Customize Semgrep Multimodal

Remediation

Multimodal Suggested fix allows you to receive AI-generated code snippets for true positives. Perform the following to enable it:

Click the Suggested fix toggle to enable this feature.

Optional: Select a confidence level in the drop-down box. This value determines the quality of Suggested fix. For example, if you select lower confidence, Semgrep Multimodal suggests a fix even when the code quality is poor.

TIPSemgrep recommends setting a low confidence level since even incorrect suggestions may be useful starting points for triage and remediation.

Weekly priority emails

Weekly priority emails allows organization admins to receive information on top backlog tasks according to Multimodal. If this feature isn’t enabled for your deployment, you can do so as follows:

Click the Weekly priority emails if it is not yet enabled.

Noise filtering

Multimodal is over 95% accurate in categorizing Semgrep Code findings as false positives, so you can minimize the number of findings shown by enabling Noise filter for Code PR/MR comments. To do so:

Click the Noise filter for Code PR/MR comments if it is not yet enabled.

Select whether you want to enable PR or MR comments:

Don’t leave a PR/MR comment: Hide Semgrep’s comments on findings that are likely to be false positives. These findings are available for security review on the Code > Pre-production backlog page. Comments still appear for rules in Block mode.
Include a notification in the PR/MR comment: Show developers likely false positive findings in PR/MR comments, but include a note explaining why Multimodal thinks the finding may be safe to ignore.

Findings filtered out by Multimodal can be reviewed at any time in Semgrep by going to the Code > Pre-production backlog page. Semgrep also allows you to agree with the filtering to close the finding or disagree to reopen.

Add Memories

Memories allow admins to tailor Multimodal’s remediation guidance to their organization’s standards and defaults. You can provide feedback by adding custom instructions whenever Multimodal gives a suggested fix. Memories are enabled by default for all organizations with Multimodal enabled.

Add a memory

Navigate to Rules & Policies > Memories.

Click New Memory.

In Memory, enter your preferred remediation approach and secure default.

Select the Projects and the Rules to which the memory should be applied.

Choose All projects or any specific project.
Choose All rules, or search for and select a specific rule or a general vulnerability class. Selecting a vulnerability class means the memory applies to all rules with that vulnerability class.

Click Add memory to save your changes and proceed.

See Best practices for writing Memories for information on writing effective memories.

Add a memory based on Multimodal’s suggested fix

To add a memory based on a suggested fix presented by Multimodal:

Identify the specific instance of Multimodal’s suggested fix that you want to modify. These can be found on the finding details page or in the PR or MR comment.

If Multimodal used existing memories to generate the guidance, you can click on Referenced X memories while writing this guidance to see the memories used.

Click Customize fix to open an input box, and enter your preferred remediation approaches and secure defaults for the project. Your suggestion can be as general as “Use X library to sanitize SQL queries.”

Click Save and regenerate.

Multimodal regenerates the suggested fix to reflect the instructions you provided.

Memories are scoped to remediation guidance on a per-project, per-vulnerability class, or per-rule basis. A saved memory only affects future guidance for findings triggered by the same rule in the same project.

Add memory during triage and receive memory suggestions from Multimodal

When you identify findings that are safe to ignore and provide reasoning for your actions, Semgrep Multimodal can use this triage feedback to suggest memories. It can start suggesting memories from the very first triage feedback it receives, or it may suggest memories from multiple pieces of feedback, depending on the level of detail in the feedback and the finding’s unique context. If Multimodal creates a new memory, it will use the memory to assess if similar findings are safe to ignore and hide from developers. To triage and create a memory (Semgrep automatically attempts to create a memory during triage if possible):

Identify the specific finding you want to modify, and open up its finding details page.

Click Ignore, select an Ignore reason, and provide Comments on why you’re triaging the finding as Ignore.

Click Ignore. Multimodal attempts to create a memory using the information you provide. If Multimodal successfully creates a memory for you, you’ll see a link to the list of memories for your organization in the dialog that appears.

Permissions:

Automatic generation of memories: if you are an admin user, Multimodal tries to generate active memories from your triage feedback.
If you are a non-admin user, such as a manager, Multimodal creates a suggested memory that needs an admin to activate it.

View and edit memories

Navigate to Rules & Policies > Memories.

There are two tabs on the Memories page for your review:

The Active tab displays a list of memories that Multimodal is actively using to generate triage advice
The Suggested tab displays a list of memories Multimodal has generated based on past triage actions and developer feedback. For each suggestion, you can:
- Activate the suggested memory to inform Multimodal’s advice on current and future findings
- Edit the memory, then activate it
- Delete the suggested memory

Only users assigned the admin role in Semgrep can activate suggested memories.

Remove memories

Navigate to Rules * Policies > Memories.

Identify the memory you would like to delete, then click the icon to remove the memory.

Select your AI provider

By default, Semgrep Multimodal uses OpenAI and AWS Bedrock with Semgrep’s API keys. Semgrep evaluates available models from multiple providers and selects the most performant option for each Multimodal feature, based on the providers enabled for your organization. For optimal results, keep both OpenAI and AWS Bedrock enabled. Enabling additional model providers can further improve performance. You can opt to:

Use OpenAI with your own API key
Use your own AWS Bedrock account
Use Azure OpenAI
Use Google Gemini.
Use xAI.

OpenAI API with your own key

If you want complete control over how OpenAI handles your data, you can use your OpenAI API key instead of Semgrep’s. To provide your OpenAI API key:

Click the icon next to AI provider.

Select Your OpenAI API key, and provide your API key.

Click Save to proceed. By switching from Semgrep’s key to your key, note that you lose access to the following:

Semgrep’s fine-tuned models that can increase the quality of results.
Semgrep’s Zero Data Retention agreement that prevents OpenAI from saving input or output data.
Semgrep paying for the cost of your AI usage.

Your own AWS Bedrock account

If you want to keep all data within your AWS account, you can use your own AWS Bedrock instance:

Click the icon next to AI provider.

Select AWS Bedrock then Your AWS account

Provide your AWS IAM role details.

Note that the IAM role that is being used must have access to the AmazonBedrockLimitedAccess AWS IAM Permissions preset. Semgrep constantly evaluates new models for Multimodal features and frequently swaps out requested models, so it is recommended to always have the most recent models in Bedrock enabled. Currently, Multimodal is using the model ARN us.anthropic.claude-sonnet-4-20250514-v1:0

Azure OpenAI

To use Azure OpenAI with Semgrep Multimodal, you must retrieve the endpoint URL and API key for your model from Azure, then provide it to Semgrep.

To retrieve the endpoint URL and API key from Azure:
1. Log in to Azure OpenAI Studio.
2. Navigate to Deployments, and select the deployment you want to use.
3. In Endpoint, find and copy both the Target URI and the API key. You will provide both values to Semgrep.
To configure Semgrep to use Azure OpenAI:
1. Sign in to Semgrep AppSec Platform and navigate to Settings > Global.
2. Click the icon next to AI provider.
3. Select Azure OpenAI.
4. Paste the Target URI you copied from Azure into Your Azure OpenAI Endpoint.
5. Paste the API key you copied from Azure into Your Azure OpenAI API key.
6. Click Save to proceed.

NOTEAs of May 2025, the best model for noise filtering is o3-mini, which performs better than o4-mini. The best model for other Semgrep Multimodal features is gpt-4.1. You cannot have multiple Azure OpenAI models active at a given time, but you can switch to a different one by repeating these configuration steps using the Target URI and API key for the new model.

Google Gemini

To use Google Gemini with Semgrep Multimodal:

Click the icon next to AI provider.

Select Google Gemini.

Paste in your API key.

Click Save to proceed.

Semgrep Multimodal only supports Google Gemini with Google AI Studio, not Vertex AI.

xAI

To use xAI with Semgrep Multimodal, you must retrieve the endpoint URL and API key from xAI, then provide it to Semgrep.

Click the icon next to AI provider.

Select xAI.

Paste in your API key and API endpoint.

Click Save to proceed.

Documentation Index

​Remediation

​Weekly priority emails

​Noise filtering

​Add Memories

​Add a memory

​Add a memory based on Multimodal’s suggested fix

​Add memory during triage and receive memory suggestions from Multimodal

​View and edit memories

​Remove memories

​Select your AI provider

​OpenAI API with your own key

​Your own AWS Bedrock account

​Azure OpenAI

​Google Gemini

​xAI

Remediation

Weekly priority emails

Noise filtering

Add Memories

Add a memory

Add a memory based on Multimodal’s suggested fix

Add memory during triage and receive memory suggestions from Multimodal

View and edit memories

Remove memories

Select your AI provider

OpenAI API with your own key

Your own AWS Bedrock account

Azure OpenAI

Google Gemini

xAI