
Scan for secrets

Semgrep Secrets detects and triages leaked secrets and credentials. It saves you time by prioritizing which secrets to rotate based on whether a detected secret is still active and in use.

Semgrep Secrets page

This document guides you through:

  1. Enabling Semgrep Secrets
  2. Viewing your results and triaging your findings
  3. Setting up PR comments and notifications

Language and environment support

Semgrep Secrets can scan repositories written in any programming language, and it supports posting PR and MR comments to GitHub, GitLab, and Bitbucket.

Enable Semgrep Secrets

Prerequisite

You have completed a Semgrep core deployment.

  1. Log into Semgrep AppSec Platform.
  2. Click Settings.
  3. On the Deployment tab, click the Secrets toggle to enable.

Once you've enabled Secrets for your organization, all Semgrep scans include secret scanning. There are no additional steps to take.

Scan your repository

After you've enabled Semgrep Secrets, you can:

  • Manually trigger a full scan of your repository through your CI provider
  • Start a scan from the CLI (Semgrep recommends that you run CLI scans only on feature branches, not main branches)
  • Wait for your scheduled Semgrep full scan
  • Open a pull request or merge request and wait for Semgrep to scan the branch automatically

Upgrade your rules

If you're using Semgrep Code rules to identify leaked credentials, Semgrep AppSec Platform prompts you when an improved Semgrep Secrets version of a rule exists. Secrets rules use validators, which check whether a detected credential is still active, and include improvements that detect and hide false positives.
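To make the detect, validate, prioritize flow concrete, here is an added example in Python. It is not Semgrep's code and does not use Semgrep's rule or validator format: it is a toy scanner that finds credential-shaped strings in constructed sample files, hides low-entropy placeholders as likely false positives, marks each remaining candidate valid or invalid, and orders the rotation queue so active secrets come first. The regexes, the entropy threshold, the sample files, and the `ACTIVE_TOKENS` set (an offline stand-in for the issuer-side API check a real validator would make) are all assumptions constructed for this example.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Token shapes for two common credential formats. These regexes are assumptions
# made for this example; Semgrep's own Secrets rules are separate and more thorough.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
ENTROPY_THRESHOLD = 2.5  # bits per character; a threshold chosen for this example

# Constructed sample repository contents (not real credentials).
# AKIAIOSFODNN7EXAMPLE is the placeholder access key used in AWS documentation.
AWS_EXAMPLE_KEY = "AKIAIOSFODNN7EXAMPLE"
GITHUB_EXAMPLE_PAT = "ghp_" + "0123456789abcdefghijklmnopqrstuvwxyz"
AWS_PLACEHOLDER = "AKIA" + "X" * 16
SAMPLE_FILES = {
    "config/settings.py": (
        f'AWS_ACCESS_KEY_ID = "{AWS_EXAMPLE_KEY}"\n'
        f'GITHUB_TOKEN = "{GITHUB_EXAMPLE_PAT}"\n'
    ),
    "docs/README.md": f"Set AWS_ACCESS_KEY_ID to {AWS_PLACEHOLDER} in your environment.\n",
}

# Offline stand-in for a validator. A real validator sends the candidate to the
# issuer's API and maps the HTTP status to a validity; here a constructed set of
# "still active" tokens replaces that network call.
ACTIVE_TOKENS = {AWS_EXAMPLE_KEY}


@dataclass
class Finding:
    rule_id: str
    path: str
    line: int
    secret: str
    validity: str = "unknown"        # "valid", "invalid" or "unknown"
    likely_placeholder: bool = False


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; low values flag XXXX-style placeholders."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect(path: str, text: str) -> list[Finding]:
    """Stage 1: find candidate credentials by shape, flagging low-entropy ones."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule_id, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                secret = match.group(0)
                findings.append(Finding(
                    rule_id, path, lineno, secret,
                    likely_placeholder=shannon_entropy(secret) < ENTROPY_THRESHOLD,
                ))
    return findings


def validate(finding: Finding) -> Finding:
    """Stage 2: mark the candidate valid or invalid (offline stand-in, see above)."""
    if finding.likely_placeholder:
        return finding  # do not spend a validation call on a placeholder
    finding.validity = "valid" if finding.secret in ACTIVE_TOKENS else "invalid"
    return finding


def scan(files: dict[str, str]) -> list[Finding]:
    """Run detection and validation over every file in the sample repository."""
    return [validate(f) for path, text in files.items() for f in detect(path, text)]


def rotation_queue(findings: list[Finding]) -> list[tuple[str, str, str]]:
    """Stage 3: hide placeholders; rotate active secrets first, then unverified, then inactive."""
    rank = {"valid": 0, "unknown": 1, "invalid": 2}
    live = [f for f in findings if not f.likely_placeholder]
    live.sort(key=lambda f: rank[f.validity])
    return [(f.rule_id, f.path, f.validity) for f in live]


if __name__ == "__main__":
    for rule_id, path, validity in rotation_queue(scan(SAMPLE_FILES)):
        print(f"{validity:8} {rule_id:20} {path}")
```

Running the block prints the AWS key first (marked valid) and the GitHub token second (marked invalid); the README placeholder is dropped from the queue because its entropy is far below the threshold. Swapping the offline `ACTIVE_TOKENS` lookup for a real request against the issuer's API is what turns this sketch into the kind of validator the upgraded Secrets rules provide.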

Semgrep AppSec Platform's Findings page shows the individual findings for which a Semgrep Secrets rule upgrade exists. Such findings carry the label Secrets version available! Click to see rule(s).

Finding tagged as having a Secrets rule available

To list the rules you're using that have a Secrets rule upgrade in Semgrep AppSec Platform:

  1. Sign in to Semgrep AppSec Platform.
  2. Go to Rules > Policies > Code.
  3. Under Available rule upgrades, ensure that you've selected Secrets.

Filter to find rules for which there is a rule upgrade
