Manage Semgrep Secrets rules using the Policies page
The Policies page visually represents the rules Semgrep Secrets uses for scanning.
To access the policies page for Semgrep Secrets:
- Log in to Semgrep AppSec Platform and navigate to Rules > Policies.
- Click Secrets.
Policies page structure
The Policies page consists of the following elements:
- Policies header. The top header contains the Validation State Policies button, which lets you define how Semgrep handles findings that it categorizes as invalid or that result in a validation error.
- Filter pane. Displays filters that let you select rules and perform operations on them in bulk. See Filters for more information.
- Rules pane. Displays the rules that Semgrep scans use to detect leaked secrets and lets you edit the mode assigned to each rule, either one rule at a time or in bulk for many rules. You can also narrow the list with the Search for rule names or ids box. See Filters for more information.
Filters
The filter pane displays filters to select and perform operations on rules in bulk. The following filters are available:

| Filter | Description |
|---|---|
| Modes | Filter by the workflow action Semgrep performs when a rule detects a finding. An additional filter, Disabled, selects rules you have turned off, which are no longer included in scans. |
| Validation | Filter by whether or not the rule includes a validator. |
| Type | Filter by the type of secret the rule detects. Examples: AWS, Adobe, DigitalOcean, GitHub, GitLab. |
| Source | Filter by Pro rules (authored by Semgrep) or Custom rules (created by your organization). |
| Severities | Filter by the severity level assigned to the rule. |
| Analysis method | Filter by whether the rule uses Semantic or Generic analysis. |
Rule entry reference
This section defines the columns of the rule entries in the Policies page:

| Column | Description |
|---|---|
| Rule name | Name of the rule Semgrep Secrets uses for scanning. |
| Labels | Metadata describing the rule, including the service to which the rule applies. |
| Open findings | The number of open findings the rule has detected across all scans. |
| Fix rate | The percentage of the rule's findings that were fixed through changes to the code. |
| Severity | The higher the severity, the more critical the issues the rule detects. |
| Confidence | Indicates how likely the rule is to detect true positives. |
| Source | Indicates the origin of the rule: Pro rules are authored by Semgrep; Custom rules are created by your organization. |
| Ruleset | The name of the ruleset the rule belongs to. |
| Mode | The workflow action Semgrep performs when the rule detects a finding. A rule marked Disabled has been turned off and is no longer included in scans. |
Rule modes
Semgrep Secrets provides three rule modes. A rule's mode determines the workflow action Semgrep Secrets takes whenever that rule produces a finding:

| Rule mode | Description |
|---|---|
| Monitor | Rules in Monitor mode display findings only in Semgrep AppSec Platform. They do not post PR or MR comments and do not fail the scan. |
| Comment | Rules in Comment mode display findings in PR or MR comments and in Semgrep AppSec Platform. |
| Block | Rules in Block mode cause the scan job to fail with an exit code of 1 if Semgrep Secrets detects a finding from any of these rules. You can use this result to enforce a block on the PR or MR; for example, GitHub users can enable branch protection and require the Semgrep check to pass before the PR can be merged. These rules display findings in PR or MR comments, in Semgrep AppSec Platform, and in the CLI output. |
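The enforcement path described for Block mode, shown as an added example that is not part of the original page: a GitHub Actions workflow that runs `semgrep ci` on pull requests and on pushes to the default branch. The file path, job name, and `main` branch are assumptions; `SEMGREP_APP_TOKEN` must hold a token created in Semgrep AppSec Platform so that the scan applies your organization's Secrets policies rather than a local rule set.

```yaml
# Added example: .github/workflows/semgrep.yml (path, job name and branch are assumptions)
name: Semgrep
on:
  pull_request: {}
  push:
    branches: ["main"]   # assumed default branch
jobs:
  semgrep:
    name: semgrep/ci     # this is the status check to require in branch protection
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep
    if: (github.actor != 'dependabot[bot]')
    steps:
      - uses: actions/checkout@v4
      - run: semgrep ci
        env:
          # Token from Semgrep AppSec Platform; ties the scan to your org's policies
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
```

`semgrep ci` exits with status 0 when no blocking findings are present, 1 when a Block-mode rule produced a finding, and 2 or higher on an error, so only Block-mode findings fail this job; Monitor- and Comment-mode findings are reported without affecting the exit status. Requiring the `semgrep/ci` check in the repository's branch protection rules turns that failed job into a merge block.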
If PR or MR comments for Semgrep Secrets findings do not appear:
- Make sure the rule is in Comment or Block mode; Monitor-mode rules never post comments.
- Review the PR or MR comments guide for your source code manager.
- Explore other reasons you may not see PR or MR comments.