Quickstart for Semgrep Managed Scans
Semgrep Managed Scans (beta) is the fastest method to scan repositories at scale with Semgrep. Instead of adding Semgrep to your CI/CD pipeline, which requires a configuration file for each repository, Semgrep handles the scan process for all of the repositories you add.
Supported source code managers
Semgrep Managed Scans is available for GitHub-hosted (GitHub.com) and GitHub Enterprise Server plans.
Semgrep Managed Scans is in private beta for users with GitLab Cloud and GitLab self-managed plans. Contact your Semgrep account executive or email the Support team at support@semgrep.com to obtain access.
Add repositories to Semgrep Managed Scans
- GitHub
- GitLab
Requirements
To enable and use this feature, you must grant Semgrep Read access to your code. Steps are provided in Add repositories to Semgrep Managed Scans.
Read access is permitted through a private Semgrep app that you create and register yourself. See Managed Scans > Security for more information on how Semgrep handles your code.
Prerequisites
Admin access to your GitHub organization.
Add a repository
- Navigate to Semgrep AppSec Platform, and sign up by clicking on Sign in with GitHub. Follow the on-screen prompts to grant Semgrep the necessary permissions and proceed.
- Provide the Organization display name you'd like to use, then click Create new organization.
- When asked Where do you want to scan? click GitHub.
- Follow the steps in the Connect GitHub to Semgrep page. These steps install a public GitHub app, which handles PR comments, and a private GitHub app, which handles code access. You are able to select which repositories these apps have access to, and have full control over removing them or revoking their permissions.
- Click Set up projects. You are taken to the Enable Managed Scans for repos page.
- Select all the repositories you want to add to Semgrep Managed Scans for scanning.
- Click Enable Managed Scans. You are taken to the Projects page as your scans begin.
Requirements
Read access is granted through an access token that you generate on GitLab. You can provide this token by adding GitLab as a source code manager.
Prerequisites
Admin access to your GitLab organization.
Add a repository
- Navigate to Semgrep AppSec Platform, and sign up by clicking on Sign in with GitLab. Follow the on-screen prompts to proceed.
- When prompted, click Scan new project > Semgrep Managed Scan.
- In the Enable Managed Scans for repos page, select the repositories you want to add to Semgrep Managed Scans.
- Click Enable Managed Scans. The Enable Managed Scans dialog appears. By default, Semgrep runs both full and diff-aware scans.
- Click Enable. You are taken to the Projects page as your scans begin.
You have finished setting up a Semgrep managed scan.
Here are some behaviors and characteristics of a managed scan:
- After enabling Managed Scans, Semgrep performs a full scan in batches on all the repositories that have been added to it.
- Once a repository has been added to Semgrep AppSec Platform, it becomes a project. A project in Semgrep AppSec Platform includes all the findings, history, and scan metadata of that repository.
- Projects scanned through Managed Scans are tagged with
managed-scan.
Next steps
Once a scan has finished, you can view your findings by clicking any of the following on the navigation menu:
- Code for SAST findings
- Secrets for secrets findings
- Supply Chain for SCA findings
To learn more about how Semgrep manages your scans, read the in-depth Semgrep Managed Scans documentation.
Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.