You have set rules to Comment or Block mode in your Policies page.
Azure DevOps Cloud
Building context for Semgrep Multimodal requires Azure DevOps permissions, specifically code access granted through an access token you generate through Azure DevOps. Ensure that the token has the following scopes:
Code: Read & write
Pull Request Threads: Read & write
You can provide this token to Semgrep by adding Azure DevOps as a source code manager. Semgrep recommends generating the personal access token from a service account rather than a personal account: the token carries write access to your code and pull request threads, so it should not be tied to an individual user's lifecycle. Whichever kind of account you use, it must be assigned the Owner or Project Collection Administrator role for the organization.
Go to Settings > Global, and click the Semgrep Multimodal toggle to enable.
The Set up Semgrep Multimodal dialog appears. Click Accept & Enable Semgrep Multimodal to proceed.
After enabling Semgrep Multimodal, you can configure the AI provider and enable additional features:
Scan with AI-powered detection: Run AI-powered scans to identify complex business logic flaws, such as insecure direct object references (IDORs) and broken authorization issues. Enabling Semgrep Multimodal does not automatically run AI-powered scans.
Weekly priority emails: Send weekly summary emails to organization admins highlighting the top three backlog priorities across all findings.
Noise filter for Code PR/MR comments: Filter out findings that Semgrep Multimodal identifies as false positives. You can choose to suppress these PR or MR comments entirely, or to display an informational comment stating that the finding is a false positive. Suppressing the comments removes the finding from the reviewer's view, whereas the informational comment keeps a human in the loop if the classification is wrong.
Suggested fix: Enable Multimodal-generated autofix suggestions in PR and MR comments. You can also set a minimum confidence threshold for AI-generated fixes when a rule does not include a human-authored autofix.
Bitbucket Cloud
Building context for Semgrep Multimodal requires additional Bitbucket permissions, specifically code access granted through an access token you generate in Bitbucket. The token must be a Workspace Access Token, which is available only to workspaces on a Bitbucket Cloud Premium plan or higher. The token must have the following scopes:
Go to Settings > Global, and click the Semgrep Multimodal toggle to enable.
The Set up Semgrep Multimodal dialog appears. Click Accept & Enable Semgrep Multimodal to proceed.
After enabling Semgrep Multimodal, you can configure the AI provider and enable the same additional features described under Azure DevOps Cloud.
GitHub
Find the entry for GitHub. If the Private app is already installed, Semgrep displays a message underneath this label that reads Enables Autotriage, Managed Scans, and Auto-scan.
If the Private app is not installed, Semgrep shows an Install button instead. To install the Private app:
Click Install to launch the Add GitHub App page.
Review the information provided, and click Register GitHub App to proceed.
The Continue to SCM dialog appears, since you must finish installing the app with GitHub. Click Continue to proceed.
Follow the prompts provided by GitHub to finish creating the app.
When done, GitHub redirects you back to Semgrep AppSec Platform.
Go to Settings > Global, and click the Semgrep Multimodal toggle to enable.
The Set up Semgrep Multimodal dialog appears. Click Accept & Enable Semgrep Multimodal to proceed.
After enabling Semgrep Multimodal, you can configure the AI provider and enable the same additional features described under Azure DevOps Cloud, as well as the following:
Upgrade Guidance & Autofix: Analyze dependency upgrades for potential breaking changes. When enabled, Semgrep displays indicators for safe upgrades and potential breaking changes in Supply Chain findings.
GitLab
Semgrep Multimodal accesses source code repositories (projects) only on a file-by-file basis; it does not need or request group-wide access to your codebase.
The access token you provide can be scoped to specific projects or individuals. You do not need to grant read access to every project in your GitLab organization.
Go to Settings > Global, and click the Semgrep Multimodal toggle to enable.
The Set up Semgrep Multimodal dialog appears. Click Accept & Enable Semgrep Multimodal to proceed.
After enabling Semgrep Multimodal, you can configure the AI provider and enable the same additional features described under Azure DevOps Cloud, as well as the following:
Upgrade Guidance & Autofix: Analyze dependency upgrades for potential breaking changes. When enabled, Semgrep displays indicators for safe upgrades and potential breaking changes in Supply Chain findings.