal account. Regardless of whether you use a personal or service account, the account must be assigned the Owner or Project Collection Administrator role for the organization. During setup and configuration, you must provide a personal access token generated by this account. This token must be authorized with Full access. Once you have Semgrep Managed Scans fully configured, you can update the token provided to Semgrep to a more restrictive one. The scopes you must assign to the token include:
Code: ReadCode: StatusMember Entitlement Management: ReadProject and Team: Read & writePull Request Threads: Read & write
Add a project
Navigate to Projects, and click Scan new project > Semgrep Managed Scan.
In the Enable Managed Scans for repos page, select the repositories you want to add to Semgrep Managed Scans.
Click Enable Managed Scans. The Enable Managed Scans dialog appears. By default, Semgrep runs both full and diff-aware scans.
Click Enable. You are taken to the Projects page as your scans begin.
Prerequisites
You must have admin access to your Bitbucket organization.Bitbucket Cloud
- Read access is granted through a workspace access token you generate on Bitbucket. You can provide this token by adding Bitbucket as a source code manager.
- The user generating the workspace token must be a Product Admin for the workspace. The scopes you must assign to the token include:
webhook (read and write)repository (read and write)pullrequest (read and write)project (admin)account (read)
Bitbucket Data Center
- V8.8 or above for diff-aware scans. Additionally, project-level webhooks are required to support diff-aware scans.
- Read access is granted through an HTTP access token you generate on Bitbucket. You can provide this token by adding Bitbucket as a source code manager.
- The user generating the workspace token must be a Product Admin for the workspace. The token must be created with
PROJECT_ADMIN permissions.
Add a project
Navigate to Projects, and click Scan new project > Semgrep Managed Scan.
In the Enable Managed Scans for repos page, select the repositories you want to add to Semgrep Managed Scans.
Click Enable Managed Scans. The Enable Managed Scans dialog appears. By default, Semgrep runs both full and diff-aware scans.
Click Enable. You are taken to the Projects page as your scans begin.
Prerequisites
You must have admin access to your GitHub organization.To enable and use this feature, you must grant Semgrep Read access to your code. This is done by installing a private GitHub app that you create and register yourself. The steps to do so are provided in the subsequent section of this document. See Managed Scans > Security for more information on how Semgrep handles your code once you’ve provided read access.Add a project
Provide the Organization display name you’d like to use, then click Create new organization.
When asked Where do you want to scan? click GitHub.
Follow the steps in the Connect GitHub to Semgrep page. These steps install a public GitHub app to handle PR comments and a private GitHub app to handle code access. You can select which repositories these apps have access to, and remove or revoke their permissions at any time.
Click Set up projects. You are taken to the Enable Managed Scans for repos page.
Select all the repositories you want to add to Semgrep Managed Scans for scanning.
Click Enable Managed Scans. You are taken to the Projects page as your scans begin.
Prerequisites
Semgrep Managed Scanning (SMS) requires one of the following plans:
- GitLab Premium
- GitLab Ultimate
- GitLab Self Managed
You must provide a GitLab group access token or personal access token to Semgrep. The token must have the api scope assigned to it.During SMS onboarding, the group or user to which the token is assigned must have one of the following roles:This is because managed scans of GitLab repositories require the enablement of webhooks to facilitate diff-aware scans and the creation of pull request comments by Semgrep. The webhooks are enabled by default when you set up Managed Scans and add GitLab as a source code manager. Once onboarding is complete, you can downgrade the role assigned to the token to Developer.Add a project
Navigate to Semgrep AppSec Platform, and sign up by clicking on Sign in with GitLab. Follow the on-screen prompts to proceed. When prompted, click Scan new project > Semgrep Managed Scan.
In the Enable Managed Scans for repos page, select the repositories you want to add to Semgrep Managed Scans.
Click Enable Managed Scans. The Enable Managed Scans dialog appears. By default, Semgrep runs both full and diff-aware scans.
Click Enable. You are taken to the Projects page as your scans begin.
managed-scan, regardless of whether they are actively being scanned by Semgrep Managed Scans.
Next steps
Once a scan has finished, you can view your findings on the following Semgrep AppSec Platform pages:
See Semgrep Managed Scans to learn more about how Semgrep manages your scans.
