Skip to main content

Resolve findings in your pull or merge request

Findings resolution involves the assessment of a finding, then either fixing or ignoring it. You can fix or triage findings from your source code manager (SCM); fixing or triaging (ignoring) does not require a Semgrep AppSec Platform account.

Findings are primarily presented to developers through pull request (PR) or merge request (MR) comments. These findings are generated from rules that your AppSec team has vetted or approved.

Findings from these rules are meant to be fixed or remediated rather than ignored unless the finding is a false positive.

In typical coding workflows, it is recommended to fix or ignore findings as part of your code review process; the results of triage or remediation in your SCM are synchronized with Semgrep AppSec Platform.

However, if you have accumulated many findings to ignore, it may be faster to perform bulk triage actions in Semgrep AppSec Platform. See Resolve findings through the Semgrep web app.

Prerequisites and optional features

  • The procedures described in this guide rely on PR or MR comments. Ensure that your security team has enabled this feature.
  • To receive AI-assisted remediation, your security team must enable the Semgrep Assistant feature.

Your SCM is the most common environment in which to fix findings. Semgrep provides several features to help you fix findings quickly.

Parts of a PR or MR comment

Semgrep findings are typically posted in your PR or MR. The following image displays the parts of a Semgrep PR comment in GitHub; this example appears in a similar form in GitLab and other SCMs:

An example of a PR comment with various sections annotated. Figure. An example of a PR comment with various sections annotated.

A - Block indicator
This appears if a finding fails the CI job. Organizations typically block PRs or MRs with failed jobs.
B - Finding description
A human-written description always appears in a PR or MR comment, describing why your code is flagged. References may also be included to help you learn more about the finding.
C - Dataflow graph
Some Code findings have a dataflow graph, which indicates that the finding was detected through taint analysis. The dataflow graph provides the lines of code identifying sources, sinks, and traces of unsanitized data flowing through your program. You can click the links on the boxes to take you to the lines of code.
D - Resolution or remediation section
Various options are provided to help your resolve the finding. Depending on the type of finding, resolution options may vary.
E - Ignore instructions
Click to view instructions about how to ignore the finding by replying to the comment.

Resolve findings

Different types of findings require different remediations. The following sections describe how Semgrep can help you resolve a finding.

Autofix

Some Semgrep Code findings provide an autofix, which can be human-written or generated by Semgrep Assistant. The fix can be committed directly, such as by clicking Commit suggestion in GitHub repositories. This is the fastest way to fix a finding.

All Semgrep-supported SCMs provide this feature.

GitHub PR comment with fix suggestion. Figure. GitHub enables you to commit the suggestion from Semgrep directly, fixing the finding.

info

If a line of code contains several findings, Semgrep does not provide the autofix or Commit suggestion feature to prevent fixes from conflicting.

Semgrep Assistant remediations

Semgrep Assistant provides the following AI-powered security recommendations:

  • Step-by-step instructions.
  • AI-written code fixes if a human-written autofix is not available and a code fix can resolve the finding.
  • "Safe to ignore" suggestions.

PR comment with an AI-written fix. Figure. PR comment with an AI-written fix and step-by-step instructions.

Semgrep Assistant suggesting that a finding is safe to ignore. Figure. Semgrep Assistant suggesting that a finding is safe to ignore.

Ignore findings

If the finding is a false positive, acceptable risk, or similar, you can choose to ignore the finding. You can ignore findings directly from your SCM by replying to the finding comment.

  1. Find an open comment created by Semgrep AppSec Platform in your pull request or merge request: Screenshot of Semgrep AppSec Platform comment in GitHub

  2. In a subsequent comment, reply with the action you want to take. You must provide a reason to help the reader understand why the finding has been triaged as ignored:

    CommentDescription
    /fp <REASON>Triage a finding as Ignored with the triage reason false positive.
    /ar <REASON>Triage a finding as Ignored with the triage reason acceptable risk.
    /other <REASON>Triage a finding as Ignored without specifying the reason; the triage reason value is set to No triage reason.
    /open <REASON>Reopen a finding that has been triaged as Ignored. The comment is optional.
    /remember <REASON>Add Assistant Memories.

A completed triage flow. Figure. A completed triage flow.

Re-run a job or workflow

After resolving or triaging the findings in your PR or MR, you must re-run the Semgrep job or workflow. See the following list for a link to your CI provider's documentation:

Appendix: triage statuses

Click to view all triage statuses.
StatusDescription
OpenFindings are open by default. A finding is open if it was present the last time Semgrep scanned the code and has not been ignored. An open finding represents a match between the code and a rule enabled in the repository. Open findings require action, such as rewriting the code to eliminate the detected vulnerability.
ReviewingIndicates that the finding requires investigation to determine what the next steps in the triage process should be.
FixingFindings for which you have decided to fix. Commonly used to indicate that these findings are tracked in Jira or assigned to developers for further work.
FixedFixed findings were detected in a previous scan but are no longer detected in the most recent scan of that same branch due to changes in the code.
IgnoredFindings that are ignored are present in the code but have been labeled as unimportant. Ignore findings that are false positives or deprioritized issues. Mark findings as ignored through Semgrep AppSec Platform or by adding a nosemgrep code comment. You can also provide a reason for why you are ignoring a finding: False positive, Acceptable risk, No time to fix.

Removed findings

Findings can also be removed. Semgrep considers a finding removed if it is not found in the most recent scan of the branch where Semgrep initially detected it due to any of the following conditions:

  • The rule that detected the finding isn't enabled in the policy anymore.
  • The rule that detected the finding was updated such that it no longer detects the finding.
  • The file path where the finding appeared is no longer found. The file path was deleted, renamed, added to a .semgrepignore file, added to a .gitignore file, or added to the list of ignored paths in Semgrep AppSec Platform.
  • For GitHub organization accounts: the PR or MR where the finding was detected has been closed without merging.

Your removed findings do not count toward the fix rate or the number of findings. The removed findings also do not appear in Semgrep AppSec Platform.

Findings triaged across refs

Findings triaged (ignored, reopened) in a specific branch, PR, or MR are also triaged in all other branches, PRs, and MRs of a particular repository. Additionally, if you filter for Git references (refs) on the Findings page, then triage a finding, the finding is also automatically triaged in all other branches, PRs, MRs, and refs.

Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.