Pre-deployment checklist
Before starting the deployment setup, use this checklist to ensure that:
- You and your organization agree on the scope of the deployment.
- You are aware of permissions that Semgrep needs to provide certain functions.
- You have access to the resources needed to carry out the deployment.
Ensure that your infrastructure meets all the Prerequisites to run Semgrep.
Stakeholders and deployment team
For medium-to-large teams, typically with more than 10 developers, coordinating with other departments before starting the deployment is crucial to an efficient roll-out. A complete deployment ensures that your licenses are fully used.
Here are some teams or departments that may be responsible for parts of your Semgrep deployment:
Department | Tasks related to deployment |
---|---|
Infrastructure | SSO, CI/CD, and source code manager (SCM) configuration. |
Engineering | Repository ownership, displaying findings to developers in PRs or MRs. |
IT | Firewall or VPN configuration. |
Scope
Scope refers to the breadth of deployment integration within your organization. The more users and repositories you onboard to Semgrep, the more crucial training becomes for security champions within your organization.
Ensure that all stakeholders agree on:
- Which users and departments will use Semgrep.
- Which repositories you will scan with Semgrep.
- How frequently you run Semgrep scans, such as daily or weekly, and at what time. This may affect other processes, such as PR approvals.
- A timeframe for deployment. You may divide this into phases.
Deployment times vary greatly depending on your processes and size.
Monorepos may take longer to finish scanning. Semgrep provides several options to improve performance, including piecemeal scanning of the monorepo. See Scanning a monorepo in parts for more information.
Roles
Semgrep provides two roles: admin
and member
.
For single-user deployments, you are the sole admin
of your deployment.
For multi-user deployments, determine the following:
- The administrators (
admins
) that own the Semgrep deployment. - For
members
, ensure that they have a sign-in method:- SSO
- GitHub Cloud
- GitLab Cloud
Required permissions and access
The following checklist breaks down permissions required by Semgrep features.
Feature | Permission required |
---|---|
Run Semgrep continuously in your CI workflows. | Adding or making changes to CI jobs. This includes committing configuration files for each repository. |
Defining environment variables and storing secrets. | |
Manage user authentication with SSO. | Viewing and editing of SSO configurations. |
Receive Slack notifications. | Being a Slack workspace owner; alternatively, coordinate with the team responsible. |
Send pull or merge requests to your SCM. | Editing firewall or VPN allowlist for self-hosted repositories. |
SCM-specific required permissions
- GitHub
- GitLab
- Bitbucket
GitHub
Feature | Permission required |
---|---|
Create CI jobs for repositories in bulk and detect GitHub repos automatically. | Installing GitHub apps. |
Pull request (PR) comments. | For GitHub Enterprise Server: Adding a personal access token (PAT) with assigned scopes. |
GPT-assisted triage and recommendations. | Code access. |
GitLab
Feature | Permission required |
---|---|
Merge request (MR) comments. | Create personal access tokens. |
GPT-assisted triage and recommendations. | Create personal or project-level access tokens. |
Code access. |
Bitbucket
Feature | Permission |
---|---|
Pull request (PR) comments. | Able to create repository variables. |
Appendices
Permissions
- Permissions for GitHub
- Permissions for GitLab
Permissions for GitHub
This section explains Semgrep AppSec Platform permissions that are requested in two different events:
- When you first sign in through GitHub.
- When you first add, integrate, or onboard your repositories to Semgrep AppSec Platform.
Permissions when signing in with GitHub
Semgrep AppSec Platform requests the following standard permissions set by GitHub when you first sign in. However, not all permissions are used by Semgrep AppSec Platform. Read the following list to see how Semgrep AppSec Platform uses permissions when signing in:
- Verify your GitHub identity
- Enables Semgrep AppSec Platform to read your GitHub profile data, such as your username.
- Know which resources you can access
- Semgrep does not use or access any resources when first logging in. However, you can choose to share resources at a later point to add repositories into Semgrep AppSec Platform.
- Act on your behalf
- Enables Semgrep AppSec Platform to perform certain tasks only on resources that you choose to share with Semgrep AppSec Platform. Semgrep AppSec Platform never uses this permission and never performs any actions on your behalf, even after you have installed
semgrep-app
. See When does a GitHub App act on your behalf? in GitHub documentation.
Permissions when adding your repositories into Semgrep AppSec Platform
The GitHub integration app is called semgrep-app
. This app is used to integrate Semgrep into user-selected GitHub repositories. It requires the following permissions:
- Reading metadata of the repositories you select
- Enables Semgrep AppSec Platform to list repository names on the project setup page.
- Reading the list of organization members
- Enables Semgrep AppSec Platform to determine who can manage your Semgrep organization based on your GitHub organization's members list.
- Reading and writing pull requests
- Enables Semgrep AppSec Platform to comment about findings on pull requests.
- Reading and writing actions
- Enables Semgrep AppSec Platform to cancel stuck jobs, rerun jobs, pull logs from jobs, and perform on-demand scanning.
- Reading GitHub Checks
- Facilitates debugging of Semgrep AppSec Platform when configured out of GitHub Actions.
- Reading and writing security events
- Enables integration with GitHub Advanced Security (for example, to show Semgrep results).
- Reading and writing secrets
- Enables automatically adding of the Semgrep AppSec Platform Token to your repository secrets when onboarding projects. Note: Semgrep cannot read the values of your existing or future secrets (only the names).
- Reading and writing 2 files
- Enables Semgrep AppSec Platform to configure itself to run in CI by writing to
.github/workflows/semgrep.yml
and.semgrepignore
files. - Reading and writing workflows
- Enables Semgrep AppSec Platform to configure itself to run in CI by writing to
.github/workflows/semgrep.yml
. GitHub allows writing to files within.github/workflows/
directory only if this permission is granted along with "Writing a single file." - Reading and writing pull requests
- Write permissions allow Semgrep AppSec Platform to leave pull request comments about findings. Read permissions allow Semgrep AppSec Platform to automatically remove findings when the pull request that introduced them is closed without merging.
Permissions for GitLab
Semgrep requires the following permissions (scopes) to enable the authentication of a session:
openid
email
profile
API
IP addresses
If you are behind a firewall, are using a virtual private network (VPN), or have network restrictions regarding access, you may need to add the following IP addresses to the ingress allowlist and egress allowlist:
# These IP addresses are inbound and outbound:
35.166.231.235
52.35.248.246
52.34.137.110
44.225.64.41
Semgrep versions
Many improvements to the Semgrep AppSec Platform experience only work with up-to-date Semgrep CLI versions. As such, Semgrep AppSec Platform only supports the 10 most recent minor versions of Semgrep CLI. For example, if the latest release was 0.160.0, all versions greater than 0.150.0 are supported, while earlier versions, such as 0.159.0, can be deprecated or can result in failures.
To update Semgrep, see Update Semgrep.
Docker users: use the latest tag to ensure you are up-to-date.
Semgrep AppSec Platform session details
- The time before you need to reauthenticate to Semgrep AppSec Platform is 7 days.
- A Semgrep AppSec Platform session token is valid for 7 days.
- This session timeout is not configurable.
- Semgrep AppSec Platform does not use cookies; instead it uses
localStorage
to store access tokens. The data inlocalStorage
expires every 7 days.
Additional resources
Check out How to introduce Semgrep to your organization from Trail of Bits for tips on how to evaluate and deploy Semgrep for your org.