Bringing more Semgrep capabilities to BitBucket and Azure DevOps
At Semgrep, we often hear from AppSec professionals about the challenges of integrating security products seamlessly into the developer workflow. Typically, tools flag numerous findings with limited context, forcing developers to switch into a separate security tool to investigate, which is inefficient.
To address these challenges and continue helping AppSec empower developers to address security issues regularly, we’re excited to announce the expansion of Semgrep's capabilities to include Atlassian BitBucket Cloud, BitBucket Data Center, and Microsoft Azure DevOps in our suite of supported source code management tools (SCMs).
What’s New
Semgrep Code PR comments
Semgrep now supports PR comments for BitBucket Cloud, BitBucket Data Center, and Azure DevOps. This feature allows developers to see security findings directly within their pull requests, reducing the need for context switching and enabling quicker remediation.
Semgrep Secrets PR comments
In addition to security vulnerabilities found by Semgrep Code, Semgrep Secrets can also run in BitBucket and Azure DevOps, leaving PR comments when hard-coded secrets or credentials are detected in a pull request. Using Secrets’ validation, developers can be notified in PRs when high-priority, active secrets findings are detected.
Semgrep Supply Chain PR comments
We’ve introduced license violation PR comments, ensuring that developers are always using compliant dependencies. This feature is now available for both BitBucket and Azure DevOps.
Tracing vulnerabilities directly to the source
Findings generated from BitBucket and Azure DevOps now feature hyperlinks (commit URL, branch URL, line of code URL, etc.) across all parts of the Semgrep AppSec platform. This enhancement ensures that AppSec professionals can quickly navigate to the relevant parts of their codebase to get more context about the issues.
Network Broker
The Semgrep Network Broker supports BitBucket Data Center connectivity starting from version 0.20.0. This will allow customers with self-hosted instances to seamlessly use these features. Semgrep Network Broker facilitates secure access between Semgrep and your private network, allowing Semgrep to interact with on-premise resources without exposing them to the public internet.
Conclusion
PR comments and hyperlinks significantly enhance the developer experience by providing immediate context and actionable insights directly within the PR workflow. This integration reduces the time developers spend switching between tools and accelerates the remediation process.
These new features align with Semgrep’s mission to provide secure guardrails rather than gates, enabling developers to write secure code without hindering their productivity. By integrating security seamlessly into the developer workflow, we help organizations shift left and address security issues early in the development lifecycle.
For more details regarding these features, please refer to our documentation:
We look forward to seeing how these enhancements help our users achieve their security goals. Feel free to reach out with any questions or feedback!