The Semgrep dashboard is an overview of your organization's security posture based on data aggregated within Semgrep AppSec Platform. It helps you:
- Evaluate your AppSec program, enabling you to know your current security risk.
- Assess the deployment and adoption of secure guardrails in your organization.
- Become aware of trends and opportunities that you can use to improve your security posture.
- Quickly filter data granularly for all the charts on the page and view priority findings.
- Export the information as a PDF report.
Dashboard overview
The dashboard is divided into several sections:

| Section | Description |
|---|---|
| Reporting summary top bar | Sets the filters for all the data on the page. |
| Production backlog | Displays data about all the findings detected in your primary or default branch. Helps answer: How is my security posture doing over time? Is my backlog decreasing or increasing? Is the team addressing findings faster than new findings are coming in? |
| Secure guardrails | Displays data relevant to the deployment and adoption of secure guardrails. Helps answer: How many vulnerabilities did Semgrep prevent from entering production over time? Am I effectively introducing guardrails to my developers? Of the issues shown to developers, are they being fixed or ignored? |
| Most findings by project | Lists projects arranged from most open findings to least, grouped by product or severity. Helps answer: Which of my projects have the most findings in a particular product area? Which of my projects have the most findings of a particular severity? |
| Median open age | A graph showing the median age of all Open findings, grouped by product or severity. Half of the open findings are older than this age, and half are newer. Helps answer: How long does a finding remain open, by product or by severity? |
Export reports
To generate reports from the current view, click Dashboard > Download.

Triage states

The following triage states are displayed:

- Open
- Ignored, including provisionally ignored
- Fixed
Filters and configuration
Use the filters to gain a top-level view or zoom in to a single product, a specific period of time, or another slice of data. Create quarterly overviews or recent incident statements for various AppSec stakeholders. Configurations set here apply to the entire page. The following quick filters are visible on the page:

- Time period
- Semgrep product or type of scan (SAST, SCA, or Secrets)
- Project (a repository or a subfolder of a monorepo)
- Recommended priority toggle
INFO
- By default, the Dashboard displays data for projects that members or managers have access to. Admins can view findings from all the projects in the organization. See the Teams documentation for more information.
- It can take up to a day (24 hours) for the Dashboard to correctly update and remove findings if you have recently deleted a project.
The full set of filters includes:

- Severity
- Confidence
- Reachability
- Validation
- Time period
- Product
- Project
- Tags
- Teams
Recommended priority
This refers to any finding that is Critical or High severity in addition to being:

- High confidence - if the finding is from Semgrep Code.
- Reachable - if the finding is from Semgrep Supply Chain.
- Valid - if the finding is from Semgrep Secrets.
Production backlog
This pane displays analytics related to findings detected in your primary or default branch. This typically means that the finding, usually a security issue, has reached production environments.

Key metrics
| Key metrics | Description |
|---|---|
| Total opened | Total number of findings set to Open during the time period. This includes new findings as well as re-opened findings that were previously in a different state. |
| Total fixed | Total number of Fixed findings during the time period that remained fixed until the end of the time period. |
| Total ignored | Total number of Ignored findings during the time period that remained ignored until the end of the time period. Ignored findings includes those with a status of Provisionally ignored. |
| Total net new | The number of Open findings at the end of the time period minus the number of Open findings at the beginning of the time period. A positive value means the backlog grew over the period; a negative value means it shrank. |
Charts
| Chart | Description |
|---|---|
| Open backlog | Tracks the total number of Open findings after each scan and displays them over time. Lower values are better. Hover over the chart to see a breakdown of findings by product for the selected time period. |
| Backlog activity | Displays the number of new, net new, fixed, and ignored, including provisionally ignored, findings. A greater Fixed value is better. Hover over the chart to see a breakdown of findings by triage state for that selected time period. |
Secure guardrails
This provides an overview of how secure guardrails in PR or MR comments are used in your organization, including how often Semgrep shows findings to developers, how the developers handle those findings, and how often Semgrep flags a finding as provisionally ignored. Other guardrail interfaces, such as the IDE or pre-commit, are not counted in this section.
Key metrics
| Key metrics | Description |
|---|---|
| Findings shown to devs | Number of findings shown to developers in PR or MR comments (the numerator) against the total findings count (denominator). An upward or stable trend is better. |
| Findings fixed in development | Number of findings that were fixed before they could be detected in a default branch or production backlog (numerator) against the total findings count in the specified time period (denominator). An upward or stable trend is better. Hover over the chart to see a breakdown of findings by triage state for that selected time period. |
Charts
| Chart | Description |
|---|---|
| Secure guardrails adoption | Percent of new findings shown to developers over the specified time period. An upward or stable trend is better. |
| Guardrails activity | This chart displays a breakdown of the status of findings shown to developers; whether they were ignored, provisionally ignored, fixed, or remained open. A greater Fixed value is better. Hover over the chart to see a breakdown of findings by triage state for that selected time period. |
Most findings by project
A table listing projects from most open findings to least, grouped by product or severity. Lower values are better.

Median open age

A chart displaying the median open age of a finding in days over the specified time period. Lower is better. For a finding to count as remediated, it must have one of the following statuses:

- Fixed
- Ignored, including provisionally ignored
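The three rules the page defines in words, the Recommended priority filter (Critical or High severity plus the per-product signal), the Production backlog key metrics, and Median open age, are reproduced below over a small set of findings so you can check your own reading of a report against an exported finding list. This is an added example, not Semgrep's code: the `Finding` fields, the function names and the sample records are constructed for the example and do not follow the Semgrep API schema, and a finding is modelled with a single opened date, so re-opens are not represented.

```python
"""Reproduce the dashboard's Recommended priority rule, Production backlog
key metrics and Median open age over a constructed list of findings.
Added example; field names are assumptions, not Semgrep's API schema."""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    product: str                      # "sast" (Code), "sca" (Supply Chain) or "secrets"
    severity: str                     # "critical", "high", "medium" or "low"
    state: str                        # current triage state: "open", "fixed" or "ignored"
    opened: date                      # day the finding was set to Open
    closed: Optional[date] = None     # day it left Open (fixed or ignored), if ever
    confidence: Optional[str] = None  # Semgrep Code only
    reachable: Optional[bool] = None  # Semgrep Supply Chain only
    valid: Optional[bool] = None      # Semgrep Secrets only


def is_recommended_priority(f: Finding) -> bool:
    """Critical/High severity AND the per-product signal described on the page."""
    if f.severity not in ("critical", "high"):
        return False
    if f.product == "sast":
        return f.confidence == "high"
    if f.product == "sca":
        return f.reachable is True
    if f.product == "secrets":
        return f.valid is True
    return False  # unknown product: never promoted


def _open_on(f: Finding, day: date) -> bool:
    """True if the finding was still Open at the end of `day`."""
    return f.opened <= day and (f.closed is None or f.closed > day)


def production_backlog_metrics(findings: List[Finding], start: date, end: date) -> dict:
    """Key metrics for the inclusive period [start, end].
    'Remained fixed/ignored until the end' is read from the current state,
    and 'beginning of the period' is the end of the day before `start`."""
    day_before = start - timedelta(days=1)
    opened = sum(1 for f in findings if start <= f.opened <= end)
    fixed = sum(1 for f in findings
                if f.state == "fixed" and f.closed is not None and start <= f.closed <= end)
    ignored = sum(1 for f in findings
                  if f.state == "ignored" and f.closed is not None and start <= f.closed <= end)
    open_at_start = sum(1 for f in findings if _open_on(f, day_before))
    open_at_end = sum(1 for f in findings if _open_on(f, end))
    return {"total_opened": opened, "total_fixed": fixed,
            "total_ignored": ignored, "total_net_new": open_at_end - open_at_start}


def median_open_age_days(findings: List[Finding], as_of: date) -> Optional[float]:
    """Median age in days of findings still Open on `as_of`; None if none are open."""
    ages = [(as_of - f.opened).days for f in findings if _open_on(f, as_of)]
    return median(ages) if ages else None


# Constructed sample data for a January 2024 reporting period.
PERIOD_START, PERIOD_END = date(2024, 1, 1), date(2024, 1, 31)
SAMPLE = [
    Finding("sast", "high", "open", date(2024, 1, 5), confidence="high"),                 # priority, open
    Finding("sast", "high", "open", date(2024, 1, 20), confidence="medium"),              # not priority
    Finding("sca", "critical", "fixed", date(2024, 1, 10), date(2024, 1, 25), reachable=True),  # fixed in period
    Finding("sca", "high", "open", date(2023, 12, 1), reachable=False),                   # open since before period
    Finding("secrets", "critical", "ignored", date(2024, 1, 12), date(2024, 1, 15), valid=True),  # ignored in period
    Finding("secrets", "medium", "open", date(2024, 1, 30), valid=True),                  # medium: not priority
]


def open_priority_findings(findings: List[Finding], as_of: date) -> List[Finding]:
    """What the Recommended priority toggle leaves in the open backlog."""
    return [f for f in findings if _open_on(f, as_of) and is_recommended_priority(f)]


if __name__ == "__main__":
    print(production_backlog_metrics(SAMPLE, PERIOD_START, PERIOD_END))
    print("median open age (days):", median_open_age_days(SAMPLE, PERIOD_END))
    print("open recommended-priority findings:", len(open_priority_findings(SAMPLE, PERIOD_END)))
```

Running the block over the sample reports five findings opened, one fixed, one ignored and a net new of three (four open at the end of January against one open before it started), a median open age of 18.5 days, and a single open finding that survives the Recommended priority toggle. The same arithmetic applied to a real export lets you confirm that a "backlog is shrinking" statement to stakeholders really does mean Total fixed plus Total ignored outpaced Total opened.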