View findings
To view your findings in Semgrep AppSec Platform:1
Log in to Semgrep AppSec Platform.
2
In the Navigation bar, click Code.
- Are categorized as Security findings. You can identify findings categorized under Security using the badge.
- Are flagged with a severity level of critical or high
- Are flagged with a confidence level of high
- Are flagged by Semgrep Multimodal as likely being a true positive or has not been analyzed by Multimodal yet
LOCAL SCANSFindings from local scans are differentiated from their remote counterparts through their slugs. Remote repositories are identified as ACCOUNT_NAME/REPOSITORY_NAME, while local repositories are identified as local_scan/REPOSITORY_NAME.
Custom Priority tab
Semgrep admins can create a custom priority definition to change the findings shown on the Priority tab. To do so:1
Log in to Semgrep AppSec Platform.
2
In the Navigation bar, click Code. Ensure that you’re viewing the Priority.
3
Using the provided filters, set your parameters for priority findings.
4
Click Save.
5
You’ll see a dialog window asking you to confirm that you want the changes saved for everyone. Click Save to proceed.
Filter findings
Regardless of whether you use the Priority findings view or the All findings view, there are multiple grouping and filtering options available to you.Time period
The time period filters allow you to see which vulnerabilities were opened, fixed, or triaged during a certain period of time. The time period filter is not additive; it is a filter operation that precedes other filters on the page. For example, if you select Last triaged and select the status Status Open filter, no findings appear because, by definition, there are no triaged findings that are also open. The following filters are available:- Triage state update action:
- Opened in
- Triaged in
- Fixed in
- Time period:
- Last day
- Last 7 days
- Last 30 days
- Last 3 months
- Last 6 months
- Last year
- All time
Project
The filter allows you to search for findings associated with the selected projects.Status
The Status filter allows you to search for findings in the selected statuses. See Triage status for additional information.Additional filters
Semgrep offers additional filters that you can use to narrow down your results. The following filters are available:Finding categories
Expand to learn about how Semgrep categorizes your findings.
Expand to learn about how Semgrep categorizes your findings.
A finding can be categorized in two ways:
-
categorization based on the issue or code it detects:
- Anti-patterns
- Security vulnerabilities, such as dangerous function usage
- Business or logic bugs
- Matches based on your own custom rules, such as organization-specific authentication logic
messagefield that describes the security issue or bug found in matching code. Additionally, findings can provide afixfield that fixes the issue by creating a suggestion within your source code management (SCM) tool, such as GitHub, GitLab, and Bitbucket. -
categorization based on the validity of the match:
- True positive: Rules are written to match a certain code pattern. A true positive is a genuine match. The rule is capturing the code as intended.
- False positive: A false positive is a mismatch between the intended purpose of the rule and the code it matched. A finding is generated but does not meet the rule’s intended need. Rules with a high false positivity rate are said to be noisy.
-
False negative: A false negative is a finding that should have been found by a rule, but was not. This can happen for two reasons:
- A flaw in the rule’s logic. See Reporting false negatives.
- A bug within Semgrep itself. See the list of Semgrep issues to file a bug report.
Group and sort findings
By default, Semgrep displays your findings using the Group by Rule view. This view shows your findings grouped by the rule Semgrep used to match the code. Your findings are shown sorted by severity, but you can opt to sort by number of findings for a given rule. For a given severity, Semgrep further sorts findings as follows:- Findings generated by custom rules
- Findings generated by Pro rules
- Issue count in descending order
- Findings ID in ascending order
Export findings
You can export findings to a CSV file. Semgrep can export up to 10,000 most recent findings. To export more than 10,000 findings, you must use the API. Semgrep exports all findings to the CSV file regardless of the filters you apply on the page. Export findings by navigating to the product page and clicking the icon near the Group & Sort filters.Click to view a description of fields included in the CSV.
Click to view a description of fields included in the CSV.
The following fields are exclusive to Code scans:
The following fields are exclusive to Supply Chain scans:
The following fields are exclusive to Secrets scans:
View details about a specific finding
To view in-depth information about a specific finding, select the finding whose details you want to view. Then:- If the default Group by Rule is enabled, click the Details icon on the card of the finding.
- If the No grouping view is enabled, click the header hyperlink on the card of the finding.
How Semgrep displays findings on multiple branches
A single finding may appear in several branches. These appearances are called instances of a finding. Several instances of the same finding may differ in which line of code (LOC) they are on or in their triage state. For example, onproduction the finding may be on line 20, but the same finding was moved further to line 26 in feature-branch-a.
Semgrep automatically recognizes that they are fundamentally the same finding and deduplicates these instances so that you do not get an inflated count of findings per ref that the finding is present in.
By default, the Code page displays findings from the primary branches of all repositories (projects), arranged by most recent scan. You are viewing the primary branch’s instance of that finding, so you may see variations in LOC or triage state when comparing the finding across branches.
When filtering by primary branch and triage status, the filters are applied based on the triage status of the finding on the primary branch. This means that on some feature branches, the instance may already be Fixed, but on the primary branch, the finding is still Open. The finding status on the primary branch is updated when the PR or MR is merged and Semgrep has scanned the code.
Next steps
- Learn more about viewing a finding’s details.
- Learn how to triage and remediate Semgrep Code findings.
- Learn how to get cross-file (interfile) findings for your organization
- See Semgrep Multimodal for Semgrep Code for information on receiving AI-powered security recommendations when reviewing your findings.