Resolve findings through the Semgrep web app
This guide explains how you can view and triage findings in bulk through the Semgrep AppSec Platform web app.
- Not all organizations allow developers to use the AppSec Platform; ask your security team if you have access.
- When triaging through Semgrep AppSec Platform, developers typically triage findings specific to their branch. Avoid triaging findings in branches that are not yours to triage.
Prerequisites
You must have an existing Semgrep org account. See Sign in to Semgrep.
Ignore findings in bulk
- Sign in to Semgrep AppSec Platform.
- Click Code for SAST findings, Secrets for secrets findings, or Supply Chain for SCA findings. You are taken to a page with all the findings for that product.
- Click Projects and branches, then click the drop-down arrow to view open branches, which are listed by their unique IDs. For example, GitHub branches are represented by their PR number.
- Click your branch. This filters the displayed findings to those specific to your PR or MR.
- Click the findings you want to triage, then click Triage.
- In the drop-down box, select a new Status, typically Ignored.
- Optional: include a comment as to why you ignored a finding.
Appendix: triage statuses
| Status | Description |
|---|---|
| Open | Findings are open by default. A finding is open if it was present the last time Semgrep scanned the code and has not been ignored. An open finding represents a match between the code and a rule enabled in the repository. Open findings require action, such as rewriting the code to eliminate the detected vulnerability. |
| Reviewing | Indicates that the finding requires investigation to determine what the next steps in the triage process should be. |
| Fixing | Findings that you have decided to fix. Commonly used to indicate that these findings are tracked in Jira or assigned to developers for further work. |
| Fixed | Fixed findings were detected in a previous scan but are no longer detected in the most recent scan of that same branch due to changes in the code. |
| Ignored | Findings that are ignored are present in the code but have been labeled as unimportant. Ignore findings that are false positives or deprioritized issues. Mark findings as ignored through Semgrep AppSec Platform or by adding a nosemgrep code comment. You can also provide a reason for why you are ignoring a finding: False positive, Acceptable risk, No time to fix. |
Removed findings
Findings can also be removed. Semgrep considers a finding removed if it is not found in the most recent scan of the branch where Semgrep initially detected it due to any of the following conditions:
- The rule that detected the finding isn't enabled in the policy anymore.
- The rule that detected the finding was updated such that it no longer detects the finding.
- The file path where the finding appeared is no longer found. The file path was deleted, renamed, added to a .semgrepignore file, added to a .gitignore file, or added to the list of ignored paths in Semgrep AppSec Platform.
- For GitHub organization accounts: the PR or MR where the finding was detected has been closed without merging.
Your removed findings do not count toward the fix rate or the number of findings. The removed findings also do not appear in Semgrep AppSec Platform.
Findings triaged (ignored, reopened) in a specific branch, PR, or MR are also triaged in all other branches, PRs, and MRs of a particular repository. Additionally, if you filter for Git references (refs) on the Findings page, then triage a finding, the finding is also automatically triaged in all other branches, PRs, MRs, and refs.