Upgrade to Unified Policies: Semgrep’s latest version of Policies unifies policies across finding types, allows you to assign different policies to different projects, and adds conditional logic. See Unified Policies for more information.
Language coverage and scan speeds
Semgrep Code identifies the languages used in your repositories and only runs rules applicable to those languages. For example, adding Ruby and Python rules in your Policies doesn’t affect the scan speed for Python-only repositories. Only Python rules are run for Python repositories.Policies page structure
The Policies page consists of a header and three main panes: Policies headerThe top header consists of:
- Policies view drop-down, which lets you choose between:
- Grouping rules by vulnerability class
- No grouping
- Rule Modes button where you can view rule modes and edit notifications for each rule mode. Rule modes define what workflow actions Semgrep Code performs when a rule detects a finding. For example, setting a rule’s mode to Comment means that Semgrep posts PR or MR comments from findings generated by that rule. See Block a PR or MR through rule modes for more information.
- Add rules button that takes you to the Semgrep Registry where you can add rules to the Policies page and assign their initial modes.
Displays filters to quickly select and perform operations on rules in bulk. See Policies filter reference for more information. Rule pane
The rule pane displays the rules that Semgrep scans use to detect findings and allows you to edit their assigned rule modes. You can make these edits either one by one or through bulk editing of many rules. You can also use the Search for rule names or ids box. See Policies filter reference for more information.
Policies page filters
This section defines the Policies page filters:Rule entries reference
This section defines the columns of the rule entries in the Policies page:Add rules
To add rules, follow these steps:1
On the Policies page, click Add Rules.
2
You are redirected to the Semgrep Registry page. Explore the page, open cards of individual rules, and then click Add to .
3
Specify the workflow action of the rule that you are adding. Select either:
- Monitor
- Comment
- Block
Add custom rules to your Policies
To add custom rules, use the Semgrep Editor. See Setting code standards with the Policies page.Add rulesets to your Policies from the Registry
Instead of adding individual rules to your Policies, you can add rulesets, which are groups of rules related through a programming language, OWASP category, or framework. The Semgrep team curates the rulesets.1
On the Policies page, click Add Rules.
2
You are redirected to the Semgrep Registry page. Explore the page to find the ruleset you’re interested in adding.
3
Click the ruleset to open its Explore page. This page lets you view the included rules and provides instructions for testing and running the ruleset locally before adding it to your policies.
4
Click Add to .
5
pecify the workflow action for the rules that you are adding by selecting one of these options:
- Monitor
- Comment
- Block
Filtering behavior
- Filter types such as Language and Technology use
ANDlogic. This means that search terms must match all filters. For example, selecting Java (a Language) and security (a Category) shows only rules with both properties (Java and security). - Adding filters of the same type use
ORlogic. This means that search terms can match any of the filters for that type. For example, selecting Java and Python (both Languages) shows rules with either language. - A gem icon (💎) denotes Semgrep Pro rules.
Disable rules
See Triage and remediate findings for information on how to disable a rule or a ruleset.Rule modes
Semgrep enables you to choose a workflow action based on the presence of a finding. Workflow actions include:- Failing a CI job. Semgrep returns exit code
1, and you can use this result to set up additional checks to enforce a block in your CI/CD pipeline. This action applies to both full scans and . - Leaving a PR or MR comment.
- Notifying select channels, such as private Slack channels or webhooks.
Semgrep Code provides first-time users with the Default ruleset. These rules are initially placed in the Monitor column. As you develop confidence in these rules, you are able to change their modes to Comment or Block, ensuring that developers remain free of friction from false positives.
Block a PR or MR through rule modes
The following instructions walk you through changing the rule mode for rules that generate high severity findings to block. Whenever Semgrep identifies such findings, it returns exit code1.
You can use this result to set up additional checks to enforce a block in your CI/CD pipeline, such as not allowing the merge of the PR/MR. The process to implement a block on a PR or MR after Semgrep exits with error code 1 is dependent on your CI provider. Review your CI provider’s documentation for further information.
1
Sign in to Semgrep AppSec Platform.
2
Navigate to Rules > Policies > Code.
3
Filter for the applicable rules. For example, select High under Severities to find all of the rules that generate high severity findings if they match any part of your code.
4
Select either the box next to Number matching rules or select individual checkboxes next to one or more rules. These are the rules whose mode you will change in the next step.
5
Click Change modes Number and select Block.
Multiple policies
The multiple policies beta program is no longer accepting new participants. To find out more about the functionality this feature provides, see Unified policies.Contact Support if you’re unable to migrate to unified policies.
Policy limit
Current users of the Multiple Policies beta can create up to 10 policies. Some users from earlier phases of the beta may have a higher limit.Resolve workflow actions in multiple policies
If a rule is in multiple policies, then the rule is deduplicated and Semgrep prioritizes the workflow action based on the rule mode, where precedence is as follows:- Block
- Comment
- Monitor
Rule A is set to Block, the scan fails for PRs with any findings from that rule, even if the same Rule A is set to Monitor in another policy applied to that repository.
To ensure that the workflow action is resolved as expected, add the specific rule to the desired policy mode. This will override any behavior that it inherits from the rulesets it belongs to.