Connect a source code manager

Your deployment journey

• You have gained the necessary resource access and permissions required for deployment.
• You have created a Semgrep account and organization.

Linking a source code manager provides the following benefits:

• Allows the Semgrep org membership to be managed by GitHub or GitLab.
• For GitHub users:
  • Provides Semgrep access to post PR or MR comments.
  • For GitHub Actions users: Enables you to add a Semgrep CI job to repositories in bulk.

You can only connect your Semgrep organization to the source code manager that you originally logged in with. If your organization uses both GitHub and GitLab to manage source code, log in with the source code manager that you would prefer to use to manage Semgrep org membership. You can still scan repositories from other sources.

The process to connect a source code manager depends on whether your SCM tool is cloud-hosted by the service provider, hosted on-premise, or hosted as a single-tenant by the service provider.

Connect to cloud-hosted orgs

GitHub Cloud

1. Sign in to Semgrep AppSec Platform.
2. On the sidebar, click the organization account you want to make a connection for.
3. Click Settings > Source Code Managers.
4. Click Connect to GitHub.
5. Review the permissions requested by Semgrep, then click Continue.
6. Click the organization you want to install Semgrep on.
7. Choose to authorize and install Semgrep for All repositories or Only select repositories.
8. Click Install and authorize.
9. After a successful link, you are signed out of Semgrep AppSec Platform automatically, as your credentials have changed after linking an organization.
10. Sign back in to Semgrep AppSec Platform.

You have successfully connected an org in Semgrep AppSec Platform with an organization in your source code management tool.

GitLab Cloud

For users of GitLab cloud-hosted plans, a connection to GitLab is created automatically after adding a Semgrep job to GitLab CI/CD. No other steps are needed.

Connect to on-premise orgs

GitHub Enterprise Server

This section is applicable to users with GitHub Enterprise Server. The Semgrep team recommends connecting to your GitHub orgs using the Semgrep App instead of using a personal access token (PAT) whenever possible.

Semgrep App (Recommended)

The Semgrep App for GitHub Enterprise (GHE) creates a connection between Semgrep and orgs in your GHE deployment. There are two primary installation steps:

1. Install the Semgrep App for the first time using the GHE organization (org) that "owns" the app.
2. Install the app for additional GHE orgs.

Initial Semgrep App installation

If your deployment contains many orgs, you must choose an org in the deployment that will act as the owner of the Semgrep app. As the owner, this org controls the settings and permissions granted to the app.

1. Log in to Semgrep AppSec Platform.
2. Go to Settings > Source Code Managers, and click Add GitHub Enterprise.
3. In the popup window, provide:
   • The Name of your GitHub Organization
   • The URL to access your deployment
   • A random string in the Access token field; this field will be optional in the future
4. Click Connect to save your changes.
5. Refresh your browser. You should see a new entry under Source code managers that displays the GHE org and instance URL you entered. Click Create App.
6. In the popup window:
   1. Ensure that:
      • You've selected Organization
      • The GitHub Organization name is populated (if not, enter the name of your org)
      • You've selected the Use for multiple GitHub orgs (Enterprise-public app) checkbox
   2. Review the permissions for the app; as the app owner, note that you can change these permissions later.
   3. Click Create GitHub App to proceed. If this step is successful, the blue Create GitHub App button turns into a gray Created button.
7. Click Install under Step 4. You are taken to your GHE instance and asked to name your app. You can choose whatever name you'd like, but Semgrep recommends that you name it something that indicates that this is the Semgrep GHE app.
8. After you name your app, choose the GHE org to which you want it installed. Select the org that you want to act as the owner of the app, and click Install.
9. Wait for the installation to complete. When done, you will be redirected to Semgrep.
10. Verify the installation by navigating to Settings > Source Code Managers. Ensure that the entry for your SCM shows a gray Installed button.
11. In GHE, you should see the app listed as installed on the GitHub Apps page. You can click Configure to choose the repositories to which the app has access. Additionally, you can go to App settings to customize the permissions granted to the app.

At this point, you've successfully installed the GHE Semgrep App on the owner GHE org. In the future, other members of your GHE instance can install the app on their GHE orgs using the public link if they have the proper permissions. You can get the public link from GHE by going to GitHub Apps > App settings.

Install the app for subsequent GHE orgs

You can install the Semgrep app onto additional GHE orgs at any time. To do so:

1. Go to the public link for the app shared with you by your admin. Click Install.
2. Choose the GHE org to which you want the app installed, and click Install.
3. In the popup confirmation message, click Install.
4. The GHE org should now be listed under Source code organizations.

You have successfully connected Semgrep to your GitHub Enterprise Server.

PAT

Connect Semgrep and GitHub Enterprise Server by creating a PAT and setting it in Semgrep AppSec Platform:

1. Sign in to Semgrep AppSec Platform.
2. Click Settings > Source Code Managers > GitHub Enterprise Server.
3. Create a PAT by following the steps outlined in this guide to creating a PAT. Ensure that the PAT is created with the required scopes:
   • public_repo
   • repo:status
   • user:email
   • write:discussion
4. Return to Semgrep AppSec Platform and enter the personal access token generated into the Access token field.
5. Enter your GHE Server base URL into the URL field.
6. Ensure that your SCM integration successfully detects repositories by setting up a CI job. Do the following steps for each repository you want to scan:

   1. Commit a `semgrep.yml` configuration file into the `.github/workflows` folder. Refer to [Sample CI configurations](/docs/semgrep-ci/sample-ci-configs#github-actions) for a template you can copy and customize.
   2. The CI job starts automatically to establish a connection with Semgrep AppSec Platform. Upon establishing a connection, your repository appears in **Semgrep AppSec Platform > [Projects](https://semgrep.dev/orgs/-/projects)** page.

GitLab Self-Managed Plans

This section is applicable to users with subscriptions to any GitLab self-managed plan.

Connect Semgrep and GitLab Self-Managed by creating a PAT and setting it in Semgrep AppSec Platform:

1. Create a PAT by following the steps outlined in this guide to creating a PAT. Ensure that the PAT is created with the required api scope.
2. Sign in to Semgrep AppSec Platform.
3. Click Settings > Source Code Managers > Add GitLab Self-Managed and enter the personal access token generated into the Access token field.
4. Enter your GLSM base URL into the URL field.
5. Ensure that your SCM integration successfully detects repositories by setting up a CI job. Do the following steps for each repository you want to scan:
   1. Create or edit your .gitlab-ci.yml configuration file to add Semgrep as part of your GitLab CI/CD pipeline. Refer to Sample CI configurations for a template you can copy and customize.
   2. Commit the updated .gitlab-ci.yml file.
   3. The CI job starts automatically to establish a connection with Semgrep AppSec Platform. Alternatively, if it does not start automatically, start the job from the GitLab CI/CD interface. Upon establishing a connection, your repository appears in Semgrep AppSec Platform > Projects page.

Next steps

• Optional: If you want to set up SSO to manage your users, see SSO authentication.
• You are ready to start your first remote scan.