> ## Documentation Index
> Fetch the complete documentation index at: https://docs.semgrep.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Manage rules and policies

<Note>
  <b>Upgrade to Unified Policies:</b> Semgrep's latest version of **Policies** unifies policies across finding types, allows you to assign different policies to different projects, and adds conditional logic. See [Unified Policies](/semgrep-appsec-platform/unified-policies/overview) for more information.
</Note>

The Policies page displays the [<Icon icon="file-lines" iconType="regular" /> rules](/running-rules) that Semgrep Code uses when scanning all of your repositories.

Modifications to the rules on the Policies page allow you to increase the breadth and depth of your scan coverage or remove noise from scans. You can also determine whether findings detected by a given rule can help block merges for pull requests (PRs) or merge requests (MRs).

## Language coverage and scan speeds

Semgrep Code identifies the languages used in your repositories and only runs rules applicable to those languages. For example, adding Ruby and Python rules in your Policies doesn't affect the scan speed for Python-only repositories. Only Python rules are run for Python repositories.

## Policies page structure

The Policies page consists of a header and three main panes:

**Policies header**<br />
The top header consists of:

* **Policies view drop-down**, which lets you choose between:
  * Grouping rules by vulnerability class
  * No grouping
* <Icon icon="gear" iconType="solid" /> <b>Rule Modes</b> button where you can view **rule modes** and edit **notifications** for each rule mode. Rule modes define what **workflow actions** Semgrep Code performs when a rule detects a finding. For example, setting a rule's mode to **Comment** means that Semgrep posts PR or MR comments from findings generated by that rule. See [Block a PR or MR through rule modes](#block-a-pr-or-mr-through-rule-modes) for more information.
* **Add rules** button that takes you to the [<Icon icon="external-link" iconType="solid" />Semgrep Registry](https://semgrep.dev/explore) where you can add rules to the Policies page and assign their initial modes.

**Filter pane**<br />
Displays filters to quickly select and perform operations on rules in bulk. See [Policies filter reference](#policies-filter-reference) for more information.

**Rule pane**<br />
The rule pane displays the rules that Semgrep scans use to detect findings and allows you to edit their assigned rule modes. You can make these edits either one by one or through bulk editing of many rules. You can also use the **Search for rule names or ids** box. See [Policies filter reference](#policies-filter-reference) for more information.

### Policies page filters

This section defines the Policies page filters:

| Filter                                                                                                                                                                                                                                                                                             | Description                                                                                                                                                                                               | Examples or possible values                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Modes                                                                                                                                                                                                                                                                                              | Filter by the workflow action Semgrep performs when a rule detects a finding. An additional filter, **Disabled**, is provided for rules that you have turned off and are no longer included for scanning. | See [Rule modes](#block-a-pr-or-mr-through-rule-modes) documentation.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| Category                                                                                                                                                                                                                                                                                           | Filter by the type of security issue or vulnerability that the rule detects.                                                                                                                              | <ul><li>Dangerous method or function</li><li>SQL injection</li><li>Active debug code</li></ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| Severities                                                                                                                                                                                                                                                                                         | The higher the severity, the more critical the issues that a rule detects.                                                                                                                                | <ul><li>Critical</li><li>High</li><li>Medium</li><li>Low</li></ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| Confidence                                                                                                                                                                                                                                                                                         | Filter by the confidence of the rule to detect true positives.                                                                                                                                            | <ul><li>High</li><li>Medium</li><li>Low</li></ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| <Tooltip tip="In taint analysis, code that introduces tainted data, typically user input." cta="See full definition." href="/writing-rules/glossary#source">Source</Tooltip>                                                                                                                       | Filter by the origin of a rule.                                                                                                                                                                           | <ul><li>**Pro:** Authored by Semgrep with cross-file (interfile) and cross-function (interprocedural) analysis capabilities, providing you with enhanced scan accuracy. For more information, see <a href="/semgrep-code/pro-rules/"><Icon icon="file-lines" iconType="regular" /> Pro rules.</a></li><li>**Community:** Authored by Semgrep, Inc or external contributors such as Trail of Bits.</li><li>**Custom:** Rules created within your Semgrep organization. For more information, see <a href="/writing-rules/private-rules/"><Icon icon="file-lines" iconType="regular" /> Private rules</a>.</li></ul>. |
| Available rule upgrades                                                                                                                                                                                                                                                                            | Filter for rules where there exist improved versions to those using paid Semgrep products.                                                                                                                |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| <Tooltip tip="Rulesets are rules related through a programming language, OWASP category, or framework. Rulesets are curated by the team at Semgrep and updated as new rules are added to the Semgrep Registry." cta="See full definition." href="/semgrep-code/glossary#ruleset">Ruleset</Tooltip> | Filter by the name of an existing ruleset.                                                                                                                                                                | <ul><li><a href="https://semgrep.dev/p/xss" target="_blank"><Icon icon="external-link" iconType="solid" /> XSS ruleset</a></li><li><a href="https://semgrep.dev/p/react" target="_blank"><Icon icon="external-link" iconType="solid" /> React ruleset</a></li></ul>                                                                                                                                                                                                                                                                                                                                                 |
| Language                                                                                                                                                                                                                                                                                           | Filter by programming language                                                                                                                                                                            | <ul><li>Python</li><li>JavaScript</li><li>Ruby</li></ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| Minimum count of findings                                                                                                                                                                                                                                                                          | Filter by the number of findings.                                                                                                                                                                         | <ul><li>10</li><li>100</li><li>500</li></ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |

<Tip>
  **TIP**

  Use **Minimum count of findings** to identify rules generating a lot of findings. This may be an indication of false positives or noise.
</Tip>

### Rule entries reference

This section defines the columns of the rule entries in the Policies page:

| Filter                                                                                                                                                                                                                                                                                             | Description                                                                                                                                                                                                | Examples or possible values                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Rule name                                                                                                                                                                                                                                                                                          | Name of the rule that Semgrep Code uses for scanning.                                                                                                                                                      | <a href="https://semgrep.dev/playground/s/KPzL" target="_blank"><Icon icon="external-link" iconType="solid" /> `docs-print-to-logger`</a>                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| Labels                                                                                                                                                                                                                                                                                             | Metadata describing the rule. This includes the rule's language, category (good security practices, coding standards), and more.                                                                           | <ul><li>Security</li><li>Code injection</li><li>PHP</li></ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| Open findings                                                                                                                                                                                                                                                                                      | The number of open findings that the rule has detected across all scans.                                                                                                                                   | n/a                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| Fix rate                                                                                                                                                                                                                                                                                           | The percentage of findings that are fixed through changes to the code.                                                                                                                                     | n/a                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| Severity                                                                                                                                                                                                                                                                                           | The higher the severity, the more critical the issues that a rule detects.                                                                                                                                 | <ul><li>High</li><li>Medium</li><li>Low</li></ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| Confidence                                                                                                                                                                                                                                                                                         | Indicates confidence of the rule to detect true positives.                                                                                                                                                 | <ul><li>High</li><li>Medium</li><li>Low</li></ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| <Tooltip tip="In taint analysis, code that introduces tainted data, typically user input." cta="See full definition." href="/writing-rules/glossary#source">Source</Tooltip>                                                                                                                       | Indicates the origin of a rule.                                                                                                                                                                            | <ul><li>**Pro:** Authored by Semgrep with cross-file (interfile) and cross-function (interprocedural) analysis capabilities, providing you with enhanced scan accuracy. For more information, see <a href="/semgrep-code/pro-rules/"><Icon icon="file-lines" iconType="regular" /> Pro rules.</a></li><li>**Community:** Authored by Semgrep, Inc or external contributors such as Trail of Bits.</li><li>**Custom:** Rules created within your Semgrep organization. For more information, see <a href="/writing-rules/private-rules/"><Icon icon="file-lines" iconType="regular" /> Private rules</a>.</li></ul>. |
| <Tooltip tip="Rulesets are rules related through a programming language, OWASP category, or framework. Rulesets are curated by the team at Semgrep and updated as new rules are added to the Semgrep Registry." cta="See full definition." href="/semgrep-code/glossary#ruleset">Ruleset</Tooltip> | Rules are also organized in rulesets. Rulesets are groups of rules related through a programming language, OWASP category, or framework.                                                                   | <ul><li><a href="https://semgrep.dev/p/xss" target="_blank"><Icon icon="external-link" iconType="solid" /> XSS ruleset</a></li><li><a href="https://semgrep.dev/p/react" target="_blank"><Icon icon="external-link" iconType="solid" /> React ruleset</a></li></ul>                                                                                                                                                                                                                                                                                                                                                 |
| Mode                                                                                                                                                                                                                                                                                               | Specifies what workflow action Semgrep performs when a rule detects a finding. An additional filter, **Disabled**, is provided for rules that you have turned off and are no longer included for scanning. | See [Rule modes](#rule-modes) documentation.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |

## Add rules

To add rules, follow these steps:

<Steps>
  <Step>
    On the [<Icon icon="external-link" iconType="solid" /> Policies](https://semgrep.dev/orgs/-/policies) page, click **Add Rules**.
  </Step>

  <Step>
    You are redirected to the [<Icon icon="external-link" iconType="solid" /> Semgrep Registry](https://semgrep.dev/explore) page. Explore the page, open cards of individual rules, and then click **Add to <Tooltip tip="A policy defines the set of rules that Semgrep runs and the workflow actions it undertakes when a rule from the policy generates a finding. The workflow action can include notifying Slack channels or posting a comment in the pull request or merge request that generated the finding. Not to be confused with policy-as-code." cta="See full definition." href="/semgrep-code/glossary#policy">Policy</Tooltip>**.
  </Step>

  <Step>
    Specify the workflow action of the rule that you are adding. Select either:

    * Monitor
    * Comment
    * Block
  </Step>
</Steps>

### Add custom rules to your Policies

To add custom rules, use the Semgrep Editor. See [<Icon icon="file-lines" iconType="regular" /> Setting code standards with the Policies page](/semgrep-code/editor#add-a-rule-to-the-policies-page).

### Add rulesets to your Policies from the Registry

Instead of adding individual rules to your Policies, you can add rulesets, which are groups of rules related through a programming language, OWASP category, or framework. The Semgrep team curates the rulesets.

<Steps>
  <Step>
    On the [<Icon icon="external-link" iconType="solid" /> Policies](https://semgrep.dev/orgs/-/policies) page, click **Add Rules**.
  </Step>

  <Step>
    You are redirected to the [<Icon icon="external-link" iconType="solid" /> Semgrep Registry](https://semgrep.dev/explore) page. Explore the page to find the ruleset you're interested in adding.
  </Step>

  <Step>
    Click the ruleset to open its **Explore** page. This page lets you view the included rules and provides instructions for testing and running the ruleset locally before adding it to your policies.
  </Step>

  <Step>
    Click **Add to <Tooltip tip="A policy defines the set of rules that Semgrep runs and the workflow actions it undertakes when a rule from the policy generates a finding. The workflow action can include notifying Slack channels or posting a comment in the pull request or merge request that generated the finding. Not to be confused with policy-as-code." cta="See full definition." href="/semgrep-code/glossary#policy">Policy</Tooltip>**.
  </Step>

  <Step>
    pecify the workflow action for the rules that you are adding by selecting one of these options:

    * Monitor
    * Comment
    * Block
  </Step>
</Steps>

If Semgrep adds rules to the ruleset in the future, they will automatically be added to your Policies in the same mode that you select. You can change the default mode for the current and future rules by re-adding the ruleset through the Registry and choosing a different mode. You *cannot* change the mode of all existing rules associated with the ruleset using the Policies page, since this only makes every rule that you changed an exception to the default.

#### Filtering behavior

* Filter types such as **Language** and **Technology** use `AND` logic. This means that search terms must match all filters. For example, selecting Java (a **Language**) and security (a **Category**) shows only rules with both properties (Java and security).
* Adding filters of the same type use `OR` logic. This means that search terms can match any of the filters for that type. For example, selecting Java and Python (both **Languages**) shows rules with either language.
* A gem icon (💎) denotes Semgrep Pro rules.

## Disable rules

See [Triage and remediate findings](/semgrep-code/triage-remediation#turn-off-a-ruleset-or-a-rule) for information on how to disable a rule or a ruleset.

## Rule modes

Semgrep enables you to choose a **workflow action** based on the presence of a finding. Workflow actions include:

* Failing a CI job. Semgrep returns exit code `1`, and you can use this result to set up additional checks to enforce a block in your CI/CD pipeline. This action applies to both full scans and <Tooltip tip="A diff-aware scan shows only findings caused by changes in files starting from a specific Git baseline. It is typically performed on feature branches when a pull request or merge request is opened. Unlike full scans, diff-aware scans only consider changes within modified files. Cross-file analysis is not supported for diff-aware scans." cta="See full definition." href="/semgrep-code/glossary#diff-aware-scan">diff-aware scans</Tooltip>.
* Leaving a PR or MR comment.
* Notifying select channels, such as private Slack channels or webhooks.

Semgrep Code provides three rule modes:

| Rule mode | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| :-------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Monitor   | Rules in **Monitor mode** display findings only in: <ul><li>Semgrep AppSec Platform</li><li>**For Semgrep Code and Supply Chain**: User-defined notifications</li></ul>Set rules to this mode to evaluate their true positive rate and other criteria you may have. By keeping rules in Monitor, developers do not receive potentially noisy findings in their PRs or MRs.                                                                                                                                                                                |
| Comment   | Rules in **Comment mode** display findings in:<ul><li>Developers' PRs or MRs</li><li>Semgrep AppSec Platform</li><li>**For Semgrep Code and Supply Chain**: User-defined notifications</li></ul>Set rules that have met your performance criteria to this mode when you are ready to display findings to developers.                                                                                                                                                                                                                                      |
| Block     | Rules in **Block mode** cause the scan job to fail with an exit code of `1` if Semgrep Secrets detects a finding from these rules. You can use this result to enforce a block on the PR or MR. For example, GitHub users can enable branch protection and set the PR to fail if the Semgrep step fails. <br />These rules display findings in:<ul><li>Developers' PRs or MRs</li><li>Semgrep AppSec Platform</li><li>**For Semgrep Code and Supply Chain**: User-defined notifications</li></ul>These are typically high-confidence, high-severity rules. |

Semgrep Code provides first-time users with the [<Icon icon="external-link" iconType="solid" /> Default ruleset](https://semgrep.dev/p/default). These rules are initially placed in the Monitor column. As you develop confidence in these rules, you are able to change their modes to Comment or Block, ensuring that developers remain free of friction from false positives.

## Block a PR or MR through rule modes

The following instructions walk you through changing the rule mode for rules that generate high severity findings to **block**. Whenever Semgrep identifies such findings, it returns exit code `1`.

You can use this result to set up additional checks to enforce a block in your CI/CD pipeline, such as not allowing the merge of the PR/MR. The process to implement a block on a PR or MR after Semgrep exits with error code `1` is dependent on your CI provider. Review your CI provider's documentation for further information.

<Steps>
  <Step>
    Sign in to [<Icon icon="external-link" iconType="solid" /> Semgrep AppSec Platform](https://semgrep.dev/login).
  </Step>

  <Step>
    Navigate to **Rules > Policies > Code**.
  </Step>

  <Step>
    Filter for the applicable rules. For example, select **High** under **Severities** to find all of the rules that generate high severity findings if they match any part of your code.
  </Step>

  <Step>
    Select either the box next to **<span style={{color: '#E3116C'}}>*Number*</span> matching rules** or select individual checkboxes next to one or more rules. These are the rules whose mode you will change in the next step.
  </Step>

  <Step>
    Click **Change modes <span style={{color: '#E3116C'}}>*Number*</span>** and select **Block**.
  </Step>
</Steps>

## Multiple policies

<Info>
  The multiple policies beta program is no longer accepting new participants. To find out more about the functionality this feature provides, see [Unified policies](/semgrep-appsec-platform/unified-policies/overview).

  Contact [Support](/support) if you're unable to migrate to unified policies.
</Info>

The multiple policies feature enables users to customize the Semgrep Code rules that run on specific projects (repositories). Users create different policies that projects can be assigned to.

This feature makes use of a **Global <Tooltip tip="A policy defines the set of rules that Semgrep runs and the workflow actions it undertakes when a rule from the policy generates a finding. The workflow action can include notifying Slack channels or posting a comment in the pull request or merge request that generated the finding. Not to be confused with policy-as-code." cta="See full definition." href="/semgrep-code/glossary#policy">Policy</Tooltip>** that runs on **all** projects. Projects cannot be unassigned from it.

You can create a new policy and add one or more projects, then select rules to add to the policy. Projects are assigned manually to additional policies, and multiple projects can be added by searching repository names or tags.

During a scan, the repositories assigned to your custom policy run all of the rules from the **Global <Tooltip tip="A policy defines the set of rules that Semgrep runs and the workflow actions it undertakes when a rule from the policy generates a finding. The workflow action can include notifying Slack channels or posting a comment in the pull request or merge request that generated the finding. Not to be confused with policy-as-code." cta="See full definition." href="/semgrep-code/glossary#policy">Policy</Tooltip>** as well as all the rules from your custom policy.

### Policy limit

Current users of the Multiple Policies beta can create up to 10 policies. Some users from earlier phases of the beta may have a higher limit.

### Resolve workflow actions in multiple policies

If a rule is in multiple policies, then the rule is deduplicated and Semgrep prioritizes the workflow action based on the rule mode, where precedence is as follows:

1. Block
2. Comment
3. Monitor

For example, if an instance of `Rule A` is set to **Block**, the scan fails for PRs with any findings from that rule, even if the same `Rule A` is set to **Monitor** in another policy applied to that repository.

To ensure that the workflow action is resolved as expected, add the specific rule to the desired policy mode. This will override any behavior that it inherits from the rulesets it belongs to.
