Why do new rules keep appearing in Comment or Block mode?
Semgrep AppSec Platform Policies can contain both individual rules and rulesets, which are curated groups of rules recommended for particular purposes. All organizations start with two rulesets: the default ruleset, which is a good starter pack for security teams, and the comment ruleset, which is a good starter pack for developers.
As Semgrep adds new rules to improve coverage, some of these rules are also added to rulesets. If you add a ruleset to your organization's policies, any new rules added to the ruleset automatically become a part of your policies as well.
The default and comment rulesets are initially added in Monitor mode, where the findings generated by the rules are primarily intended for security teams to review. You can also add new rulesets to your policies from the Semgrep Registry.
When you add a ruleset through the registry, you can add it in any policy mode: Monitor, Comment, or Block. The mode you choose will determine the mode for future rules that are added to that ruleset.
Even if you later change some or all of a ruleset's rules to a different mode, the ruleset's default mode does not change. Therefore, when Semgrep adds new rules to that ruleset, they arrive in the mode originally chosen for the ruleset, not in the mode you moved its existing rules to.
Change the default mode for a ruleset
To change the default mode for a ruleset, follow the same process as for adding a new ruleset to your policies and select the desired default mode.
After adding the ruleset in the default mode, you can then change any individual rule modes for rules that you prefer to keep in a different mode.
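The following is an added illustration, not Semgrep's own code or API: a small Python model of the policy behaviour described above. A ruleset remembers the mode it was added in, per-rule overrides do not alter that default, a rule Semgrep later adds to the ruleset inherits the ruleset default, and re-adding the ruleset in a new mode resets the default (the ruleset and rule names are placeholders). It also includes a check for rules whose mode drifts from their ruleset default, which is the situation this FAQ is about.

```python
from dataclasses import dataclass, field

MODES = ("monitor", "comment", "block")


@dataclass
class Ruleset:
    name: str
    default_mode: str                      # mode chosen when the ruleset was added
    rules: list = field(default_factory=list)


class Policy:
    """Model of the mode-inheritance behaviour described in the FAQ (an assumption-based
    illustration, not Semgrep's implementation)."""

    def __init__(self):
        self.rulesets = {}
        self.rule_modes = {}               # effective mode of each individual rule

    def add_ruleset(self, name, mode, rules):
        """Add (or re-add) a ruleset in a chosen policy mode; re-adding resets the
        default and, as the page reads, puts every rule back into that mode."""
        if mode not in MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.rulesets[name] = Ruleset(name, mode, list(rules))
        for rule in rules:
            self.rule_modes[rule] = mode

    def set_rule_mode(self, rule, mode):
        """Override one rule's mode; the ruleset's default mode is untouched."""
        if mode not in MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.rule_modes[rule] = mode

    def registry_adds_rule(self, ruleset_name, rule):
        """Semgrep adds a new rule to a subscribed ruleset: it inherits the ruleset
        default, regardless of what its sibling rules were changed to."""
        ruleset = self.rulesets[ruleset_name]
        ruleset.rules.append(rule)
        self.rule_modes[rule] = ruleset.default_mode

    def drifted_rules(self, ruleset_name):
        """Rules whose effective mode differs from their ruleset's default mode."""
        ruleset = self.rulesets[ruleset_name]
        return sorted(r for r in ruleset.rules
                      if self.rule_modes[r] != ruleset.default_mode)


def scenario_new_rule_appears_in_block():
    """Placeholder ruleset added in Block, rules moved to Monitor, then a new rule arrives."""
    p = Policy()
    p.add_ruleset("example-ruleset", "block", ["rule-a", "rule-b"])
    p.set_rule_mode("rule-a", "monitor")
    p.set_rule_mode("rule-b", "monitor")
    p.registry_adds_rule("example-ruleset", "rule-c")   # lands in block
    return dict(p.rule_modes), p.drifted_rules("example-ruleset")


def scenario_after_changing_default():
    """Same start, but the ruleset is re-added in Monitor before the new rule arrives."""
    p = Policy()
    p.add_ruleset("example-ruleset", "block", ["rule-a", "rule-b"])
    p.add_ruleset("example-ruleset", "monitor", ["rule-a", "rule-b"])
    p.registry_adds_rule("example-ruleset", "rule-c")   # lands in monitor
    return dict(p.rule_modes), p.drifted_rules("example-ruleset")
```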