Skip to main content

Connect a source code manager

Your deployment journey

Linking a source code manager provides the following benefits:

  • Allows the Semgrep org membership to be managed by GitHub or GitLab.
  • For GitHub users:
    • Provides Semgrep access to post PR or MR comments.
    • For GitHub Actions users: Enables you to add a Semgrep CI job to repositories in bulk.
  • Allows you to scan and manage your Azure DevOps and Bitbucket projects in Semgrep AppSec Platform.
  • Allows the Semgrep platform to generate hyperlinks to code in findings.

If your organization uses both GitHub and GitLab to manage source code, log in with the source code manager that you would prefer to use to manage Semgrep org membership. You can still scan repositories from other sources, including Azure DevOps and Bitbucket, though you will need to use a separate SSO provider to manage the authentication of your users in such cases.

The process to connect a source code manager depends on whether your SCM tool is cloud-hosted by the service provider, hosted on-premise, or hosted as a single tenant by the service provider.

Connect to cloud-hosted orgs

If you opted to scan a GitHub or GitLab repository when you initially signed in, you may have already performed these steps and can skip to Next steps.

  1. Sign in to Semgrep AppSec Platform.
  2. Optional: If you have created more than one Semgrep account, select the account you want to make a connection for by clicking on the Navigation bar > Your account name > The account you want to connect.
  3. From the Navigation bar, click Settings > Source code managers.
  4. Click Connect to GitHub.
  5. Review the permissions requested by Semgrep, then click Continue.
  6. Click the organization you want to install Semgrep on.
  7. Choose to authorize and install Semgrep for All repositories or Only select repositories.
  8. Click Install and authorize.
  9. After a successful link, you are signed out of Semgrep AppSec Platform automatically, as your credentials have changed after linking an organization.
  10. Sign back in to Semgrep AppSec Platform.

Connect to on-premise orgs and projects

This section is applicable to users on a GitHub Enterprise Server plan.

The Semgrep App for GitHub Enterprise (GHE) creates a connection between Semgrep and orgs in your GHE deployment. There are two primary installation steps:

  1. Install the Semgrep App for the first time using the GHE organization (org) that "owns" the app.
  2. Install the app for additional GHE orgs.

Initial Semgrep App installation

If your deployment contains many orgs, you must choose an org among your accounts that acts as the owner of the Semgrep App. As the owner, this org controls the settings and permissions granted to the app.

Ensure that you have selected the intended owner by viewing the account name in the navigation bar:


Choose another account by clicking the account name and selecting an account from the drop-down box. Then, perform the following steps to set up the connection:

  1. Sign in to Semgrep AppSec Platform.
  2. Click Settings > Source code managers > Add > GitHub Enterprise.
  3. In the Connect your GitHub Organization dialog box, provide:
    • The Name of your GitHub Organization
    • The URL to access your deployment
  4. Click Connect to save your changes.
  5. In the Add GitHub App page that you're redirected to, ensure that:
    • You've selected Organization.
    • The GitHub Organization name is populated; if not, enter the name of your org.
    • You've selected the Use for multiple GitHub orgs (Enterprise-public app) checkbox.
  6. Select the features you'd like enabled. Enabling PR comments, Assistant recommendations, and Semgrep Managed Scans requires you to grant Semgrep Code Access, while enabling only PR comments does not.
  7. Review the permissions for the app; as the app owner, note that you can change these permissions later.
  8. Click Register GitHub App to proceed.
  9. You are taken to your GHE instance and asked to name your app. You can choose whatever name you'd like, but Semgrep recommends that you name it something that indicates that this is the Semgrep GHE app.
  10. After you name your app, choose the GHE org to which you want it installed.
  11. Select the org that you want to act as the owner of the app, and click Install.
  12. Wait for the installation to complete. When done, you will be redirected to Semgrep.
  13. Verify the installation by navigating to Settings > Source code managers. Ensure that the entry for your SCM shows a Connected badge.
  14. In GHE, you should see the app listed as installed on the GitHub Apps page. GHE showing installed Semgrep App You can click Configure to choose the repositories to which the app has access. Additionally, you can go to App settings to customize the permissions granted to the app. GitHub Apps page showing App settings link
  15. If you have additional GHE orgs you'd like to add, you can do so by repeating steps 2-15.

At this point, you've successfully installed the GHE Semgrep App on the owner GHE org. In the future, other members of your GHE instance can install the app on their GHE orgs using the public link if they have the proper permissions. You can get the public link from GHE by going to GitHub Apps > App settings.

App installation page

Install the app for subsequent GHE orgs

You can install the Semgrep app onto additional GHE orgs at any time. To do so:

  1. Go to the public link for the app shared with you by your admin. Click Install. App installation page
  2. Choose the GHE org to which you want the app installed, and click Install. Org list
  3. In the popup confirmation message, click Install. GitHub installation prompt
  4. The GHE org should now be listed under Source code managers.

You have successfully connected Semgrep to your GitHub Enterprise Server.

Next steps

  • Optional: See SSO authentication to set up user management through SSO.
  • You are ready to scan your org's repositories with Semgrep.

Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.