Support and availability
Semgrep Multimodal:- Primarily supports findings generated by Semgrep Code
- Supports the same languages as Semgrep Code
- Requires the Semgrep AppSec Platform
Automatic analysis
Semgrep Multimodal auto-analyzes findings that meet the following criteria:- Full scans: All new findings that have Critical or High severity AND High or Medium confidence are auto-analyzed
- Diff-aware scans (pull request and merge request scans): Up to 10 new findings are automatically analyzed per scan. AI-powered detection does not support diff-aware scans.
Features
AI-powered detection scans
With Semgrep Multimodal’s AI-powered detection, you can automatically identify complex business logic flaws, such as insecure direct object references (IDORs) and broken authorization. Semgrep’s AI-powered detection combines the precision of static analysis with the contextual reasoning of large language models (LLMs). For instructions on enabling and running an AI-powered scan, see Scan with AI-powered detection.Explanation
Semgrep Multimodal explains why a finding is a true positive by connecting the rule’s message to the code that triggered it. It highlights the relevant lines of code along with the surrounding context and describes how the rule applies in this specific case. For security rules, Multimodal also connects the finding back to the threat model, showing the potential risk and why the code behavior matters. The explanation helps you understand not just which rule triggered a finding, but why the code is considered problematic. On the finding’s Details page:- Semgrep Multimodal’s explanation appears in the Finding description tab.
- The rule that triggered the finding is described in the Rule description tab.
- The exact lines of code that caused the finding are displayed in the Your code tab. Click a line to highlight the relevant code in context.
Remediation
Semgrep Multimodal can provide remediation guidance and Suggested fix for Semgrep Code findings. For AI-generated code changes, use Autofix. For deterministic inline code changes in pull request or merge request comments, use Rule-defined fix.Guidance
With Multimodal enabled, pull request or merge request comments from Semgrep include step-by-step remediation instructions for the finding identified by Semgrep Code. Semgrep also displays remediation information on Semgrep AppSec Platform’s Findings page under Your code & fix in the finding’s details page.Semgrep only waits for a limited amount of time for Multimodal guidance before posting a PR or MR comment, since comments are time-sensitive. If guidance is missing from the PR or MR comment because it was not yet available, it should still be present on Semgrep AppSec Platform’s Findings page for the finding.
Suggested fix
Semgrep Multimodal’s Suggested fix includes suggestions on how to fix Semgrep Code findings when it identifies a true positive. Suggested fix provides an explanation of the finding and guidance on how to remediate it. It does not include inline code diffs. Multimodal customizes the suggestions it provides based on any previous feedback and your rule customizations. For example, if you’ve created a custom rule that recommends a specific sanitizer, Multimodal will reference that sanitizer in its Suggested fix whenever the rule is triggered. Suggested fix is available in Semgrep AppSec Platform’s Findings page under Suggested fix in the finding’s details. You can set the minimum Suggested fix confidence level required to display Multimodal suggestions on Semgrep AppSec Platform’s Settings page. To display the maximum number of available suggestions, set confidence level to low.If many new issues are found in a given scan, Multimodal auto-triage and Suggested fix may not run on every issue.
Autofix (beta)
Autofix uses AI to generate proposed code changes for Semgrep Code and Supply Chain findings. Enable Semgrep Autofix to automatically create pull requests or merge requests with those changes.Component tags
Component tags use AI to categorize a finding based on its function, such as:- Payments
- User authentication
- Infrastructure