
Pre-deployment checklist

Before starting the deployment setup, use this checklist to ensure that:

  • You and your organization agree on the scope of the deployment.
  • You are aware of permissions that Semgrep needs to provide certain functions.
  • You have access to the resources needed to carry out the deployment.

Info: Ensure that your infrastructure meets all the Prerequisites to run Semgrep.

Stakeholders and deployment team

For medium-to-large teams, typically with more than 10 developers, coordinating with other departments before starting the deployment is crucial to an efficient roll-out. A complete deployment ensures that your licenses are fully used.

Here are some teams or departments that may be responsible for parts of your Semgrep deployment:

| Department | Tasks related to deployment |
| --- | --- |
| Infrastructure | SSO, CI/CD, and source code manager (SCM) configuration. |
| Engineering | Repository ownership, displaying findings to developers in PRs or MRs. |
| IT | Firewall or VPN configuration. |

Scope

Scope refers to the breadth of deployment integration within your organization. The more users and repositories you onboard to Semgrep, the more crucial training becomes for security champions within your organization.

Ensure that all stakeholders agree on:

  • Which users and departments will use Semgrep.
  • Which repositories you will scan with Semgrep.
  • How frequently you run Semgrep scans, such as daily or weekly, and at what time. This may affect other processes, such as PR approvals.
  • A timeframe for deployment. You may divide this into phases.

Deployment times vary greatly depending on your processes and size.

On scheduling scans

Monorepos may take longer to finish scanning. Semgrep provides several options to improve performance, including piecemeal scanning of the monorepo. See Scanning a monorepo in parts for more information.

Roles

Semgrep provides two roles: admin and member.

For single-user deployments, you are the sole admin of your deployment.

For multi-user deployments, determine the following:

  • The administrators (admins) that own the Semgrep deployment.
  • For members, ensure that they have a sign-in method:
    • SSO
    • GitHub Cloud
    • GitLab Cloud

Required permissions and access

The following checklist breaks down permissions required by Semgrep features.

| Feature | Permission required |
| --- | --- |
| Run Semgrep continuously in your CI workflows. | Adding or making changes to CI jobs. This includes committing configuration files for each repository. |
| | Defining environment variables and storing secrets. |
| Manage user authentication with SSO. | Viewing and editing of SSO configurations. |
| Receive Slack notifications. | Being a Slack workspace owner; alternatively, coordinate with the team responsible. |
| Send pull or merge requests to your SCM. | Editing firewall or VPN allowlist for self-hosted repositories. |

SCM-specific required permissions

GitHub

| Feature | Permission required |
| --- | --- |
| Create CI jobs for repositories in bulk and detect GitHub repos automatically. | Installing GitHub apps. |
| Pull request (PR) comments. | For GitHub Enterprise Server: Adding a personal access token (PAT) with assigned scopes. |
| GPT-assisted triage and recommendations. | Code access. |

Appendices

Permissions

Permissions for GitHub

This section explains Semgrep AppSec Platform permissions that are requested in two different events:

  • When you first sign in through GitHub.
  • When you first add, integrate, or onboard your repositories to Semgrep AppSec Platform.

Permissions when signing in with GitHub

Semgrep AppSec Platform requests the following standard permissions set by GitHub when you first sign in. However, not all permissions are used by Semgrep AppSec Platform. Read the following list to see how Semgrep AppSec Platform uses permissions when signing in:

  • Verify your GitHub identity: Enables Semgrep AppSec Platform to read your GitHub profile data, such as your username.
  • Know which resources you can access: Semgrep does not use or access any resources when first logging in. However, you can choose to share resources at a later point to add repositories into Semgrep AppSec Platform.
  • Act on your behalf: Enables Semgrep AppSec Platform to perform certain tasks only on resources that you choose to share with Semgrep AppSec Platform. Semgrep AppSec Platform never uses this permission and never performs any actions on your behalf, even after you have installed semgrep-app. See When does a GitHub App act on your behalf? in GitHub documentation.

Permissions when adding your repositories into Semgrep AppSec Platform

The GitHub integration app is called semgrep-app. This app is used to integrate Semgrep into user-selected GitHub repositories. It requires the following permissions:

  • Reading metadata of the repositories you select: Enables Semgrep AppSec Platform to list repository names on the project setup page.
  • Reading the list of organization members: Enables Semgrep AppSec Platform to determine who can manage your Semgrep organization based on your GitHub organization's members list.
  • Reading and writing pull requests: Enables Semgrep AppSec Platform to comment about findings on pull requests.
  • Reading and writing actions: Enables Semgrep AppSec Platform to cancel stuck jobs, rerun jobs, pull logs from jobs, and perform on-demand scanning.
  • Reading GitHub Checks: Facilitates debugging of Semgrep AppSec Platform when configured out of GitHub Actions.
  • Reading and writing security events: Enables integration with GitHub Advanced Security (for example, to show Semgrep results).
  • Reading and writing secrets: Enables automatically adding the Semgrep AppSec Platform Token to your repository secrets when onboarding projects. Note: Semgrep cannot read the values of your existing or future secrets (only the names).
  • Reading and writing 2 files: Enables Semgrep AppSec Platform to configure itself to run in CI by writing to .github/workflows/semgrep.yml and .semgrepignore files.
  • Reading and writing workflows: Enables Semgrep AppSec Platform to configure itself to run in CI by writing to .github/workflows/semgrep.yml. GitHub allows writing to files within the .github/workflows/ directory only if this permission is granted along with "Writing a single file."
  • Reading and writing pull requests: Write permissions allow Semgrep AppSec Platform to leave pull request comments about findings. Read permissions allow Semgrep AppSec Platform to automatically remove findings when the pull request that introduced them is closed without merging.
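
To confirm that an installed semgrep-app holds only the permissions listed above, the following added example (not Semgrep's or GitHub's own code) audits one installation record. The mapping from this page's descriptions to GitHub App permission keys is an assumption, and the sample record is constructed.

```python
# Assumed mapping from the permissions described above to GitHub App
# permission keys; verify it against the consent screen GitHub shows you.
DOCUMENTED = {
    "metadata": "read", "members": "read", "checks": "read",
    "pull_requests": "write", "actions": "write", "security_events": "write",
    "secrets": "write", "single_file": "write", "workflows": "write",
}
DOCUMENTED_FILES = {".github/workflows/semgrep.yml", ".semgrepignore"}
RANK = {"read": 1, "write": 2, "admin": 3}

def audit_installation(installation):
    """Compare one GitHub App installation record with the documented set.

    Returns sorted (kind, name, granted) tuples:
      undocumented    - permission key this page does not list
      exceeds         - access level above the documented one
      unexpected_file - single-file path other than the two named above
    """
    perms = installation.get("permissions", {})
    findings = []
    for key, granted in perms.items():
        documented = DOCUMENTED.get(key)
        if documented is None:
            findings.append(("undocumented", key, granted))
        elif RANK.get(granted, 99) > RANK[documented]:
            findings.append(("exceeds", key, granted))
    for path in installation.get("single_file_paths") or []:
        if path not in DOCUMENTED_FILES:
            level = perms.get("single_file", "unknown")
            findings.append(("unexpected_file", path, level))
    return sorted(findings)

# Constructed record shaped like an entry from GitHub's installation listing.
SAMPLE = {
    "app_slug": "semgrep-app",
    "permissions": {
        "metadata": "read", "members": "read", "checks": "write",
        "pull_requests": "write", "actions": "write", "contents": "read",
        "security_events": "write", "secrets": "write",
        "single_file": "write", "workflows": "write",
    },
    "single_file_paths": [".github/workflows/semgrep.yml", ".semgrepignore",
                          ".github/CODEOWNERS"],
}

if __name__ == "__main__":
    for finding in audit_installation(SAMPLE):
        print(finding)
```

An empty result means the record grants nothing beyond what this page documents; any finding is a prompt to review the installation before approving it.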

IP addresses

If you are behind a firewall, are using a virtual private network (VPN), or have network restrictions regarding access, you may need to add the following IP addresses to the ingress allowlist and egress allowlist:

# These IP addresses are inbound and outbound:
35.166.231.235
52.35.248.246
52.34.137.110
44.225.64.41
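
Before changing firewall rules, it helps to check each allowlist against the four addresses above and to spot rules that admit far more than those hosts. This is an added example, not Semgrep tooling; the sample rule sets are constructed and `audit_allowlist` is a hypothetical helper name.

```python
import ipaddress

# Semgrep AppSec Platform addresses listed above (inbound and outbound).
SEMGREP_IPS = [ipaddress.ip_address(a) for a in (
    "35.166.231.235", "52.35.248.246", "52.34.137.110", "44.225.64.41")]

def audit_allowlist(rules, max_addresses=1):
    """Check one allowlist (ingress or egress) against the Semgrep addresses.

    rules: iterable of CIDR strings or single addresses.
    Returns (missing, broad, invalid):
      missing - Semgrep addresses that no rule covers
      broad   - rules that cover a Semgrep address but admit more than
                max_addresses hosts (wider than this page requires)
      invalid - entries that do not parse as an address or network
    """
    nets, invalid = [], []
    for rule in rules:
        try:
            nets.append(ipaddress.ip_network(rule.strip(), strict=False))
        except ValueError:
            invalid.append(rule)
    missing = [str(ip) for ip in SEMGREP_IPS
               if not any(ip in net for net in nets)]
    broad = [str(net) for net in nets
             if net.num_addresses > max_addresses
             and any(ip in net for ip in SEMGREP_IPS)]
    return missing, broad, invalid

# Constructed sample rule sets, not taken from any real firewall.
SAMPLE_EGRESS = ["35.166.231.235/32", "52.35.248.246", "52.34.0.0/16",
                 "10.0.0.0/8", "44.225.64.41/33"]
SAMPLE_INGRESS = ["35.166.231.235", "52.35.248.246", "52.34.137.110",
                  "44.225.64.41"]

if __name__ == "__main__":
    for name, rules in (("egress", SAMPLE_EGRESS), ("ingress", SAMPLE_INGRESS)):
        missing, broad, invalid = audit_allowlist(rules)
        print(f"{name}: missing={missing} broad={broad} invalid={invalid}")
```

Run it once for the ingress list and once for the egress list, since the page requires the addresses in both.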

Semgrep versions

Many improvements to the Semgrep AppSec Platform experience only work with up-to-date Semgrep CLI versions. As such, Semgrep AppSec Platform only supports the 10 most recent minor versions of Semgrep CLI. For example, if the latest release was 0.160.0, all versions greater than 0.150.0 are supported, while earlier versions, such as 0.159.0, can be deprecated or can result in failures.

To update Semgrep, see Update Semgrep.

Docker users: use the latest tag to ensure you are up-to-date.

Semgrep AppSec Platform session details

  • The time before you need to reauthenticate to Semgrep AppSec Platform is 7 days.
  • A Semgrep AppSec Platform session token is valid for 7 days.
  • This session timeout is not configurable.
  • Semgrep AppSec Platform does not use cookies; instead it uses localStorage to store access tokens. The data in localStorage expires every 7 days.

Additional resources

Check out How to introduce Semgrep to your organization from Trail of Bits for tips on how to evaluate and deploy Semgrep for your org.