Upgrade to Unified Policies: Semgrep’s latest version of Policies unifies policies across finding types, allows you to assign different policies to different projects, and adds conditional logic. See Unified Policies for more information.
Validation state policies
policies allow you to define the rules Semgrep Secrets uses to scan your code, how to handle invalid findings, including those that have been revoked or were never functional, and how to handle validation errors when attempting to determine if a secret is a legitimate credential that can be used to access a resource. Findings in different validation states may also have different severities, based on the risk associated with valid credentials as compared with invalid credentials. See Secrets findings: severity for more detail on this behavior.Global rule behavior
The Global rule behavior tab allows you to view and manage the rules Semgrep Secrets uses for scanning. This page consists of the following elements:- The Filters pane displays the filters you can use to select and perform operations on rules in bulk. See Filters for more information.
- The Rules pane displays the rules that Semgrep scans use to detect leaked secrets and allows you to edit their assigned rule modes. You can make these edits on individual rules or through the bulk editing of many rules. You can also use the Search for rule names or ids box. See Rules list for more information.
Filters
The Filters pane displays the filters you can use to select and perform operations on rules in bulk.Available filters
Available filters
Rules list
The following columns appear on the rule entries list:Rules list columns
Rules list columns
Rule modes
Semgrep Secrets provides three rule modes. These can be used to trigger workflow options whenever Semgrep Secrets identifies a finding based on the rule.Manage rules
Turn off rules
1
In Semgrep AppSec Platform, go to Rules & policies > Policies > Secrets.
2
Select either:
- The top Number Matching Rules checkbox to select all rules.
- Individual checkboxes next to rules.
3
Click Change modes(Number), then click Disabled.
Add custom rules
To add custom rules, use the Semgrep Editor. See Semgrep Secrets rule structure and sample.Invalid findings
You can define how Semgrep handles findings that it categorizes as invalid. Invalid findings include secrets that, during validation, were identified as revoked or were never functional. When Semgrep identifies an invalid finding, you can choose to view the finding in Semgrep AppSec Platform, have Semgrep leave a comment in the pull request or merge request, or have the Semgrep scan fail with an exit code of1.
See Rule modes for more information on the modes available.
Validation errors
You can define how Semgrep handles validation errors that occur when there are difficulties reaching the secrets provider or when Semgrep receives an unexpected response from the API. When Semgrep encounters a validation error, you can choose to view the associated finding in Semgrep AppSec Platform, have Semgrep leave a comment in the pull request or merge request, or have the Semgrep scan fail with an exit code of1.
See Rule modes for more information on the modes available.
Slack notification policies
If you are an admin for your Semgrep organization, you can view, create, edit, or delete Slack notification policies. These policies allow you to notify developers of Secrets findings on Slack while managing noise and ensuring that developers are only notified based on the conditions you set. You can configure the following:- Scope: These are the projects (repositories) that are affected by the policy.
- Conditions: The conditions under which actions are performed. These conditions are typically attributes of a finding, such as severity or validation.
- Actions: Actions that are performed on the defined scope when conditions are met.
PREREQUISITESThis feature requires either the:
semgrep:latestDocker image- Semgrep CLI version 1.101.0 and later
Create a policy
1
In Semgrep AppSec Platform, go to Rules & policies > Policies > Secrets.
2
Click Create policy.
3
Provide a name.
4
Define the Scope of the policy:i. Click the drop-down box to select between All Projects, , or tag.ii. If you select or tag, a second drop-down box appears. Choose the projects or project tags to finish defining the scope.
5
Define the conditions of the policy. See Policy conditions for more information. You can create more than one condition by clicking Add condition.
- For each condition, you can select multiple values by clicking on the plus sign () on the same row. The policy is applied when any of those values are met (
OR). - Each additional condition is additive. The policy is applied when all conditions are met (
AND).
6
Define the actions of the policy, and select which channels should receive notifications when the policy is triggered. This list is populated by the channels you have subscribed to. To change this list, follow the steps listed in Receive Slack notifications.
7
Click Create.
8
Enable the policy by clicking the toggle to enable a policy. This applies the policy to future scans.
Policy scopes
A policy’s scope can consist of tags or projects, but not both. If you need to create a policy with both tags and projects, you must make another policy. If a project or project tag that’s included in a policy scope gets deleted, it is removed from the policy scope. If all projects or all project tags are deleted for a given policy, you must edit the policy for it to be applied to a valid scope.Policy conditions
The following table lists available conditions and their values:View your policy
1
In Semgrep AppSec Platform, go to Rules & policies > Policies > Secrets.
2
Under Slack notification policies, click the name of your policy or the three-dot ellipsis () > Edit policy to see additional details.
Edit a policy
1
Go to Rules & Policies > Policies > Secrets, and find the policy you want to edit.
2
Click the three-dot (…) button > Edit policy for the policy. This takes you to the policy definition page.
3
Make your changes.
4
Click Save.
Turn on or off a policy
1
Go to Rules & Policies > Policies > Secrets, and find the policy you want to turn on or off.
2
Turn off or on the Enable policy toggle.
3
Click Save.
Delete a policy
1
Go to Rules & Policies > Policies > Secrets, and find the policy you want to delete.
2
Click the three-dot (…) button > Delete policy.
3
Click Remove to confirm..
INFO:deleting a policy does not remove existing notifications.
Block a pull request or merge request through rule modes
Semgrep enables you to set a workflow action based on the presence of a finding. Workflow actions include:- Failing a CI job. Semgrep returns exit code
1, and you can use this result to set up additional checks to enforce a block on a pull request (PR) or merge request (MR). - Leaving a PR or MR comment.
- Notifying select channels, such as private Slack channels or webhooks.
Troubleshooting: no pull request or merge request comments for Semgrep Secrets
Troubleshooting: no pull request or merge request comments for Semgrep Secrets
If you’re encountering issues getting PR comments for Semgrep Secrets:
- Make sure the rule is in Comment or Block mode
- Review the PR or MR comments guide for your SCM
- Explore other reasons you may not see PR or MR comments