> ## Documentation Index
> Fetch the complete documentation index at: https://docs.semgrep.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Enable Semgrep Multimodal

> Semgrep Multimodal extends standard Semgrep capabilities by providing contextually aware AI-powered vulnerability detection and remediation suggestions.

This article walks you through enabling Semgrep Multimodal for your deployment.

<Note>
  **PREREQUISITES**

  * You have completed a [Semgrep core deployment](/deployment/core-deployment).
  * You have set rules to **Comment** or **Block** mode in your [<Icon icon="external-link" iconType="solid" /> Policies page](https://semgrep.dev/orgs/-/policies).
</Note>

<Tabs>
  <Tab title="Azure DevOps Cloud">
    Building context for Semgrep Multimodal requires Azure DevOps permissions, specifically code access granted through an access token you generate through Azure DevOps. Ensure that the token has the following scopes:

    * `Code: Read & write`
    * `Pull Request Threads: Read & write`

    You can provide this token to Semgrep by adding [Azure DevOps as a source code manager](/deployment/connect-scm#connect-to-cloud-hosted-orgs).

    Semgrep recommends using a service account, not a personal account, to [generate the personal access token](https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate) provided to Semgrep. Regardless of whether you use a personal or service account, the account must be assigned the **Owner** or **Project Collection Administrator** role for the organization.

    ### Enable Multimodal

    <Steps>
      <Step>
        Sign in to [Semgrep AppSec Platform](https://semgrep.dev/login).
      </Step>

      <Step>
        Go to **Settings > Global**, and click the **Semgrep Multimodal** toggle to enable.
      </Step>

      <Step>
        The **Set up Semgrep Multimodal** dialog appears. Click **Accept & Enable Semgrep Multimodal** to proceed.
      </Step>
    </Steps>

    After enabling Semgrep Multimodal, you can configure the [AI provider](https://semgrep.dev/orgs/-/settings/general/global) and enable additional features:

    * **[Scan with AI-powered detection](/semgrep-code/ai-powered-detection-concepts)**: Run AI-powered scans to identify complex business logic flaws, such as insecure direct object references (IDORs) and broken authorization issues. Enabling Semgrep Multimodal does not automatically run AI-powered scans.
    * **[Weekly priority emails](/semgrep-code/ai-powered-detection-concepts)**: Send weekly summary emails to organization admins highlighting the top three backlog priorities across all findings.
    * **[Suggested fix](/semgrep-multimodal/customize#suggested-fix)**: Includes suggestions on how to fix findings. You can also set a minimum confidence threshold for Suggested fix.
    * **[Autofix PR](/semgrep-code/triage-remediation/autofix)**: Automatically create AI-generated pull requests (PRs) to remediate findings.
    * **[Noise filter for Code PR/MR comments](/semgrep-appsec-platform/github-pr-comments#configure-comments-for-semgrep-code)**: Filter out findings identified as false positives. You can choose to suppress PR or MR comments entirely or display informational comments indicating that a finding is a false positive.
  </Tab>

  <Tab title="Bitbucket Cloud">
    Building context for Semgrep Multimodal requires additional Bitbucket permissions, specifically code access granted through an access token you generate through Bitbucket. Your token must be a [Workspace Access Token](https://support.atlassian.com/bitbucket-cloud/workspace-access-tokens/), which are available to users with a Bitbucket Cloud Premium plan or higher. The token must have the following scopes:

    * `Projects: Read`
    * `Repositories: Read`
    * `Pull requests: Read & Write`
    * `Webhooks: Read and write`

    You can provide this token to Semgrep by [adding Bitbucket as a source code manager](/deployment/connect-scm#connect-to-cloud-hosted-orgs).

    ### Enable Multimodal

    <Steps>
      <Step>
        Sign in to [Semgrep AppSec Platform](https://semgrep.dev/login).
      </Step>

      <Step>
        Go to **Settings > Global**, and click the **Semgrep Multimodal** toggle to enable.
      </Step>

      <Step>
        The **Set up Semgrep Multimodal** dialog appears. Click **Accept & Enable Semgrep Multimodal** to proceed.
      </Step>
    </Steps>

    After enabling Semgrep Multimodal, you can configure the [AI provider](https://semgrep.dev/orgs/-/settings/general/global) and enable additional features:

    * **[Scan with AI-powered detection](/semgrep-code/ai-powered-detection-concepts)**: Run AI-powered scans to identify complex business logic flaws, such as insecure direct object references (IDORs) and broken authorization issues. Enabling Semgrep Multimodal does not automatically run AI-powered scans.
    * **[Weekly priority emails](/semgrep-code/ai-powered-detection-concepts)**: Send weekly summary emails to organization admins highlighting the top three backlog priorities across all findings.
    * **[Suggested fix](/semgrep-multimodal/customize#suggested-fix)**: Includes suggestions on how to fix findings. You can also set a minimum confidence threshold for Suggested fix.
    * **[Autofix PR](/semgrep-code/triage-remediation/autofix)**: Automatically create AI-generated pull requests (PRs) to remediate findings.
    * **[Noise filter for Code PR/MR comments](/semgrep-appsec-platform/github-pr-comments#configure-comments-for-semgrep-code)**: Filter out findings identified as false positives. You can choose to suppress PR or MR comments entirely or display informational comments indicating that a finding is a false positive.
  </Tab>

  <Tab title="GitHub">
    In addition to the
    [<Icon icon="file-lines" iconType="regular" /> standard permissions required for Semgrep](/deployment/prepare/scm-permissions#permissions), Semgrep Multimodal requires [read access to your code in GitHub](https://docs.github.com/en/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28). This is done through a **private Semgrep GitHub app** that you install.

    The private Semgrep GitHub app:

    * Is fully under your control so you can revoke access or specific permissions at any time by visiting **Settings > Applications** in GitHub.
    * Only accesses source code repositories on a file-by-file basis; it does not need or request org-level access to your codebase.
    * Can be configured to limit its scope to specific repositories. You do not need to give read access to all repositories in your GitHub organization.

    To verify that you have the private app installed:

    1. In [Semgrep AppSec Platform](https://semgrep.dev/login), go to **Settings > Source Code Managers**.
    2. Find the entry for GitHub. If you have the **Private app** installed, Semgrep displays a message underneath this label that reads **Enables Autotriage, Managed Scans, and Auto-scan**.
    3. If you *do not* have the **Private app** installed, the **Install** button is shown to you. To install the private app:
       1. Click **Install** to launch the **Add GitHub App** page.
       2. Review the information provided, and click **Register GitHub App** to proceed.
       3. The **Continue to SCM** dialog appears, since you must finish installing the app with GitHub. Click **Continue** to proceed.
       4. Follow the prompts provided by GitHub to finish creating the app.
       5. When done, GitHub redirects you back to Semgrep AppSec Platform.

    ### Enable Multimodal

    <Steps>
      <Step>
        Sign in to [Semgrep AppSec Platform](https://semgrep.dev/login).
      </Step>

      <Step>
        Go to **[Settings > Global](https://semgrep.dev/orgs/-/settings/general/global)**, and click the **Semgrep Multimodal** toggle to enable.
      </Step>

      <Step>
        The **Set up Semgrep Multimodal** dialog appears. Click **Accept & Enable Semgrep Multimodal** to proceed.
      </Step>
    </Steps>

    After enabling Semgrep Multimodal, you can configure the [AI provider](https://semgrep.dev/orgs/-/settings/general/global) and enable additional features:

    * **[Scan with AI-powered detection](/semgrep-code/ai-powered-detection-concepts)**: Run AI-powered scans to identify complex business logic flaws, such as insecure direct object references (IDORs) and broken authorization issues. Enabling Semgrep Multimodal does not automatically run AI-powered scans.
    * **[Weekly priority emails](/semgrep-code/ai-powered-detection-concepts)**: Send weekly summary emails to organization admins highlighting the top three backlog priorities across all findings.
    * **[Suggested fix](/semgrep-multimodal/customize#suggested-fix)**: Includes suggestions on how to fix findings in PR and MR comments. You can also set a minimum confidence threshold for Suggested fix.
    * **[Autofix PR](/semgrep-code/triage-remediation/autofix)**: Automatically create AI-generated pull requests (PRs) to remediate findings.
    * **[Noise filter for Code PR/MR comments](/semgrep-appsec-platform/github-pr-comments#configure-comments-for-semgrep-code)**: Filter out findings identified as false positives. You can choose to suppress PR or MR comments entirely or display informational comments indicating that a finding is a false positive.
    * **[Upgrade Guidance & Autofix](/semgrep-supply-chain/triage-and-remediation#upgrade-guidance-and-autofix-beta)**: Analyze dependency upgrades for potential breaking changes. When enabled, Semgrep displays indicators for safe upgrades and potential breaking changes in Supply Chain findings.
  </Tab>

  <Tab title="GitLab">
    To build context for Semgrep Multimodal, you must provide either a [project access token](https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html) or [personal access token](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html) with the **API scope**.

    * You can revoke [project access tokens](https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html#revoke-a-project-access-token) or [personal access tokens](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html#revoke-a-personal-access-token) at any time.
    * Semgrep Multimodal only accesses source code repositories (projects) on a file-by-file basis; it does not need or request org-level access to your codebase.
    * The token can be configured to limit its scope to specific projects or individuals. You do not need to give read access to all projects in your GitLab organization.

    ## Enable Multimodal

    <Steps>
      <Step>
        Sign in to [Semgrep AppSec Platform <Icon icon="external-link" iconType="solid" />](https://semgrep.dev/login) using your GitLab account.
      </Step>

      <Step>
        Go to **Settings > Global**, and click the **Semgrep Multimodal** toggle to enable.
      </Step>

      <Step>
        The **Set up Semgrep Multimodal** dialog appears. Click **Accept & Enable Semgrep Multimodal** to proceed.
      </Step>
    </Steps>

    After enabling Semgrep Multimodal, you can configure the [AI provider](https://semgrep.dev/orgs/-/settings/general/global) and enable additional features:

    * **[Scan with AI-powered detection](/semgrep-code/ai-powered-detection-concepts)**: Run AI-powered scans to identify complex business logic flaws, such as insecure direct object references (IDORs) and broken authorization issues. Enabling Semgrep Multimodal does not automatically run AI-powered scans.
    * **[Weekly priority emails](/semgrep-code/ai-powered-detection-concepts)**: Send weekly summary emails to organization admins highlighting the top three backlog priorities across all findings.
    * **[Suggested fix](/semgrep-multimodal/customize#suggested-fix)**: Includes prose-based suggestions on how to fix findings. You can also set a minimum confidence threshold for Suggested fix.
    * **[Autofix PR](/semgrep-code/triage-remediation/autofix)**: Automatically create AI-generated pull requests (PRs) to remediate findings.
    * **[Noise filter for Code PR/MR comments](/semgrep-appsec-platform/github-pr-comments#configure-comments-for-semgrep-code)**: Filter out findings identified as false positives. You can choose to suppress PR or MR comments entirely or display informational comments indicating that a finding is a false positive.
    * **[Upgrade Guidance & Autofix](/semgrep-supply-chain/triage-and-remediation#upgrade-guidance-and-autofix-beta)**: Analyze dependency upgrades for potential breaking changes. When enabled, Semgrep displays indicators for safe upgrades and potential breaking changes in Supply Chain findings.
  </Tab>
</Tabs>
