# Semgrep ## Docs - [Authentication](https://docs.semgrep.dev/api-reference/Authentication.md) - [Deployment](https://docs.semgrep.dev/api-reference/DeploymentsService.md): Deployments encapsulate your organization's security organization, with multiple projects, policies, and integrations. As the root object of the organization, they're similarly the root object of the API. - [Code, Supply Chain, and AI-Powered Scan](https://docs.semgrep.dev/api-reference/FindingsService.md): Manage and retrieve code, supply chain, and AI-powered scan findings from Semgrep scans - [Introduction](https://docs.semgrep.dev/api-reference/Introduction.md): Welcome to Semgrep's portal for the Semgrep AppSec Platform web API. - [Other](https://docs.semgrep.dev/api-reference/MiscService.md): Utility endpoints. - [Policies](https://docs.semgrep.dev/api-reference/PoliciesService.md): View and manage the Policies of your organization. - [Scans](https://docs.semgrep.dev/api-reference/ScansService.md): View details of scans associated with projects in your organization. - [Secrets](https://docs.semgrep.dev/api-reference/SecretsService.md): View and manage the Secrets of your organization. - [Supply Chain](https://docs.semgrep.dev/api-reference/SupplyChainService.md): Manage the Supply Chain findings and dependencies of your organization. - [Terms of Use](https://docs.semgrep.dev/api-reference/Terms-of-Use.md) - [Ticketing](https://docs.semgrep.dev/api-reference/TicketingService.md): Create and manage external tickets - [Triage](https://docs.semgrep.dev/api-reference/TriageService.md): View and manage the triage of your organization. - [List deployments](https://docs.semgrep.dev/api-reference/deploymentsservice/list-deployments.md): Request the deployments your auth can access. 
- [List code, supply chain, or AI-powered scan findings](https://docs.semgrep.dev/api-reference/findingsservice/list-code-or-supply-chain-findings.md): Request the list of code or supply chain findings in an organization, paginated in pages of 100 entries and limited by the `since` timestamp. Findings are returned by `relevant_since` descending (see `since` in the Query Parameters list). Examples: List SAST findings with pagination, List SCA findin… - [[Beta] Get SMS VPC Bootstrap CloudFormation Template](https://docs.semgrep.dev/api-reference/miscservice/[beta]-get-sms-vpc-bootstrap-cloudformation-template.md): VPC support for Managed Scans is in private beta. - [Ping](https://docs.semgrep.dev/api-reference/miscservice/ping.md): Use to ping the server and assert liveness. - [List policies](https://docs.semgrep.dev/api-reference/policiesservice/list-policies.md) - [List policy rules](https://docs.semgrep.dev/api-reference/policiesservice/list-policy-rules.md) - [Update policy](https://docs.semgrep.dev/api-reference/policiesservice/update-policy.md) - [Add tags to project](https://docs.semgrep.dev/api-reference/projectsservice/add-tags-to-project.md): Add tags to a project for a deployment you have access to. - [Delete project](https://docs.semgrep.dev/api-reference/projectsservice/delete-project.md): Delete a project for a deployment you have access to. This will also delete all of the associated findings. - [Get project details](https://docs.semgrep.dev/api-reference/projectsservice/get-project-details.md): Retrieve details for a single project associated with a deployment that you have access to. - [List all projects](https://docs.semgrep.dev/api-reference/projectsservice/list-all-projects.md): Request the list of projects that have been scanned or onboarded to Managed Scans. Does not return archived repositories. Returns 100 projects per page by default. 
- [Remove tags from project](https://docs.semgrep.dev/api-reference/projectsservice/remove-tags-from-project.md): Remove tags from a project for a deployment you have access to. - [Toggle Managed Scans for a project](https://docs.semgrep.dev/api-reference/projectsservice/toggle-managed-scans-for-a-project.md): Enable or disable [Semgrep Managed Scans](/deployment/managed-scanning/overview) for a project. - [Update project details](https://docs.semgrep.dev/api-reference/projectsservice/update-project-details.md): Update attributes for the project using the value passed in to the request body. - [Get scan details](https://docs.semgrep.dev/api-reference/scansservice/get-scan-details.md): Request the details of a scan including the associated deployment, repository, and commit information. - [List scans (beta)](https://docs.semgrep.dev/api-reference/scansservice/list-scans-beta.md): List the scans associated with a particular repository over the past 30 days. - [List secrets](https://docs.semgrep.dev/api-reference/secretsservice/list-secrets.md) - [Create a new SBOM export job](https://docs.semgrep.dev/api-reference/supplychainservice/create-a-new-sbom-export-job.md) - [Get the status of a SBOM export job](https://docs.semgrep.dev/api-reference/supplychainservice/get-the-status-of-a-sbom-export-job.md) - [List dependencies](https://docs.semgrep.dev/api-reference/supplychainservice/list-dependencies.md) - [List lockfiles in a given repository with dependencies](https://docs.semgrep.dev/api-reference/supplychainservice/list-lockfiles-in-a-given-repository-with-dependencies.md) - [List repositories with dependencies](https://docs.semgrep.dev/api-reference/supplychainservice/list-repositories-with-dependencies.md) - [Create Jira tickets](https://docs.semgrep.dev/api-reference/ticketingservice/create-jira-tickets.md): Create Jira tickets for your findings. 
You can create tickets by passing in a list of issue_ids or by passing in filter query parameters to dynamically select findings. If passing in filters, Semgrep will skip already ticketed findings. This endpoint is synchronous, so it may take some time for your… - [Unlink a Jira ticket](https://docs.semgrep.dev/api-reference/ticketingservice/unlink-a-jira-ticket.md): Unlink a Jira ticket by its ID - [Bulk triage](https://docs.semgrep.dev/api-reference/triageservice/bulk-triage.md): Bulk triage your findings. You can select the findings to triage by passing in a list of finding IDs as issue_ids, or by passing in filter query parameters. You must specify the issue_type of the findings you want to bulk triage. One of new_triage_state or new_note is required. If specifying a new_t… - [Bitbucket PR comments](https://docs.semgrep.dev/category/bitbucket-pr-comments.md) - [CI references](https://docs.semgrep.dev/category/ci-references.md) - [CI references](https://docs.semgrep.dev/category/ci-references-1.md) - [Deployment at scale](https://docs.semgrep.dev/category/deployment-at-scale.md) - [Glossaries](https://docs.semgrep.dev/category/glossaries.md) - [Glossaries](https://docs.semgrep.dev/category/glossaries-1.md) - [Go](https://docs.semgrep.dev/category/go.md): Security guides and cheatsheets for the Go programming language and related frameworks. - [Java](https://docs.semgrep.dev/category/java.md): Security guides and cheatsheets for the Java programming language and related frameworks. - [JavaScript](https://docs.semgrep.dev/category/javascript.md): Security guides and cheatsheets for the JavaScript programming language, Node and related frameworks. 
- [Language reference](https://docs.semgrep.dev/category/language-reference.md) - [Language-specific features](https://docs.semgrep.dev/category/language-specific-features.md) - [Local and CLI scans](https://docs.semgrep.dev/category/local-and-cli-scans.md) - [PR or MR comments](https://docs.semgrep.dev/category/pr-or-mr-comments.md) - [Python](https://docs.semgrep.dev/category/python.md): Security guides and cheatsheets for the Python programming language and related frameworks. - [Ruby](https://docs.semgrep.dev/category/ruby.md): Security guides and cheatsheets for the Ruby programming language and related frameworks. - [Scan repositories with the AppSec Platform](https://docs.semgrep.dev/category/scan-repositories-with-the-appsec-platform.md) - [Prevent XSS in Django](https://docs.semgrep.dev/cheat-sheets/django-xss.md) - [Prevent XSS in ExpressJS](https://docs.semgrep.dev/cheat-sheets/express-xss.md) - [Prevent XSS for Flask](https://docs.semgrep.dev/cheat-sheets/flask-xss.md) - [Prevent Command Injection for Go](https://docs.semgrep.dev/cheat-sheets/go-command-injection.md) - [Prevent XSS for Go](https://docs.semgrep.dev/cheat-sheets/go-xss.md) - [Prevent Code Injection for Java](https://docs.semgrep.dev/cheat-sheets/java-code-injection.md) - [Prevent Command Injection for Java](https://docs.semgrep.dev/cheat-sheets/java-command-injection.md) - [Prevent XSS for Java and Java Server Pages (JSP)](https://docs.semgrep.dev/cheat-sheets/java-jsp-xss.md) - [Prevent XML External Entity Vulnerabilities for Java](https://docs.semgrep.dev/cheat-sheets/java-xxe.md) - [Prevent Code Injection in JavaScript](https://docs.semgrep.dev/cheat-sheets/javascript-code-injection.md) - [Prevent Command Injection for JavaScript](https://docs.semgrep.dev/cheat-sheets/javascript-command-injection.md) - [Cheat Sheets](https://docs.semgrep.dev/cheat-sheets/overview.md) - [Prevent Code Injection for Python](https://docs.semgrep.dev/cheat-sheets/python-code-injection.md) - [Prevent Command 
Injection for Python](https://docs.semgrep.dev/cheat-sheets/python-command-injection.md) - [Prevent XSS for Ruby on Rails](https://docs.semgrep.dev/cheat-sheets/rails-xss.md) - [Prevent Code Injection for Ruby](https://docs.semgrep.dev/cheat-sheets/ruby-code-injection.md) - [Prevent Command Injection for Ruby](https://docs.semgrep.dev/cheat-sheets/ruby-command-injection.md) - [CLI reference](https://docs.semgrep.dev/cli-reference.md) - [Compliance](https://docs.semgrep.dev/compliance/compliance-overview.md): Semgrep provides security tooling that can support compliance efforts, but does not guarantee compliance. Organizations remain responsible for meeting all compliance requirements. Consult with your compliance team and auditors to determine how Semgrep fits into your compliance program. - [FedRAMP compliance](https://docs.semgrep.dev/compliance/fedramp.md) - [GDPR compliance](https://docs.semgrep.dev/compliance/gdpr.md) - [HIPAA/HITRUST compliance](https://docs.semgrep.dev/compliance/hipaa-hitrust.md) - [ISO 27017 compliance](https://docs.semgrep.dev/compliance/iso-27017.md) - [ISO 27001 compliance](https://docs.semgrep.dev/compliance/iso27001.md) - [NIST 800-171 compliance](https://docs.semgrep.dev/compliance/nist-800-171.md) - [PCI DSS compliance](https://docs.semgrep.dev/compliance/pci-dss.md) - [SOC 2 compliance](https://docs.semgrep.dev/compliance/soc2.md) - [How to add support for a new language](https://docs.semgrep.dev/contributing/adding-a-language.md) - [Contributing overview](https://docs.semgrep.dev/contributing/contributing.md): Your contributions to Semgrep Community Edition (CE) are welcome! 
- [Contributing code](https://docs.semgrep.dev/contributing/contributing-code.md) - [Contribute rules to the Semgrep Registry](https://docs.semgrep.dev/contributing/contributing-to-semgrep-rules-repository.md) - [semgrep-cli contributing](https://docs.semgrep.dev/contributing/semgrep-contributing.md) - [semgrep-core contributing](https://docs.semgrep.dev/contributing/semgrep-core-contributing.md) - [Semgrep Community Edition (CE) philosophy](https://docs.semgrep.dev/contributing/semgrep-philosophy.md) - [Semgrep Community Edition (CE) philosophy](https://docs.semgrep.dev/contributing/semgrep-philosophy-1.md) - [Troubleshooting](https://docs.semgrep.dev/contributing/troubleshooting.md) - [How to upgrade the grammar for a language](https://docs.semgrep.dev/contributing/updating-a-grammar.md) - [Customize Semgrep Community Edition (CE) scans](https://docs.semgrep.dev/customize-semgrep-ce.md): This article shows you how to customize your local scans with Semgrep Community Edition (CE). Before proceeding with this article, ensure that you are familiar with [scanning a project using Semgrep CE](/getting-started/quickstart-ce). - [Scan with AI-powered detection (beta)](https://docs.semgrep.dev/deployment/add-ai-to-scans.md) - [Add Semgrep to CI](https://docs.semgrep.dev/deployment/add-semgrep-to-ci.md) - [Add Semgrep manually to CI providers](https://docs.semgrep.dev/deployment/add-semgrep-to-other-ci-providers.md) - [Customize a core deployment](https://docs.semgrep.dev/deployment/beyond-core-deployment.md): Now that you've finished your Semgrep core deployment, you can either customize Semgrep's scan behavior or continue to enable additional deployment features. The following sections list common tasks after you've finished your core deployment. 
- [Pre-deployment checklist](https://docs.semgrep.dev/deployment/checklist.md) - [Claim a license](https://docs.semgrep.dev/deployment/claim-a-license.md): Once you've purchased a subscription, you should receive an email from Semgrep with your license information. Follow the instructions provided in the email to claim your license and begin onboarding your Semgrep products. - [Connect a source code manager](https://docs.semgrep.dev/deployment/connect-scm.md) - [Core deployment](https://docs.semgrep.dev/deployment/core-deployment.md): Semgrep can be set up to scan repositories of any size. - [Create a Semgrep account and set up organizations](https://docs.semgrep.dev/deployment/create-account-and-orgs.md) - [Customize your CI job](https://docs.semgrep.dev/deployment/customize-ci-jobs.md) - [Scan local repositories and upload findings](https://docs.semgrep.dev/deployment/local-to-scp-scans.md) - [Manage projects](https://docs.semgrep.dev/deployment/manage-projects.md): View, sort, and tag your projects through the **Projects** page. Refer to this page to manage and troubleshoot thousands of repositories by identifying scan issues or scans with a high number of findings. - [Add an Azure DevOps repository to Semgrep Managed Scans](https://docs.semgrep.dev/deployment/managed-scanning/azure.md) - [Add a Bitbucket repository to Semgrep Managed Scans](https://docs.semgrep.dev/deployment/managed-scanning/bitbucket.md): Add Bitbucket repositories to your Semgrep organization in bulk without adding or changing your existing CI workflows through **Managed Scans**. - [Add a GitHub repository to Semgrep Managed Scans](https://docs.semgrep.dev/deployment/managed-scanning/github.md): Add GitHub repositories to your Semgrep organization in bulk without adding or changing your existing CI workflows through **Managed Scans**. 
- [Add a GitLab repository to Semgrep Managed Scans](https://docs.semgrep.dev/deployment/managed-scanning/gitlab.md): Add GitLab repositories to your Semgrep organization in bulk without adding or changing your existing CI workflows through **Managed Scans**. - [Semgrep Managed Scans](https://docs.semgrep.dev/deployment/managed-scanning/overview.md): Add repositories to your Semgrep organization in bulk without adding or changing your existing CI workflows through **Managed Scans**. Similar to CI workflows, Managed Scans also integrates into developer workflows through pull request (PR) or merge request (MR) comments. - [Semgrep Community Edition in CI](https://docs.semgrep.dev/deployment/oss-deployment.md): Semgrep Community Edition (CE) can be set up run static application security testing (SAST) scans on repositories of any size. - [Set a primary branch](https://docs.semgrep.dev/deployment/primary-branch.md) - [Single-sign on (SSO) configuration](https://docs.semgrep.dev/deployment/sso.md) - [Manage teams and roles](https://docs.semgrep.dev/deployment/teams/manage.md) - [Manage user access to projects](https://docs.semgrep.dev/deployment/teams/overview.md): Basic access control, which determines which users can manage Semgrep resources such as scans, projects, and findings, is managed in Semgrep AppSec Platform. This allows you to configure different levels of collaboration and visibility for users in your organization with access to Semgrep. - [Access tokens](https://docs.semgrep.dev/deployment/tokens.md): An access token is a secure credential used to authorize requests to Semgrep AppSec Platform or the Semgrep API without a username and password. Each token is associated with a specific Semgrep account and has a defined set of [scopes](#token-scopes) that determine the permissions granted to its bea… - [Extensions](https://docs.semgrep.dev/extensions/overview.md): Several third-party tools include Semgrep extensions. 
- [Run scans on pre-commit](https://docs.semgrep.dev/extensions/pre-commit.md) - [Semgrep IntelliJ extension](https://docs.semgrep.dev/extensions/semgrep-intellij.md) - [Semgrep Visual Studio Code extension](https://docs.semgrep.dev/extensions/semgrep-vs-code.md) - [Compare Semgrep to CodeQL](https://docs.semgrep.dev/faq/comparisons/codeql.md): Both Semgrep and CodeQL use static analysis to find bugs, but there are a few differences: - [Compare Semgrep to Endor Labs](https://docs.semgrep.dev/faq/comparisons/endor-labs.md) - [Compare Semgrep to Opengrep](https://docs.semgrep.dev/faq/comparisons/opengrep.md) - [Compare Semgrep to Opengrep](https://docs.semgrep.dev/faq/comparisons/opengrep-1.md) - [Compare Semgrep to Snyk](https://docs.semgrep.dev/faq/comparisons/snyk.md) - [Compare Semgrep to SonarQube](https://docs.semgrep.dev/faq/comparisons/sonarqube.md): Both Semgrep and SonarQube use static analysis to find bugs, but there are a few differences: - [Frequently asked questions](https://docs.semgrep.dev/faq/overview.md) - [Run local CLI scans](https://docs.semgrep.dev/for-developers/cli.md): You can run local Semgrep CLI scans with the Semgrep command-line tool. - [How Semgrep works](https://docs.semgrep.dev/for-developers/detection.md): Semgrep enables you to: - [Run IDE scans](https://docs.semgrep.dev/for-developers/ide.md): Semgrep supports the following IDE extensions: - [Semgrep for developers](https://docs.semgrep.dev/for-developers/overview.md): This guide is for developers who are using Semgrep in a team or organizational setting. - [Resolve findings through Semgrep AppSec Platform](https://docs.semgrep.dev/for-developers/resolve-findings-through-app.md): This guide explains how you can view and triage findings in bulk through the Semgrep AppSec Platform web app. 
- [Resolve findings in your pull request or merge request](https://docs.semgrep.dev/for-developers/resolve-findings-through-comments.md) - [Sign in to Semgrep](https://docs.semgrep.dev/for-developers/signin.md) - [Local scans with Semgrep](https://docs.semgrep.dev/getting-started/cli.md): Learn how to set up Semgrep, scan your project for security issues using Semgrep Code's interfile analysis, and view your findings in the CLI. - [Quickstart](https://docs.semgrep.dev/getting-started/quickstart.md): Learn how to set up Semgrep, scan your first project, which can be any codebase, repository, or folder within a monorepo, for security issues, and view your findings. - [Get started with Semgrep Community Edition](https://docs.semgrep.dev/getting-started/quickstart-ce.md): Semgrep Community Edition (CE) is an open source static analysis tool that can find insecure coding patterns and security vulnerabilities in source code. Semgrep CE encompasses a SAST scanning engine, community rules, and integrated development environment plugins. - [Quickstart for Semgrep Managed Scans](https://docs.semgrep.dev/getting-started/quickstart-managed-scans.md): This quickstart guide will help you set up Semgrep and scan your first project using Semgrep Managed Scans. - [Supported source code managers](https://docs.semgrep.dev/getting-started/scm-support.md): Semgrep supports the following source code managers (SCM) and plans to varying degrees. Please review the information for your specific SCM and plan to see what Semgrep features are available to you. - [Semgrep Guardian](https://docs.semgrep.dev/guardian.md) - [Ignore files, folders, and code](https://docs.semgrep.dev/ignoring-files-folders-code.md) - [Semgrep Docs](https://docs.semgrep.dev/index.md): Read the documentation and get started with Semgrep. A fast static analysis engine for finding bugs, detecting dependency vulnerabilities, and enforcing code standards at editor, commit, and CI time. 
- [Semgrep integration guide for partners](https://docs.semgrep.dev/integrating.md): We're excited that you're integrating Semgrep into your tooling! Our goal with Semgrep is to bring world-class security tools to developers based on our conviction that software will run the most exciting parts of the future. It's not something that we can do alone; we want to build a community arou… - [Introduction to Semgrep](https://docs.semgrep.dev/introduction.md): Semgrep is a software security tool that provides static application security testing (SAST), software composition analysis (SCA), and secrets detection. Semgrep identifies vulnerabilities in your source code without executing your code. It integrates with IDEs and CI/CD, and can also run from the S… - [Knowledge base](https://docs.semgrep.dev/kb.md) - [Integrations](https://docs.semgrep.dev/kb/integrations.md) - [Customize Semgrep in pre-commit](https://docs.semgrep.dev/kb/integrations/customize-semgrep-precommit.md) - [How to connect Semgrep and DefectDojo](https://docs.semgrep.dev/kb/integrations/defect-dojo-integration.md) - [How to paginate responses from the Semgrep API](https://docs.semgrep.dev/kb/integrations/pagination.md) - [Rules](https://docs.semgrep.dev/kb/rules.md) - [Change rule severity and other metadata by forking rules](https://docs.semgrep.dev/kb/rules/changing-rule-severity-and-other-metadata.md) - [Matching multiple tokens with ellipsis metavariables](https://docs.semgrep.dev/kb/rules/ellipsis-metavariables.md) - [How to exclude certain file types for a particular rule](https://docs.semgrep.dev/kb/rules/exclude_rule_for_certain_filetypes.md) - [Match the absence of something in a file](https://docs.semgrep.dev/kb/rules/match-absence.md) - [Match comments with Semgrep](https://docs.semgrep.dev/kb/rules/match-comments.md) - [Fix pattern parse errors when running rules](https://docs.semgrep.dev/kb/rules/pattern-parse-error.md) - [Rule upgrades and 
supersession](https://docs.semgrep.dev/kb/rules/pro-vs-community-secrets-vs-code-rules.md): This article describes Semgrep behavior when multiple rules match the same issue in the same code. Overlap can occur when you scan your project with Semgrep Code using similar **Pro** and **CE** rules, or when you scan your code using both **Semgrep Code** and **Semgrep Secrets**. - [Performance principles for rules and files to abide by when scanning repositories](https://docs.semgrep.dev/kb/rules/rule-file-perf-principles.md) - [Why do new rules keep appearing in Comment or Block mode?](https://docs.semgrep.dev/kb/rules/ruleset-default-mode.md) - [Run all available rules on a repository](https://docs.semgrep.dev/kb/rules/run-all-available-rules.md) - [How does Semgrep assign severity levels to rules?](https://docs.semgrep.dev/kb/rules/understand-severities.md) - [My rule with pattern-not doesn't work: using pattern-not-inside](https://docs.semgrep.dev/kb/rules/using-pattern-not-inside.md) - [Use the Semgrep rule schema to write rules in VS Code](https://docs.semgrep.dev/kb/rules/using-semgrep-rule-schema-in-vscode.md) - [Semgrep AppSec Platform](https://docs.semgrep.dev/kb/semgrep-appsec-platform.md) - [What does 'Act on your behalf' mean?](https://docs.semgrep.dev/kb/semgrep-appsec-platform/act-on-your-behalf.md) - [Web API error 404 and token scopes](https://docs.semgrep.dev/kb/semgrep-appsec-platform/api-404-token-scope.md) - [Automate private rules deployment using the Semgrep API](https://docs.semgrep.dev/kb/semgrep-appsec-platform/automate-rules-deployment.md) - [Why can't I access my Semgrep organization after logging in with GitHub?](https://docs.semgrep.dev/kb/semgrep-appsec-platform/cannot-access-semgrep-after-github-login.md) - [Why does the Projects page display a different dependency count from the Dependencies page?](https://docs.semgrep.dev/kb/semgrep-appsec-platform/dependency-count-differ-platform.md): The **Projects** page displays the count of individual 
dependency entries in the latest full scan for the project. The **Dependencies** page shows only unique entries for a dependency, taking into account its lockfile and transitivity status. Dependencies that appear more than once indicate their li… - [error: externally-managed-environment](https://docs.semgrep.dev/kb/semgrep-appsec-platform/error-externally-managed-environment.md): If your Python environment is [externally managed by a package manager](https://packaging.python.org/en/latest/specifications/externally-managed-environments/), you can't use `pip` for system-wide installations. This results in the `externally-managed-environment` when you try to use `pip` to instal… - [FedRAMP authorization boundary for code scanning services like Semgrep](https://docs.semgrep.dev/kb/semgrep-appsec-platform/fedramp-with-semgrep.md): At Semgrep, we understand the importance of staying within the FedRAMP Authorization Boundary guidelines, especially when it comes to code security and scanning services. Many other companies agree with our understanding of the FedRAMP Authorization Boundary guidance (Section 7) which stipulates tha… - [Why do the findings count differ in the API and the Semgrep AppSec Platform UI?](https://docs.semgrep.dev/kb/semgrep-appsec-platform/findings-count-differ-api-platform.md) - [Why are findings counts different across Semgrep AppSec Platform pages?](https://docs.semgrep.dev/kb/semgrep-appsec-platform/findings-count-differ-platform.md): You may see different findings counts across the [Dashboard](/semgrep-appsec-platform/dashboard), [Projects](/deployment/manage-projects), [Scans](/deployment/manage-projects#scan-details-and-logs), and Findings pages in Semgrep AppSec Platform. 
This is typically due to the filtering criteria used t… - [Why did the comments on a PR or MR not appear inline?](https://docs.semgrep.dev/kb/semgrep-appsec-platform/inline-pr-comments.md): When Semgrep comments on PR or MR findings, the comments are usually posted on the line of code where the finding is identified (inline). However, there are two common reasons why comments may not appear inline. - [Why is my repository not receiving PR or MR comments?](https://docs.semgrep.dev/kb/semgrep-appsec-platform/missing-pr-comments.md): If you have configured Semgrep in CI and Semgrep AppSec Platform to create comments when a rule generates a finding in a PR or MR, but you are not seeing those comments, review the following possibilities. - [Semgrep Managed Scans doesn't run for pull requests in GitHub merge queues](https://docs.semgrep.dev/kb/semgrep-appsec-platform/no-runs-in-github-merge-queues.md) - [Why are my projects showing a status of 'Not yet started' after I enable Managed Scans?](https://docs.semgrep.dev/kb/semgrep-appsec-platform/projects-not-yet-started-sms.md): When onboarding a large number of projects to Semgrep Managed Scans (SMS), users may notice that many of them show a 'Not yet started' status, even after enabling Managed Scans. This is because Semgrep doesn't trigger scans for all projects at once. 
Instead, Semgrep scans the repositories over time… - [Remove users from your Semgrep AppSec Platform organization](https://docs.semgrep.dev/kb/semgrep-appsec-platform/remove-users.md) - [How to re-run a Semgrep Managed Scan](https://docs.semgrep.dev/kb/semgrep-appsec-platform/rerun-managed-scans.md) - [SAML SSO error: There is no AttributeStatement on the Response](https://docs.semgrep.dev/kb/semgrep-appsec-platform/saml-attributestatement.md) - [SAML SSO Error: Authentication method doesn't match requested](https://docs.semgrep.dev/kb/semgrep-appsec-platform/saml-authentication-method-match.md) - [SAML SSO Error: Signature validation failed](https://docs.semgrep.dev/kb/semgrep-appsec-platform/saml-bad-signature.md) - [SAML SSO with Google Workspace](https://docs.semgrep.dev/kb/semgrep-appsec-platform/saml-google-workspace.md) - [SAML SSO with Microsoft Entra ID](https://docs.semgrep.dev/kb/semgrep-appsec-platform/saml-microsoft-entra-id.md) - [Troubleshooting SAML SSO](https://docs.semgrep.dev/kb/semgrep-appsec-platform/saml-stops-working.md): This article walks you through troubleshooting SAML SSO failures, including the case where your SAML configuration stops working after you've successfully configured it and used it for some time. There are several common reasons why a configuration may fail. - [Why is the scan duration reported by Semgrep different from the scan duration of the end-to-end process of running a diff-aware managed scan?](https://docs.semgrep.dev/kb/semgrep-appsec-platform/scan-duration-discrepancy.md): The **Duration** of a scan shown on Semgrep AppSec Platform's **Projects** page reflects the amount of time required to run the Semgrep scan. 
This timer begins when Semgrep sends the scan request and receives a scan identifier, and ends when Semgrep sends results and receives a `scan complete` respo…
- [Search, filter, and sort findings in Semgrep AppSec Platform](https://docs.semgrep.dev/kb/semgrep-appsec-platform/search-filter-sort-findings.md): Semgrep AppSec Platform provides you with an overview of the findings identified by Semgrep Code, Supply Chain, and Secrets. Each product-specific page provides you with filters to narrow down the list of findings shown to you. For example, you can filter for Semgrep Code findings that are flagged a…
- [The semgrep login command doesn't redirect to my Semgrep tenant site](https://docs.semgrep.dev/kb/semgrep-appsec-platform/semgrep-login-cli-tenant.md)
- [SAML SSO error BadRequest: Missing attribute](https://docs.semgrep.dev/kb/semgrep-appsec-platform/sso-attribute-error.md): When setting up SAML-based SSO for Semgrep AppSec Platform, you may see the following error:
- [Semgrep in CI](https://docs.semgrep.dev/kb/semgrep-ci.md)
- [Semgrep with self-hosted Ubuntu runners in Azure Pipelines](https://docs.semgrep.dev/kb/semgrep-ci/azure-self-hosted-ubuntu.md)
- [Running Semgrep using templates in Azure Pipelines](https://docs.semgrep.dev/kb/semgrep-ci/azure-using-templates-with-semgrep.md)
- [Run Semgrep in Jenkins when using Bitbucket as the source code manager](https://docs.semgrep.dev/kb/semgrep-ci/bitbucket-jenkins.md)
- [Semgrep in CI vs CLI: align your SAST scan results and understand differences](https://docs.semgrep.dev/kb/semgrep-ci/ci-vs-cli.md)
- [Collecting Semgrep GitHub Actions logs from GitHub](https://docs.semgrep.dev/kb/semgrep-ci/collect-gha-logs.md)
- [GitLab 'Job's log exceeded limit' error](https://docs.semgrep.dev/kb/semgrep-ci/collect-gitlab-logs.md)
- [Failed to run a git command during a pull request or merge request scan](https://docs.semgrep.dev/kb/semgrep-ci/git-command-errors.md)
- [Use GitHub repository rulesets to implement Semgrep](https://docs.semgrep.dev/kb/semgrep-ci/github-repository-rulesets-semgrep.md)
- [Set up reusable GitHub workflows for Semgrep scans](https://docs.semgrep.dev/kb/semgrep-ci/github-reusable-workflows-semgrep.md)
- [Why aren't findings populating in the GitHub Advanced Security Dashboard after running Semgrep in CI?](https://docs.semgrep.dev/kb/semgrep-ci/github-upload-findings-in-security-dashboard.md): When scanning with Semgrep in CI, findings automatically populate in Semgrep AppSec Platform. To show findings in the GitHub Advanced Security Dashboard, run an alternate job that uploads findings to the dashboard in the form of a `SARIF` file. See [Sample GitHub Actions configuration file](/semgrep…
- [Scan GitHub projects in Jenkins](https://docs.semgrep.dev/kb/semgrep-ci/jenkins-diff-scans.md)
- [Receive Semgrep MR comments through a GitLab runner](https://docs.semgrep.dev/kb/semgrep-ci/mr-comments-through-gitlab-runner.md)
- [Why are there new source code manager (SCM) connections that I didn't manually configure listed in Semgrep AppSec Platform?](https://docs.semgrep.dev/kb/semgrep-ci/new-scm-connections.md)
- [Does Semgrep scan compressed files or other non-code files?](https://docs.semgrep.dev/kb/semgrep-ci/scan-compressed-files-artifacts.md)
- [Scanning a monorepo in parts](https://docs.semgrep.dev/kb/semgrep-ci/scan-monorepo-in-parts.md)
- [Add Semgrep to your Semaphore pipeline](https://docs.semgrep.dev/kb/semgrep-ci/semaphore-pipelines.md)
- [How to trigger diff-aware scans](https://docs.semgrep.dev/kb/semgrep-ci/trigger-diff-scans-env-var.md)
- [Upload Semgrep CI findings to GitHub Advanced Security Dashboard](https://docs.semgrep.dev/kb/semgrep-ci/upload-ci-findings-to-github.md)
- [Upload Semgrep CI findings to GitLab Security Dashboard](https://docs.semgrep.dev/kb/semgrep-ci/upload-ci-findings-to-gitlab.md)
- [Configure GitHub Actions to use the nonroot Semgrep docker image](https://docs.semgrep.dev/kb/semgrep-ci/using-nonroot-docker-image-with-gha.md)
- [Why are duplicate findings appearing after running Semgrep in CI?](https://docs.semgrep.dev/kb/semgrep-ci/why-duplicate-findings.md)
- [Semgrep Code](https://docs.semgrep.dev/kb/semgrep-code.md)
- [Troubleshoot ValueError: Invalid header value error](https://docs.semgrep.dev/kb/semgrep-code/InvalidHeaderValue.md)
- [How to collect logs when running Semgrep in CLI](https://docs.semgrep.dev/kb/semgrep-code/collect-cli-logs.md): When troubleshooting Semgrep scans on the command line interface (CLI), collecting and sharing logs can be extremely helpful. By default, Semgrep prints findings from a scan to `stdout`, and other messages, including scan details and progress, to `stderr`. For troubleshooting, it's best to provide b…
- [Why isn't Semgrep reporting all my tainted data flows?](https://docs.semgrep.dev/kb/semgrep-code/finding_all_taints.md): One of the reasons behind seeing fewer than expected tainted data flows could be the principle of reporting on shortest paths only.
- [My GitLab pipeline says that the token is invalid, but it is valid](https://docs.semgrep.dev/kb/semgrep-code/gitlab-group-variables.md)
- [Reduce false positives in semgrep scan](https://docs.semgrep.dev/kb/semgrep-code/reduce-false-positives.md): The `semgrep scan` command can be used to quickly perform SAST scans. However, you may encounter false positives as you work through your findings. This document presents different strategies to reduce false positives and increase true positives in your scans.
- [How to run different versions of Semgrep](https://docs.semgrep.dev/kb/semgrep-code/run-specific-version.md): However, when testing or managing upgrades, it can be helpful to run different versions of Semgrep to compare behavior.
- [Troubleshooting 'You are seeing this because the engine was killed' on monorepos](https://docs.semgrep.dev/kb/semgrep-code/scan-engine-kill.md): Scans can fail to complete on large monorepos. This article describes possible solutions, such as:
- [A Semgrep scan is having a problem - what next?](https://docs.semgrep.dev/kb/semgrep-code/semgrep-scan-troubleshooting.md): If a Semgrep scan is failing or running slowly,
- [Why am I getting findings in files that should be ignored?](https://docs.semgrep.dev/kb/semgrep-code/semgrepignore-ignored.md): If you don't have a `.semgrepignore` file, see our [guide on how to exclude files from Semgrep scans](/ignoring-files-folders-code).
- [Support for all versions of a programming language](https://docs.semgrep.dev/kb/semgrep-code/support-for-language-versions.md): Semgrep language support has several levels of maturity. The **Generally available (GA)** maturity level means that Semgrep broadly supports all versions of that programming language.
- [Why are there more Semgrep findings when the code hasn't changed?](https://docs.semgrep.dev/kb/semgrep-code/unexpected-new-findings.md): If the rules you're using in Semgrep have changed since you last performed a full scan of your project, you may see more findings for the project even if your code has not changed.
- [Semgrep Multimodal](https://docs.semgrep.dev/kb/semgrep-multimodal.md)
- [Azure OpenAI: Error 429 - Max Tokens Exceeded](https://docs.semgrep.dev/kb/semgrep-multimodal/azure-openai-error-429.md)
- [Missing PR or MR comments from Semgrep Multimodal](https://docs.semgrep.dev/kb/semgrep-multimodal/missing-pr-mr-comments.md)
- [Semgrep Secrets](https://docs.semgrep.dev/kb/semgrep-secrets.md)
- [Why didn't Semgrep Secrets find these example secrets?](https://docs.semgrep.dev/kb/semgrep-secrets/no-example-secrets-found.md): One common pattern in code is to include a placeholder value or format indicator for a secret rather than a real secret value. Where possible, Semgrep Secrets rules are intentionally written to minimize matches with this type of placeholder to avoid false positives, since the primary concern is iden…
- [Why didn't Semgrep ignore the files and folders in the Secrets Path ignores for this project?](https://docs.semgrep.dev/kb/semgrep-secrets/per-product-ignore-not-working.md): The Semgrep AppSec Platform allows you to [define ignore patterns](/ignoring-files-folders-code#define-ignored-files-and-folders-in-semgrep-appsec-platform) for different Semgrep products for each project. Product-specific ignores for Semgrep Secrets require Semgrep version `1.71.0` or later in your…
- [Semgrep Supply Chain (SSC)](https://docs.semgrep.dev/kb/semgrep-supply-chain.md)
- [How to exclude a Semgrep Supply Chain rule from a scan](https://docs.semgrep.dev/kb/semgrep-supply-chain/exclude-rule.md)
- [Malware incident response with Semgrep Supply Chain](https://docs.semgrep.dev/kb/semgrep-supply-chain/incident-response.md): This document describes how to respond to a malicious dependency incident using Semgrep Supply Chain.
- [How to scan multiple or nested manifest files or lockfiles](https://docs.semgrep.dev/kb/semgrep-supply-chain/scanning_multiple_lockfiles.md): Semgrep Supply Chain uses manifest files or lockfiles as part of its reachability analysis to determine the exact version of a dependency that a codebase is using. Semgrep parses manifest files or lockfiles, such as:
- [Generate manifest files or lockfiles for Semgrep Supply Chain in a Circle CI pipeline](https://docs.semgrep.dev/kb/semgrep-supply-chain/ssc-lockfiles-circleci.md): In CircleCI, you can generate a manifest file or lockfile for your project as part of your pipeline job. This step happens during the first job, then the manifest file or lockfile is passed to the Semgrep scan using a [workspace](https://circleci.com/workspaces/) to share files between jobs.
- [Generating Python lockfiles for Semgrep Supply Chain scans](https://docs.semgrep.dev/kb/semgrep-supply-chain/ssc-python-lockfiles.md)
- [Why aren't Supply Chain findings showing?](https://docs.semgrep.dev/kb/semgrep-supply-chain/why-no-findings.md)
- [C# support](https://docs.semgrep.dev/languages/csharp.md)
- [Go support](https://docs.semgrep.dev/languages/go.md)
- [Java support](https://docs.semgrep.dev/languages/java.md)
- [JavaScript support](https://docs.semgrep.dev/languages/javascript.md)
- [Kotlin support](https://docs.semgrep.dev/languages/kotlin.md)
- [Python support](https://docs.semgrep.dev/languages/python.md)
- [Ruby support](https://docs.semgrep.dev/languages/ruby.md)
- [Scala support](https://docs.semgrep.dev/languages/scala.md)
- [Swift support](https://docs.semgrep.dev/languages/swift.md)
- [Semgrep Learning Guides](https://docs.semgrep.dev/learn.md)
- [Security Foundations](https://docs.semgrep.dev/learn/security-foundations/overview.md): This section includes conceptual guides on application security essentials. These fundamental concepts can help strengthen your organization's security posture and can be a helpful reference when educating teams on security principles.
- [Understanding static code scanning tools](https://docs.semgrep.dev/learn/security-foundations/sast/overview.md)
- [Incorporating security testing into development workflows](https://docs.semgrep.dev/learn/security-foundations/security-testing-workflow.md)
- [Understanding supply chain security](https://docs.semgrep.dev/learn/security-foundations/supply-chain-security.md)
- [Code Injection](https://docs.semgrep.dev/learn/vulnerabilities/code-injection.md): An attacker's ultimate goal is often to escalate a vulnerability into something as impactful as possible. The most dangerous outcome is arbitrary code execution, and few vulnerabilities provide as direct a path to it as code injection.
- [Command Injection](https://docs.semgrep.dev/learn/vulnerabilities/command-injection.md)
- [Command Injection in Argo Workflows](https://docs.semgrep.dev/learn/vulnerabilities/command-injection/argo-injection.md)
- [Injection Attacks in GitHub Actions](https://docs.semgrep.dev/learn/vulnerabilities/command-injection/github-actions-injection.md)
- [Cross-Site Scripting (XSS)](https://docs.semgrep.dev/learn/vulnerabilities/cross-site-scripting.md)
- [Insecure Direct Object Reference (IDOR)](https://docs.semgrep.dev/learn/vulnerabilities/idor.md): Imagine you're browsing your order history in an online store. You notice the URL includes an order ID, and out of curiosity, you try changing the number to see what happens.
- [Insecure Deserialization](https://docs.semgrep.dev/learn/vulnerabilities/insecure-deserialization.md)
- [Insecure Deserialization in Python](https://docs.semgrep.dev/learn/vulnerabilities/insecure-deserialization/python.md)
- [Open Redirect](https://docs.semgrep.dev/learn/vulnerabilities/open-redirect.md)
- [Understanding Security Vulnerabilities](https://docs.semgrep.dev/learn/vulnerabilities/overview.md)
- [Server Side Request Forgery (SSRF)](https://docs.semgrep.dev/learn/vulnerabilities/server-side-request-forgery.md)
- [SQL Injection](https://docs.semgrep.dev/learn/vulnerabilities/sql-injection.md)
- [XML Security](https://docs.semgrep.dev/learn/vulnerabilities/xml-security.md)
- [Licensing](https://docs.semgrep.dev/licensing.md): The following is a list of products offered by Semgrep, Inc., along with their license information.
- [Semgrep metrics](https://docs.semgrep.dev/metrics.md): Semgrep CLI may collect aggregate metrics to help improve the product. This document describes:
- [Semgrep metrics](https://docs.semgrep.dev/metrics-1.md): Semgrep CLI may collect aggregate metrics to help improve the product. This document describes:
- [Prerequisites](https://docs.semgrep.dev/prerequisites.md): This document details the required software or services to run Semgrep products.
- [Feature definitions](https://docs.semgrep.dev/references/feature-definitions.md)
- [Language maturity levels](https://docs.semgrep.dev/references/language-maturity-levels.md)
- [April 2025](https://docs.semgrep.dev/release-notes/april-2025.md): April 30, 2025 · 4 min read
- [April 2026](https://docs.semgrep.dev/release-notes/april-2026.md): May 12, 2026 · 8 min read
- [August 2025](https://docs.semgrep.dev/release-notes/august-2025.md): September 3, 2025 · 3 min read
- [December 2025](https://docs.semgrep.dev/release-notes/december-2025.md): January 13, 2026 · 7 min read
- [February 2026](https://docs.semgrep.dev/release-notes/february-2026.md): March 6, 2026 · 4 min read
- [Semgrep release notes](https://docs.semgrep.dev/release-notes/index.md): Product updates and release notes for Semgrep Code, Supply Chain, Secrets, and the AppSec Platform.
- [January 2026](https://docs.semgrep.dev/release-notes/january-2026.md): February 4, 2026 · 4 min read
- [July 2025](https://docs.semgrep.dev/release-notes/july-2025.md): August 8, 2025 · 5 min read
- [June 2025](https://docs.semgrep.dev/release-notes/june-2025.md): July 18, 2025 · 6 min read
- [March 2026](https://docs.semgrep.dev/release-notes/march-2026.md): April 10, 2026 · 8 min read
- [May 2025](https://docs.semgrep.dev/release-notes/may-2025.md): May 30, 2025 · 5 min read
- [November 2025](https://docs.semgrep.dev/release-notes/november-2025.md): December 9, 2025 · 6 min read
- [October 2025](https://docs.semgrep.dev/release-notes/october-2025.md): November 11, 2025 · 3 min read
- [September 2025](https://docs.semgrep.dev/release-notes/september-2025.md): October 23, 2025 · 3 min read
- [Run a successful proof-of-value (POV) trial with Semgrep](https://docs.semgrep.dev/run-a-successful-pov.md)
- [Run a successful proof-of-value (POV) trial with Semgrep](https://docs.semgrep.dev/run-a-successful-pov-1.md)
- [Run rules](https://docs.semgrep.dev/running-rules.md): This document explains how to use local Semgrep rules when scanning your project.
- [Custom rules for secure guardrails](https://docs.semgrep.dev/secure-guardrails/custom-guardrails-rules.md): You can create custom Semgrep rules and deploy them as guardrails to enforce your organization's secure coding conventions.
- [Secure defaults](https://docs.semgrep.dev/secure-guardrails/secure-defaults.md)
- [Secure guardrails in Semgrep](https://docs.semgrep.dev/secure-guardrails/secure-guardrails-in-semgrep.md): Secure guardrails guide **developers** towards fixing security issues in the early stages of development. By deploying secure guardrails, you can:
- [Security](https://docs.semgrep.dev/security.md)
- [Enable Azure pull request comments](https://docs.semgrep.dev/semgrep-appsec-platform/azure-pr-comments.md)
- [Enable Bitbucket Cloud pull request comments](https://docs.semgrep.dev/semgrep-appsec-platform/bitbucket-cloud-pr-comments.md)
- [Enable Bitbucket Data Center pull request comments](https://docs.semgrep.dev/semgrep-appsec-platform/bitbucket-data-center-pr-comments.md)
- [View exposure and runtime context from Cortex by Palo Alto Networks](https://docs.semgrep.dev/semgrep-appsec-platform/cortex.md): The Semgrep Cortex integration can ingest exposure and runtime context from your Cortex instance in Semgrep AppSec Platform. This allows you to prioritize findings based on deployment status and internet exposure status.
- [Dashboard](https://docs.semgrep.dev/semgrep-appsec-platform/dashboard.md)
- [Receive email notifications](https://docs.semgrep.dev/semgrep-appsec-platform/email-notifications.md): You can receive emails from Semgrep regarding **new findings** and **failed scans**.
- [Set up GitHub pull request comments](https://docs.semgrep.dev/semgrep-appsec-platform/github-pr-comments.md)
- [Set up GitLab merge request comments](https://docs.semgrep.dev/semgrep-appsec-platform/gitlab-mr-comments.md)
- [Create Jira tickets](https://docs.semgrep.dev/semgrep-appsec-platform/jira.md): The Semgrep Jira integration allows you to create Jira tickets based on your Semgrep Code, Supply Chain, and Secrets findings.
- [Semgrep JSON and SARIF fields](https://docs.semgrep.dev/semgrep-appsec-platform/json-and-sarif.md): This reference provides Semgrep fields for JSON and SARIF output.
- [Alerts and notifications](https://docs.semgrep.dev/semgrep-appsec-platform/notifications.md): You can receive notifications for Semgrep findings in the following channels:
- [Enable source code manager code access](https://docs.semgrep.dev/semgrep-appsec-platform/scm-code-access.md)
- [Receive Slack notifications](https://docs.semgrep.dev/semgrep-appsec-platform/slack-notifications.md)
- [View runtime context from Sysdig](https://docs.semgrep.dev/semgrep-appsec-platform/sysdig.md): The Semgrep Sysdig integration can ingest runtime context from your Sysdig account into Semgrep AppSec Platform. This allows you to prioritize findings based on deployment status.
- [Tag projects](https://docs.semgrep.dev/semgrep-appsec-platform/tags.md): Tagging enables you to group projects together based on your organization's unique business structure or needs. By tagging projects, you are able to quickly apply Supply Chain policies and other Semgrep features to specific groups.
- [Enable webhooks](https://docs.semgrep.dev/semgrep-appsec-platform/webhooks.md): Webhooks are a generic method for Semgrep AppSec Platform to post JSON-formatted findings after each scan to your URL endpoint.
- [View Semgrep findings in Wiz's Security Graph](https://docs.semgrep.dev/semgrep-appsec-platform/wiz.md)
- [Supported languages for Semgrep Community Edition (CE)](https://docs.semgrep.dev/semgrep-ce-languages.md): This document provides information about supported languages for Semgrep Code and Semgrep CE.
- [Continuous integration (CI) environment variables](https://docs.semgrep.dev/semgrep-ci/ci-environment-variables.md)
- [Continuous integration (CI) environment variables](https://docs.semgrep.dev/semgrep-ci/ci-environment-variables-1.md)
- [Handling blocking findings and errors](https://docs.semgrep.dev/semgrep-ci/configuring-blocking-and-errors-in-ci.md): This article documents how Semgrep handles blocking findings and errors and how you can change Semgrep's default behavior.
- [Findings in CI](https://docs.semgrep.dev/semgrep-ci/findings-ci.md): When running any Semgrep product in CI, Semgrep is able to track the lifetime of an individual finding. When configured to perform a diff-aware scan, Semgrep only shows new findings relative to some specified baseline commit.
- [Findings in CI](https://docs.semgrep.dev/semgrep-ci/findings-ci-1.md): When running any Semgrep product in CI, Semgrep is able to track the lifetime of an individual finding. When configured to perform a diff-aware scan, Semgrep only shows new findings relative to some specified baseline commit.
- [Set up the Semgrep Network Broker](https://docs.semgrep.dev/semgrep-ci/network-broker.md): The Semgrep Network Broker facilitates secure access between Semgrep and your private network. The Network Broker creates a WireGuard VPN tunnel to the Semgrep backend and proxies **inbound** HTTP requests from Semgrep to the customer through the tunnel. This allows Semgrep to communicate with priva…
- [Packages in the Semgrep docker image](https://docs.semgrep.dev/semgrep-ci/packages-in-semgrep-docker.md)
- [Packages in the Semgrep docker image](https://docs.semgrep.dev/semgrep-ci/packages-in-semgrep-docker-1.md)
- [Sample continuous integration (CI) configurations](https://docs.semgrep.dev/semgrep-ci/sample-ci-configs.md): This document provides sample configuration snippets to run Semgrep CI on various continuous integration (CI) providers.
- [Sample continuous integration (CI) configurations](https://docs.semgrep.dev/semgrep-ci/sample-ci-configs-1.md): This document provides sample configuration snippets to run Semgrep CI on various continuous integration (CI) providers.
- [AI-powered detection (beta) overview](https://docs.semgrep.dev/semgrep-code/ai-powered-detection-concepts.md)
- [Write rules using Semgrep Editor](https://docs.semgrep.dev/semgrep-code/editor.md)
- [View findings' details](https://docs.semgrep.dev/semgrep-code/finding-details.md)
- [View findings in Semgrep AppSec Platform](https://docs.semgrep.dev/semgrep-code/findings.md)
- [Semgrep Code product terms](https://docs.semgrep.dev/semgrep-code/glossary.md): The terms and definitions provided here are specific to Semgrep Code.
- [Semantic detection in Java](https://docs.semgrep.dev/semgrep-code/java.md): This document explains how Semgrep detects true positives and reduces false positives in Java.
- [Semgrep Code overview](https://docs.semgrep.dev/semgrep-code/overview.md)
- [Manage rules and policies](https://docs.semgrep.dev/semgrep-code/policies.md)
- [Semgrep Pro rules](https://docs.semgrep.dev/semgrep-code/pro-rules.md)
- [Remove duplicate findings](https://docs.semgrep.dev/semgrep-code/remove-duplicates.md): Semgrep scans are performed on both mainline (trunk) and non-mainline branches. The scope of the scan can differ depending on whether Semgrep is called on a mainline or non-mainline branch.
- [Cross-file analysis examples](https://docs.semgrep.dev/semgrep-code/semgrep-pro-engine-examples.md)
- [Perform cross-file analysis](https://docs.semgrep.dev/semgrep-code/semgrep-pro-engine-intro.md): Use Semgrep Code's **cross-file (interfile) analysis** to detect vulnerabilities across files and folders within a project.
- [Triage and remediate findings](https://docs.semgrep.dev/semgrep-code/triage-remediation.md): This article shows you how to manage and triage findings identified by Semgrep Code using Semgrep AppSec Platform. The specific actions available to you when managing your findings include:
- [Autofix for Semgrep Code (beta)](https://docs.semgrep.dev/semgrep-code/triage-remediation/autofix.md): Semgrep's Autofix feature uses AI to generate proposed code changes for Semgrep Code findings.
- [Analyze Code findings](https://docs.semgrep.dev/semgrep-multimodal/analyze.md)
- [Best practices for writing Memories](https://docs.semgrep.dev/semgrep-multimodal/best-practices-for-memories.md): This page covers various best practices for writing Memories.
- [Customize Semgrep Multimodal](https://docs.semgrep.dev/semgrep-multimodal/customize.md): You can customize Semgrep Multimodal by enabling and using the features detailed on this page.
- [Enable Semgrep Multimodal](https://docs.semgrep.dev/semgrep-multimodal/getting-started.md): Semgrep Multimodal extends standard Semgrep capabilities by providing contextually aware AI-powered vulnerability detection and remediation suggestions.
- [Semgrep Multimodal metrics and methodology](https://docs.semgrep.dev/semgrep-multimodal/metrics.md): Metrics for evaluating Semgrep Multimodal's performance are derived from two sources:
- [Semgrep Multimodal overview](https://docs.semgrep.dev/semgrep-multimodal/overview.md): Semgrep Multimodal adds AI-driven capabilities to Semgrep, including AI-powered detection, triage, and remediation of your findings.
- [Data privacy and legal considerations](https://docs.semgrep.dev/semgrep-multimodal/privacy.md): Semgrep Multimodal uses API permissions to access code in your selected GitHub or GitLab repositories. To provide AI-powered functionality, portions of the source code are processed by Semgrep's AI model vendors.
- [Semgrep AppSec Platform versus Semgrep Community Edition](https://docs.semgrep.dev/semgrep-pro-vs-oss.md)
- [Semgrep AppSec Platform versus Semgrep Community Edition](https://docs.semgrep.dev/semgrep-pro-vs-oss-1.md)
- [Semgrep Secrets overview](https://docs.semgrep.dev/semgrep-secrets/conceptual-overview.md)
- [View findings details](https://docs.semgrep.dev/semgrep-secrets/finding-details.md): The finding's details page displays in-depth information about the finding, including:
- [View findings in Semgrep AppSec Platform](https://docs.semgrep.dev/semgrep-secrets/findings.md)
- [Generic secrets AI](https://docs.semgrep.dev/semgrep-secrets/generic-secrets.md)
- [Scan for secrets](https://docs.semgrep.dev/semgrep-secrets/getting-started.md): Semgrep Secrets allows you to detect and triage leaked secrets and credentials and save time by prioritizing which secrets to rotate based on whether they're active and in use.
- [Semgrep Secrets glossary](https://docs.semgrep.dev/semgrep-secrets/glossary.md): The terms and definitions provided here are specific to Semgrep Secrets.
- [Scan your Git history (beta)](https://docs.semgrep.dev/semgrep-secrets/historical-scanning.md)
- [Manage Semgrep Secrets rules using the policies page](https://docs.semgrep.dev/semgrep-secrets/policies.md)
- [Semgrep Secrets rule structure and sample](https://docs.semgrep.dev/semgrep-secrets/rules.md): This article walks you through writing, publishing, and using Semgrep Secrets rules. It also demonstrates what a sample Semgrep Secrets rule looks like, with subsequent sections describing the key-value pairs in the context of a Semgrep Secrets rule.
- [Semgrep Secrets rule structure and sample](https://docs.semgrep.dev/semgrep-secrets/rules-1.md): This article walks you through writing, publishing, and using Semgrep Secrets rules. It also demonstrates what a sample Semgrep Secrets rule looks like, with subsequent sections describing the key-value pairs in the context of a Semgrep Secrets rule.
- [Triage and remediate findings](https://docs.semgrep.dev/semgrep-secrets/triage-remediation.md): This article shows you how to manage and triage the findings identified by Semgrep Secrets using Semgrep AppSec Platform.
- [Write custom validators](https://docs.semgrep.dev/semgrep-secrets/validators.md)
- [Write custom validators](https://docs.semgrep.dev/semgrep-secrets/validators-1.md)
- [View advisories and search for related findings](https://docs.semgrep.dev/semgrep-supply-chain/advisories.md)
- [View and search for dependencies](https://docs.semgrep.dev/semgrep-supply-chain/dependency-search.md)
- [View findings details](https://docs.semgrep.dev/semgrep-supply-chain/finding-details.md): The finding's details page displays in-depth information about the finding, including:
- [View findings in Semgrep AppSec Platform](https://docs.semgrep.dev/semgrep-supply-chain/findings.md)
- [Scan third-party dependencies](https://docs.semgrep.dev/semgrep-supply-chain/getting-started.md)
- [Semgrep Supply Chain glossary](https://docs.semgrep.dev/semgrep-supply-chain/glossary.md): The terms and definitions provided here are specific to Semgrep Supply Chain.
- [Ignore manifest files, lockfiles, and dependencies](https://docs.semgrep.dev/semgrep-supply-chain/ignoring-dependencies.md)
- [Ignore manifest files, lockfiles, and dependencies](https://docs.semgrep.dev/semgrep-supply-chain/ignoring-deps.md)
- [License compliance](https://docs.semgrep.dev/semgrep-supply-chain/license-compliance.md)
- [Detect and remove malicious dependencies](https://docs.semgrep.dev/semgrep-supply-chain/malicious-dependencies.md)
- [Overview](https://docs.semgrep.dev/semgrep-supply-chain/overview.md): Semgrep Supply Chain is a software composition analysis (SCA) tool that detects security vulnerabilities in your codebase introduced by open source dependencies. It can also:
- [Manage policies](https://docs.semgrep.dev/semgrep-supply-chain/policies.md)
- [Generate a software bill of materials](https://docs.semgrep.dev/semgrep-supply-chain/sbom.md)
- [Supply Chain feature support](https://docs.semgrep.dev/semgrep-supply-chain/sca-feature-support.md): This document discusses the features supported by Semgrep Supply Chain.
- [Package manager support](https://docs.semgrep.dev/semgrep-supply-chain/sca-package-manager-support.md): Semgrep Supply Chain (SCA) scans dependencies by parsing manifest files or lockfiles, or with Dynamic Dependency Resolution (beta). This page lists the supported package managers and file types.
- [Set up Semgrep Supply Chain for your infrastructure](https://docs.semgrep.dev/semgrep-supply-chain/setup-infrastructure.md)
- [Set up Semgrep Supply Chain with Apache Maven (Java)](https://docs.semgrep.dev/semgrep-supply-chain/setup-maven.md)
- [Triage and remediate Supply Chain findings](https://docs.semgrep.dev/semgrep-supply-chain/triage-and-remediation.md)
- [Semgrepignore v2 reference](https://docs.semgrep.dev/semgrepignore-v2-reference.md)
- [Support](https://docs.semgrep.dev/support.md): This document provides various methods for all users of Semgrep to get help.
- [Supported languages](https://docs.semgrep.dev/supported-languages.md)
- [Semgrep trophy case](https://docs.semgrep.dev/trophy-case.md): This is a list of vulnerabilities found and security fixes made with Semgrep.
- [Troubleshooting rules](https://docs.semgrep.dev/troubleshooting/rules.md)
- [Troubleshooting the CLI](https://docs.semgrep.dev/troubleshooting/semgrep.md)
- [Troubleshooting CI scans](https://docs.semgrep.dev/troubleshooting/semgrep-app.md)
- [Update Semgrep](https://docs.semgrep.dev/update.md): Stay up-to-date by running the latest version of Semgrep automatically in CI or your local CLI.
- [How Semgrep calculates contributor count](https://docs.semgrep.dev/usage-and-billing/contributor-count-explained.md)
- [Usage and billing](https://docs.semgrep.dev/usage-and-billing/overview.md): This document provides information on how Semgrep calculates usage for billing purposes and is intended for users with paid Semgrep Code, Supply Chain, or Secrets licenses.
- [Upgrade your Semgrep subscription plan](https://docs.semgrep.dev/usage-and-billing/plan-changes-and-payments.md): To upgrade your Semgrep subscription from the **Free** plan to the **Team** plan using a credit card as the payment method:
- [Additional usage and reconciliation of licenses](https://docs.semgrep.dev/usage-and-billing/reconciliation.md): If your organization uses more licenses than purchased for the contract period, you will be charged for each extra license starting the month after the overage occurs.
- [Constant propagation](https://docs.semgrep.dev/writing-rules/data-flow/constant-propagation.md)
- [Dataflow analysis engine overview](https://docs.semgrep.dev/writing-rules/data-flow/data-flow-overview.md): Semgrep provides an intraprocedural data-flow analysis engine that opens various Semgrep capabilities. Semgrep provides the following data-flow analyses:
- [Dataflow status](https://docs.semgrep.dev/writing-rules/data-flow/status.md)
- [Advanced taint analysis techniques](https://docs.semgrep.dev/writing-rules/data-flow/taint-mode/advanced.md)
- [Taint analysis overview](https://docs.semgrep.dev/writing-rules/data-flow/taint-mode/overview.md)
- [Aliengrep](https://docs.semgrep.dev/writing-rules/experiments/aliengrep.md)
- [Deprecated experiments](https://docs.semgrep.dev/writing-rules/experiments/deprecated-experiments.md)
- [Display propagated value of metavariables](https://docs.semgrep.dev/writing-rules/experiments/display-propagated-metavariable.md)
- [Introduction to Semgrep experiments](https://docs.semgrep.dev/writing-rules/experiments/introduction.md)
- [Join mode overview](https://docs.semgrep.dev/writing-rules/experiments/join-mode/overview.md): Join mode runs several Semgrep rules at once and only returns results if certain conditions on the results are met. Join mode is an experimental mode that lets you cross file boundaries, allowing you to write rules for whole code bases instead of individual files. As the name implies, this was inspi…
- [Recursive joins](https://docs.semgrep.dev/writing-rules/experiments/join-mode/recursive-joins.md)
- [Match captured metavariables with specific types](https://docs.semgrep.dev/writing-rules/experiments/metavariable-type.md)
- [Include multiple focus metavariables using set union semantics](https://docs.semgrep.dev/writing-rules/experiments/multiple-focus-metavariables.md): Semgrep matches all pieces of code captured by focus metavariables when you specify them in a rule. Specify the metavariables you want to focus on in a YAML list format.
- [Pattern syntax (experimental)](https://docs.semgrep.dev/writing-rules/experiments/pattern-syntax.md)
- [r2c-internal-project-depends-on](https://docs.semgrep.dev/writing-rules/experiments/r2c-internal-project-depends-on.md)
- [Symbolic propagation](https://docs.semgrep.dev/writing-rules/experiments/symbolic-propagation.md): Symbolic propagation allows Semgrep to perform matching modulo variable assignments. Consider the following Python code:
- [Generic pattern matching](https://docs.semgrep.dev/writing-rules/generic-pattern-matching.md)
- [Static analysis and rule-writing glossary](https://docs.semgrep.dev/writing-rules/glossary.md): The definitions provided here are specific to Semgrep.
- [Metavariable analysis](https://docs.semgrep.dev/writing-rules/metavariable-analysis.md)
- [Write rules](https://docs.semgrep.dev/writing-rules/overview.md): Semgrep uses rules, which encapsulate pattern matching logic and data flow analysis, to scan your code for security issues, style violations, bugs, and more. In addition to rules available to you in the Semgrep Registry, you can write custom rules to determine what Semgrep detects in your repositori…
- [Write rules](https://docs.semgrep.dev/writing-rules/overview-1.md): Semgrep uses rules, which encapsulate pattern matching logic and data flow analysis, to scan your code for security issues, style violations, bugs, and more. In addition to rules available to you in the Semgrep Registry, you can write custom rules to determine what Semgrep detects in your repositori…
- [Rule pattern syntax examples](https://docs.semgrep.dev/writing-rules/pattern-examples.md)
- [Rule pattern syntax](https://docs.semgrep.dev/writing-rules/pattern-syntax.md)
- [Private rules](https://docs.semgrep.dev/writing-rules/private-rules.md)
- [Rule-defined fix](https://docs.semgrep.dev/writing-rules/rule-defined-fix.md): Rule-defined fix is a Semgrep feature that lets you add suggested fixes to rules.
- [Rule structure syntax examples](https://docs.semgrep.dev/writing-rules/rule-ideas.md): Not sure what to write a rule for? Below are some common questions, ideas, and topics to spur your imagination. Happy hacking! 💡
- [Rule structure syntax](https://docs.semgrep.dev/writing-rules/rule-syntax.md)
- [Test rules](https://docs.semgrep.dev/writing-rules/testing-rules.md): Semgrep provides a testing mechanism for your rules. You can write code and provide annotations to let Semgrep know where you are or aren't expecting findings. Semgrep provides the following annotations:

## OpenAPI Specs

- [public_v1.openapi](https://docs.semgrep.dev/public_v1.openapi.yaml)
- [openapi](https://docs.semgrep.dev/api-reference/openapi.json)

## Optional

- [Registry](https://semgrep.dev/explore/)
- [Playground](https://semgrep.dev/playground/new)
- [Academy](https://academy.semgrep.dev)
- [GitHub](https://github.com/semgrep/semgrep-docs)