Skip to main content
Semgrep Secrets generates a finding when a rule matches a piece of code in your codebase. You can use Semgrep AppSec Platform’s Secrets page to view all of the findings generated by Semgrep Secrets after it scans your codebase.

View findings

To view your findings in Semgrep AppSec Platform:
2
In the Navigation bar, click Secrets.
By default, Semgrep displays your Priority findings. Priority findings are defined as valid secrets with critical or high severity. You can switch to the All tab at any point to view all findings identified by Semgrep Secrets. Both the Priority findings view and the All findings view display high-level information about your findings. Each finding in the list includes information such as finding age, code location, project, branch, and validation status.
LOCAL SCANSFindings from local scans are differentiated from their remote counterparts through their slugs. Remote repositories are identified as ACCOUNT_NAME/REPOSITORY_NAME, while local repositories are identified by default as local_scan/REPOSITORY_NAME.

Custom Priority tab

Semgrep admins can create a custom priority definition to change the findings shown on the Priority tab. To do so:
2
In the Navigation bar, click Code. Ensure that you’re viewing the Priority.
3
Using the provided filters, set your parameters for priority findings.
4
Click Save.
5
You’ll see a dialog window asking you to confirm that you want the changes saved for everyone. Click Save to proceed.
This change applies to the entire Semgrep organization. You cannot have separate priority definitions for individual users or teams.

Filter findings

Regardless of whether you use the Priority findings view or the All findings view, there are multiple grouping and filtering options available to you.

Time period

The time period filters allow you to see which vulnerabilities were opened, fixed, or triaged during a certain period of time. The time period filter is not additive; it is a filter operation that precedes other filters on the page. For example, if you select Last triaged and select the status Status Open filter, no findings appear because, by definition, there are no triaged findings that are also open. The following filters are available:
  • Triage state update action:
    • Opened in
    • Triaged in
    • Fixed in
  • Time period:
    • Last day
    • Last 7 days
    • Last 30 days
    • Last 3 months
    • Last 6 months
    • Last year
    • All time

Project

The filter allows you to search for findings associated with the selected projects.

Status

The Status filter allows you to search for findings in the selected statuses. See Triage status for additional information.

Severity

The Severity filter allows you to view findings of particular severities. Secrets finding severity is derived from the corresponding rule severity, as is the case for other Semgrep findings. However, Semgrep Secrets rules may provide different severities based on validation state and environment. For example, an invalid secret may be assigned Medium severity, a valid secret for a sandbox environment may be assigned High severity, and a valid secret in a production environment may be assigned Critical severity. This reflects the different risk levels associated with each situation. Possible values:
  • Low
  • Medium
  • High
  • Critical

Additional filters

Semgrep offers additional filters that you can use to narrow down your results. The following filters are available:

Triage statuses

Triage is the prioritization of a finding based on policies or criteria set by your team or organization, such as severity, coding standards, business goals, and product goals. Semgrep AppSec Platform uses the logic specified in the table below to automatically mark findings as either fixed or removed when they are no longer present in the code. You can manually Ignore findings or set them as To fix or Reviewing in Semgrep AppSec Platform directly through triage or bulk triage actions. The triage statuses are as follows:

Validation

Refers to whether or not a secret is active and can be used to grant resources or authentication, or if a secret is inactive.
  • Confirmed valid: Semgrep made an HTTP request using the secret, and it returned an HTTP status code of 200 or similar and some indication of valid access. For example, a service can include a "message": "ok" in the response body.
  • Confirmed invalid: Semgrep made an HTTP request using the secret and it returned an HTTP status code of 401 or similar.
  • Validation error: Semgrep made an HTTP request using the secret, but either the network request could not be made, a timeout occurred, or the HTTP status code returned a different HTTP status code. In this case, the Semgrep Team recommends manually reviewing the finding.
  • No Validator: The rule does not have a validator. The Semgrep Team recommends manually reviewing the finding.

Repository visibility

Refers to whether or not the repository is a public repository or private. This is detected through your source code manager.
INFOSemgrep supports visibility detection only for GitHub repositories.

Group and sort findings

By default, Semgrep displays your findings using the Group by Rule view. This view shows your findings grouped by the rule Semgrep used to match the code. Your findings are shown sorted by severity, but you can opt to sort by number of findings for a given rule. To view findings individually, click Group & sort > No grouping. Findings are displayed based on the date they were found, with the most recent finding listed at the top.

Export findings

You can export findings to a CSV file. Semgrep can export up to 10,000 most recent findings. To export more than 10,000 findings, you must use the API. Semgrep exports all findings to the CSV file regardless of the filters you apply on the page. Export findings by navigating to the product page and clicking the icon near the Group & Sort filters.
The following fields are exclusive to Code scans:The following fields are exclusive to Supply Chain scans:The following fields are exclusive to Secrets scans:

View details about a specific finding

To view in-depth information about a specific finding, select the finding whose details you want to view. Then:
  • If the default Group by Rule is enabled, click the Details icon on the card of the finding.
  • If the No grouping view is enabled, click the header hyperlink on the card of the finding.
The finding’s details page displays in-depth information about the finding. It also allows you to perform actions such as updating the finding’s status as needed, viewing links to any integrations available, such as associated Jira tickets, and communicating with your team regarding the finding. For example, you can add notes to the finding that anyone with access to the finding can see. See View findings’ details for more information.

Next steps