Skip to main content

Support and availability

Semgrep Multimodal: See the list of supported source code managers.

Automatic analysis

Semgrep Multimodal auto-analyzes findings that meet the following criteria:
  • Full scans: All new findings that have Critical or High severity AND High or Medium confidence are auto-analyzed
  • Diff-aware scans (pull request and merge request scans): Up to 10 new findings are automatically analyzed per scan. AI-powered detection does not support diff-aware scans.

Features

AI-powered detection scans

With Semgrep Multimodal’s AI-powered detection, you can automatically identify complex business logic flaws, such as insecure direct object references (IDORs) and broken authorization. Semgrep’s AI-powered detection combines the precision of static analysis with the contextual reasoning of large language models (LLMs). For instructions on enabling and running an AI-powered scan, see Scan with AI-powered detection.

Explanation

Semgrep Multimodal explains why a finding is a true positive by connecting the rule’s message to the code that triggered it. It highlights the relevant lines of code along with the surrounding context and describes how the rule applies in this specific case. For security rules, Multimodal also connects the finding back to the threat model, showing the potential risk and why the code behavior matters. The explanation helps you understand not just which rule triggered a finding, but why the code is considered problematic. On the finding’s Details page:
  • Semgrep Multimodal’s explanation appears in the Finding description tab.
  • The rule that triggered the finding is described in the Rule description tab.
  • The exact lines of code that caused the finding are displayed in the Your code tab. Click a line to highlight the relevant code in context.
For true positive findings, the same Multimodal-generated explanations are also included in pull request or merge request comments. A brief summary appears in the default view. Expand More details about this to view the full Multimodal-generated explanation. Note that Multimodal-generated explanations are not available for custom rules or community rules.

Remediation

Semgrep Multimodal can provide remediation guidance and Suggested fix for Semgrep Code findings. For AI-generated code changes, use Autofix. For deterministic inline code changes in pull request or merge request comments, use Rule-defined fix.

Guidance

With Multimodal enabled, pull request or merge request comments from Semgrep include step-by-step remediation instructions for the finding identified by Semgrep Code. Semgrep also displays remediation information on Semgrep AppSec Platform’s Findings page under Your code & fix in the finding’s details page.
Semgrep only waits for a limited amount of time for Multimodal guidance before posting a PR or MR comment, since comments are time-sensitive. If guidance is missing from the PR or MR comment because it was not yet available, it should still be present on Semgrep AppSec Platform’s Findings page for the finding.

Suggested fix

Semgrep Multimodal’s Suggested fix includes suggestions on how to fix Semgrep Code findings when it identifies a true positive. Suggested fix provides an explanation of the finding and guidance on how to remediate it. It does not include inline code diffs. Multimodal customizes the suggestions it provides based on any previous feedback and your rule customizations. For example, if you’ve created a custom rule that recommends a specific sanitizer, Multimodal will reference that sanitizer in its Suggested fix whenever the rule is triggered. Suggested fix is available in Semgrep AppSec Platform’s Findings page under Suggested fix in the finding’s details. You can set the minimum Suggested fix confidence level required to display Multimodal suggestions on Semgrep AppSec Platform’s Settings page. To display the maximum number of available suggestions, set confidence level to low.
If many new issues are found in a given scan, Multimodal auto-triage and Suggested fix may not run on every issue.

Autofix (beta)

Autofix uses AI to generate proposed code changes for Semgrep Code and Supply Chain findings. Enable Semgrep Autofix to automatically create pull requests or merge requests with those changes.

Component tags

Component tags use AI to categorize a finding based on its function, such as:
  • Payments
  • User authentication
  • Infrastructure
By categorizing your code through component tags, Semgrep Multimodal can help you prioritize high-risk issues, such as remediating a code finding related to payments or user authentication. Component tags can be viewed in Semgrep AppSec Platform’s Findings page.

Auto-triage

Semgrep Multimodal uses AI’s understanding of programming languages and libraries, and your code and triage history, to auto-triage findings and suggest whether a finding can safely be ignored. For every recommendation to ignore a finding, Semgrep also provides guidance with an explanation on why this is the case. Auto-triage recommendations are available in Semgrep AppSec Platform’s Findings page when you filter for findings that Multimodal suggests should be ignored, and in the finding’s details. Multimodal’s suggestions to ignore findings are also surfaced in PR or MR comments, so developers can triage an issue directly without leaving their PR or MR.

Weekly priority emails

Semgrep sends weekly emails with information on Multimodal’s top three backlog tasks across all findings. Unlike other Multimodal features, these suggestions can include information for all Semgrep products that you have enabled. The emails are sent out on Monday to all organization admins.

Noise filtering (beta)

Noise filtering increases developer velocity by reducing interruptions from potential false positives. With Noise Filtering, Multimodal evaluates each finding to determine if it’s a true positive using additional context. If Multimodal thinks a finding may be a false positive, it prevents a PR comment from being posted in the developer workflow. Security teams can review filtered findings at any time on Semgrep’s Code > Pre-production page. Semgrep also allows you to agree or disagree with the filtering. If you agree with the suggestion, Semgrep closes the finding, but if you disagree, Semgrep reopens the finding. Multimodal is over 95% accurate in categorizing Semgrep Code findings as false positives.

Memories

Memories allows AppSec teams and developers to tailor Multimodal’s remediation guidance to their organization’s standards and defaults on a per-project, per-rule basis. When Multimodal provides a Suggested fix, you can provide feedback by adding custom instructions. For example, if the code contains a hardcoded secret, Multimodal might suggest using an SDK that handles credentialing. However, if your company prefers to use a different secrets manager, you can provide this information to Multimodal. Multimodal then generates remediation guidance that works with your specific secrets manager in the future.

Upgrade guidance (beta)

Semgrep Supply Chain’s dependency upgrade guidance uses AI to analyze if a finding can be safely upgraded or if upgrading the package can cause breaking changes. Semgrep’s Autofix capability can then create a PR to upgrade the package. Read more about Upgrade guidance and Autofix.

Reliability

Multimodal supports fallback between model providers to ensure optimal performance and reliability. OpenAI is the primary provider in most cases, with automatic fallback to Amazon Bedrock as needed. Semgrep’s fallback decisions are based on an internal ranking system informed by ongoing research. Semgrep ranks models by performance and dynamically selects the best available from your enabled options. Enabling additional model providers for your Semgrep organization can improve performance in some scenarios, while removing them could result in reduced performance.