Enable source code manager code access

Some Semgrep features require additional levels of code access. You can grant these permissions to Semgrep by assigning additional scopes to the access token that facilitates communication between Semgrep and the source code manager (SCM). The following table shows the minimum scope needed to enable the required code access level.

Required SCM code access scopes

SCM	Read access scope	Write access scope
Azure DevOps	`code:read`	`code:write`
Bitbucket Cloud	`repository:read` `pullrequest:read`	`repository:write` `pullrequest:write`
Bitbucket Data Center	`repository:read`	`repository:write`
GitHub.com and Github Enterprise	`contents:read`	`contents:write`
GitLab and Gitlab Self-Managed	`read_repository`	`write_repository`

Grant code access to Semgrep with a private GitHub app

If you already have a private Semgrep GitHub app set up and configured for your deployment that doesn’t have code access enabled, follow these steps to update the app and grant code access to Semgrep.

APP SLUGTo find the name of your app slug:

Go to Settings > Source code managers.
Find the panel for your source code manager. The app slug is listed immediately following the name of the source code manager.

Navigate to the GitHub Application permissions and events page. GitHub Enterprise users must replace the https://github.com base URL with the base URL of the GitHub Enterprise instance.
i. For organization accounts, go to https://github.com/organizations/ORGANIZATION_NAME/settings/apps/APP_SLUG/permissions.
ii. For user accounts, go to https://github.com/settings/apps/APP_SLUG/permissions

Expand Repository Permissions.

Under Contents, change the access level to Read and write. If you don’t want to grant write permissions, change the access level to Read.

Click Save Changes.

At this point, GitHub sends you or your GitHub admin an email to approve the permissions changes. Once approved, Semgrep has code access to your GitHub instance.

Grant code access to Semgrep with an access token

If you onboarded your repositories using an access token, then you can follow these steps to grant code access to Semgrep.

Azure DevOps Cloud
Bitbucket Cloud
Bitbucket Data Center
GitHub
GitLab

Navigate to the Azure DevDps access token settings page: https://dev.azure.com/ORGANIZATION_NAME/_usersSettings/tokens.

Click New token to launch the Create a new personal access token dialog. Ensure that you assign the Code: Read and Code: Write scopes to the token, in addition to any other scopes you may need for other features you’ve enabled for your Semgrep deployment. Create the token, and copy its value.

Return to Semgrep AppSec Platform, and go to Settings > Source code managers.

Find the connection associated with your organization, and click Update access token.

Paste in your new access token.

Click Save.

Navigate to the Bitbucket Cloud access token settings page: https://bitbucket.org/WORKSPACE/workspace/settings/access-keys.

Create a new access token and ensure that you assign the repository:read, pullrequest:read, repository:write, and pullrequest:write scopes to the token, in addition to any other scopes you may need for other features you’ve enabled for your Semgrep deployment. Create the token, and copy the token’s value.

Return to Semgrep AppSec Platform, and go to Settings > Source code managers.

Find the Bitbucket connection associated with your workspace, and click Update access token.

Paste in your new access token.

Click Save.

Navigate to the Bitbucket Data Center access token settings page: BITBUCKET_BASE_URL/plugins/servlet/access-tokens/projects/PROJECT.

Create a new HTTP access token, ensuring that you assign the repository:read and repository:write scopes to the token, along with any other scopes or permissions you may need for other features you’ve enabled for your Semgrep deployment. Copy the token’s value.

Return to Semgrep AppSec Platform, and go to Settings > Source code managers.

Find the Bitbucket connection associated with your workspace, and click Update access token.

Paste in your new access token.

Click Save.

Navigate to the GitHub personal access token settings page: https://github.com/settings/personal-access-tokens. GitHub Enterprise users must replace the https://github.com base URL with the base URL of the GitHub Enterprise instance.

Click Generate new token.

Under Repository access, select either All repositories or Only select repositories. If you choose Only select repositories, select the repositories that this token is used with.

Under Contents, set the access level to Read and write.

Click Generate token and copy its value.

Return to Semgrep AppSec Platform, and go to Settings > Source code managers.

Find the GitHub connection associated with your org, and click Update access token.

Paste in your new access token.

Click Save.

Navigate to the GitLab access token settings page: https://gitlab.com/groups/GROUP/-/settings/access_tokens.

Create a new access token, ensuring that you add the read_repository and write_repository scopes, along with any other scopes or permissions you may need for other features you’ve enabled for your Semgrep deployment. Copy the token’s value. Copy the token’s value.

Return to Semgrep AppSec Platform, and go to Settings > Source code managers.

Find the GitLab connection associated with your group, and click Update access token.

Paste in your new access token.

Click Save.

Documentation Index

​Required SCM code access scopes

​Grant code access to Semgrep with a private GitHub app

​Grant code access to Semgrep with an access token

Required SCM code access scopes

Grant code access to Semgrep with a private GitHub app

Grant code access to Semgrep with an access token