
Create a Semgrep account and set up organizations

Your deployment journey
  • Add the rest of your organization (org) members to Semgrep.
  • Configure Semgrep to scan repositories in other source code managers, such as Bitbucket.
Using SSO for your initial sign-in

Alternatively, if you don't have a GitHub or GitLab account, reach out to sales@semgrep.com to set up SSO so that you can sign in through your identity provider instead.

Semgrep AppSec Platform

Semgrep AppSec Platform is where you manage all Semgrep Pro products. In it, you can:

  • View and manage your Semgrep findings.
  • Customize how Semgrep scans your code.
  • Manage the users associated with your Semgrep organization.
  • Set up alerts and notifications, including Slack alerts, emails, and pull request or merge request comments pushed to your source code manager.

Initial sign-in to Semgrep AppSec Platform

The following steps walk you through creating a user account and your first organization:

To sign in using your GitHub account:

  1. Go to the Semgrep login page and click Sign in with GitHub.
  2. Provide your credentials to sign in to GitHub.
  3. Follow the on-screen prompts to grant Semgrep the needed permissions and proceed.
  4. Provide an organization name when prompted. This organization name is typically the name of the org in GitHub that you want to connect Semgrep to. For individual users, this can also be a personal account.
  5. After you are redirected back to Semgrep AppSec Platform, click Accept to accept Semgrep's Terms of Service.

You have successfully created an account and your first organization.

Set up organizations

Organizations (orgs) in Semgrep enable users to share access to, and management of, Semgrep resources such as findings and reports.

Semgrep organizations can be connected to equivalent GitHub, GitLab, and SSO organizations, which enables users from those organizations to easily join your Semgrep deployment through their existing credentials.

Next steps for GitHub and GitLab users

Next steps for Bitbucket and Azure Repos users

  • To add members to your Semgrep organization, set up SSO authentication.
  • You can also opt to scan a repository instead.

Appendices

Note: These sections are helpful, but are not necessary to set up a deployment.

How Semgrep organizations work

Users can have more than one organization, and an organization can consist of one or many user accounts. Users must belong to at least one organization when they first sign in to Semgrep.

Organizations can be as small as a single user in a department, or encompass whole companies.

By default, orgs do not manage any authentication or repositories. You add users and resources to an org by connecting it to an SCM or SSO provider, or by setting up a Semgrep scan.

Once you have connected to your SSO or SCM, any team member from your GitHub, GitLab, or SSO organization can sign in to Semgrep. This includes developers who are not part of your security team. To control which resources they can see and which policies they can change, configure their role through the user access control features.

Create additional orgs

After you create your first org, you can create multiple orgs to group related resources together:

  1. In Semgrep AppSec Platform, click the drop-down box with your organization name in the sidebar.
  2. Click Add org.
  3. Click Create an organization.
  4. In the popup, provide an Organization display name.

Organization setup examples

The following examples illustrate what a completed organizational set-up can look like.

Single-user organization in GitLab

  • In this example, a single GitLab user, john-doe, has a Semgrep org account with the same name.
  • He has set up his CI workflow to scan repo-A and repo-B in his GitLab account. The CI job sends scan results (findings) to Semgrep AppSec Platform.
  • This is similar to a personal account in GitHub or GitLab.
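For the CI workflow described above, the following is an added example (not taken from this page or from Semgrep's own documentation) of what the GitLab CI job in repo-A and repo-B could look like. The job name, the stage, and the name of the masked CI/CD variable holding the token are assumptions; `semgrep ci` and the `SEMGREP_APP_TOKEN` variable are the mechanism by which findings are sent to Semgrep AppSec Platform.

```yaml
# Added example: a minimal .gitlab-ci.yml job that runs Semgrep and sends
# findings to Semgrep AppSec Platform for the john-doe org.
# Assumption: SEMGREP_APP_TOKEN is defined in the project's CI/CD settings as
# a masked and protected variable, never committed to the repository.
semgrep:
  image: semgrep/semgrep
  stage: test
  script:
    # `semgrep ci` picks up the org's rules/policies and uploads findings
    # when SEMGREP_APP_TOKEN is present in the environment.
    - semgrep ci
  variables:
    # Pass the token through from CI/CD settings; do not hardcode it here.
    SEMGREP_APP_TOKEN: $SEMGREP_APP_TOKEN
  rules:
    # Scan merge requests (so MR comments can be posted) and the default branch.
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

The token is scoped to the Semgrep org, so the same variable can be reused across repo-A and repo-B; treat it as a secret, since whoever holds it can submit findings into that org.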

Figure. A simple example of a single-user, single-org setup (a personal account).

Enterprise org with SSO and multiple orgs in GitHub

In this example, a parent-company has multiple subsidiaries, and wants to use SSO for user authentication:

  • Each subsidiary is its own GitHub organization.
  • The security team is responsible for all subsidiaries in parent-company. Thus, the security team is a part of all subsidiaries.
  • The parent-company enforces SSO for all of its subsidiaries.
  • Here, membership (via SSO) and repository scanning (via GitHub) are managed by two different services.

The Semgrep deployment could look like this:

  • Each GitHub org has a corresponding Semgrep org.
  • The security team has configured SSO for each Semgrep org.
    • This means that team-member-R can also access subsidiary-1-org. The resources they are able to view or change can be constrained through roles.

Figure. A complex organization setup using SSO and multiple GitHub orgs.

Join an existing org

This section is for team members who have been invited to join a Semgrep organization.

To join an existing org in GitHub or GitLab:

  1. Sign in to Semgrep AppSec Platform with the account credentials specified by your admin.
  2. Follow the on-screen prompts to grant Semgrep the needed permissions and proceed.
  3. Click Join an existing organization.

Delete an existing org

Reach out to support@semgrep.com to delete an organization.