Bringing more Semgrep capabilities to BitBucket and Azure DevOps

We’re excited to announce the expansion of Semgrep's capabilities to include Atlassian BitBucket Cloud, BitBucket Data Center, and Microsoft Azure DevOps in our suite of supported source code management tools (SCMs).

Vivek Khimani
Andy Huang
August 16th, 2024


At Semgrep, we often hear from AppSec professionals about the challenges of integrating security products seamlessly into the developer workflow. Typically, tools flag numerous findings with limited context, forcing developers to leave their normal workflow and open a separate security tool to investigate each one, which leads to inefficiencies.

To address these challenges and continue helping AppSec empower developers to address security issues regularly, we’re excited to announce the expansion of Semgrep's capabilities to include Atlassian BitBucket Cloud, BitBucket Data Center, and Microsoft Azure DevOps in our suite of supported source code management tools (SCMs).

What’s New

Semgrep Code PR comments

Semgrep now supports PR comments for BitBucket Cloud, BitBucket Data Center, and Azure DevOps. This feature allows developers to see security findings directly within their pull requests, reducing the need for context switching and enabling quicker remediation.

Semgrep Code PR comments in Bitbucket

Semgrep Secrets PR comments

In addition to security vulnerabilities found by Semgrep Code, Semgrep Secrets can also run in BitBucket and Azure DevOps, leaving PR comments when hard-coded secrets or credentials are detected in a pull request. Using Secrets’ validation, developers can be notified in PRs when high-priority, active secrets findings are detected.

Secret finding in BitBucket PR comment

Semgrep Supply Chain PR comments

We’ve introduced license violation PR comments, which flag a dependency directly in the pull request when its license does not comply with your organization’s policy, helping developers stick to compliant dependencies. This feature is now available for both BitBucket and Azure DevOps.

Semgrep Supply Chain license comment in Bitbucket PR

Tracing vulnerabilities directly to the source

Findings generated from BitBucket and Azure DevOps now feature hyperlinks (commit URL, branch URL, line of code URL, etc.) across all parts of the Semgrep AppSec platform. This enhancement ensures that AppSec professionals can quickly navigate to the relevant parts of their codebase to get more context about the issues.

Semgrep AppSec Platform traceable links

Network Broker

The Semgrep Network Broker supports BitBucket Data Center connectivity starting from version 0.20.0. This allows customers with self-hosted instances to use these features seamlessly. Semgrep Network Broker facilitates secure access between Semgrep and your private network, allowing Semgrep to interact with on-premise resources without exposing them to the public internet.

Conclusion

PR comments and hyperlinks significantly enhance the developer experience by providing immediate context and actionable insights directly within the PR workflow. This integration reduces the time developers spend switching between tools and accelerates the remediation process.

These new features align with Semgrep’s mission to provide secure guardrails rather than gates, enabling developers to write secure code without hindering their productivity. By integrating security seamlessly into the developer workflow, we help organizations shift left and address security issues early in the development lifecycle.

For more details regarding these features, please refer to our documentation:

We look forward to seeing how these enhancements help our users achieve their security goals. Feel free to reach out with any questions or feedback!

About

Semgrep lets security teams partner with developers and shift left organically, without introducing friction. Semgrep gives security teams confidence that they are only surfacing true, actionable issues to developers, and makes it easy for developers to fix these issues in their existing environments.