Quickstart for Semgrep Managed Scans
Semgrep Managed Scans (beta) is the fastest method to scan repositories at scale with Semgrep. Instead of adding Semgrep to your CI/CD pipeline, which requires a configuration file for each repository, Semgrep handles the scan process for all of the repositories you add.
Supported source code managers
Semgrep Managed Scans is in public beta for all existing Semgrep AppSec Platform users with:
- Hosted GitHub (GitHub.com) and GitHub Enterprise Server plans
- GitLab Cloud and GitLab self-managed plans and a Premium or Ultimate subscription
- Azure DevOps Cloud repositories
Add repositories to Semgrep Managed Scans
Instructions follow for each supported source code manager: Azure DevOps, GitHub, and GitLab.
Azure DevOps
Prerequisites
Admin access to your Azure DevOps organization.
Requirements
Read access is granted through an access token you generate on Azure DevOps. You can provide this token by adding Azure DevOps as a source code manager.
Semgrep recommends using an Azure DevOps service account rather than a personal account to set up and configure Semgrep. Whichever type of account you use, it must be assigned the Owner or Project Collection Administrator role for the organization. During setup and configuration, you must provide a personal access token generated by this account. The scopes you must assign to the token include:
- Project and Team: Read & write
- Code: Read
- Pull Request Threads: Read & write
- Service Hooks: Read & manage
Add a repository
- Sign in to Semgrep AppSec Platform
- Navigate to Projects, and click Scan new project > Semgrep Managed Scan.
- In the Enable Managed Scans for repos page, select the repositories you want to add to Semgrep Managed Scans.
- Click Enable Managed Scans. The Enable Managed Scans dialog appears. By default, Semgrep runs both full and diff-aware scans.
- Click Enable. You are taken to the Projects page as your scans begin.
GitHub
Prerequisites
Admin access to your GitHub organization.
Requirements
To enable and use this feature, you must grant Semgrep Read access to your code. Steps are provided in Add repositories to Semgrep Managed Scans.
Read access is permitted through a private Semgrep app that you create and register yourself. See Managed Scans > Security for more information on how Semgrep handles your code.
Add a repository
- Navigate to Semgrep AppSec Platform, and sign up by clicking on Sign in with GitHub. Follow the on-screen prompts to grant Semgrep the necessary permissions and proceed.
- Provide the Organization display name you'd like to use, then click Create new organization.
- When asked Where do you want to scan? click GitHub.
- Follow the steps in the Connect GitHub to Semgrep page. These steps install a public GitHub app, which handles PR comments, and a private GitHub app, which handles code access. You are able to select which repositories these apps have access to, and have full control over removing them or revoking their permissions.
- Click Set up projects. You are taken to the Enable Managed Scans for repos page.
- Select all the repositories you want to add to Semgrep Managed Scans for scanning.
- Click Enable Managed Scans. You are taken to the Projects page as your scans begin.
GitLab
Prerequisites
Admin access to your GitLab organization.
Requirements
Read access is granted through an access token that you generate on GitLab. You can provide this token by adding GitLab as a source code manager.
Add a repository
- Navigate to Semgrep AppSec Platform, and sign up by clicking on Sign in with GitLab. Follow the on-screen prompts to proceed.
- When prompted, click Scan new project > Semgrep Managed Scan.
- In the Enable Managed Scans for repos page, select the repositories you want to add to Semgrep Managed Scans.
- Click Enable Managed Scans. The Enable Managed Scans dialog appears. By default, Semgrep runs both full and diff-aware scans.
- Click Enable. You are taken to the Projects page as your scans begin.
You have finished setting up a Semgrep managed scan.
Here are some behaviors and characteristics of a managed scan:
- After enabling Managed Scans, Semgrep performs a full scan in batches on all the repositories that have been added to it.
- Once a repository has been added to Semgrep AppSec Platform, it becomes a project. A project in Semgrep AppSec Platform includes all the findings, history, and scan metadata of that repository.
- Projects scanned through Managed Scans are tagged with managed-scan.
Next steps
Once a scan has finished, you can view your findings by clicking any of the following on the navigation menu:
- Code for SAST findings
- Secrets for secrets findings
- Supply Chain for SCA findings
To learn more about how Semgrep manages your scans, read the in-depth Semgrep Managed Scans documentation.