Skip to main content

Managing findings


A finding is the core result of Semgrep's analysis. Findings are generated when a Semgrep rule matches a piece of code. After matching, a finding can make its way through 3 parts of the Semgrep ecosystem: Semgrep CLI, Semgrep in CI, and Semgrep Cloud Platform.

Semgrep CLI

Semgrep command line findings are produced by a specific rule matching a piece of code. Multiple rules can match the same piece of code, even if they are effectively the same rule. For example, consider the following rule and code snippet:

- id: finding-test
pattern: $X == $X
message: Finding test 1
languages: [python]
severity: WARNING
- id: finding-test
pattern: $X == $X
message: Finding test 2
languages: [python]
severity: WARNING
print(1 == 1)

Running Semgrep

semgrep --quiet --config test.yaml

Running Semgrep produces the following findings:
severity:warning rule:finding-test: Finding test 1
1:print(1 == 1)
severity:warning rule:finding-test: Finding test 2
1:print(1 == 1)

For more information on writing rules, see Rule syntax.

Semgrep CI

Semgrep CI, designed to continuously scan commits and builds, improves on Semgrep findings to track the lifetime of an individual finding. When configured to perform a diff scan, it will only show new findings relative to some specified baseline commit.

In the code, a Semgrep CI finding is defined by a 4-tuple:

(rule ID, file path, syntactic context, index)

These states correspond to:

  1. rule ID: The rule's ID within the Semgrep ecosystem.
  2. file path: The filesystem path where the finding occurred.
  3. syntactic context: The lines of code corresponding to the finding.
  4. index: An index into identical findings within a file. This is used to disambiguate findings if the same syntactic context occurs multiple times in the same file.

Semgrep Cloud Platform

Semgrep Cloud Platform builds on CI findings to track status and provide additional context for managing findings within your organization. A finding can occupy one of four statuses in Semgrep Cloud Platform: OPEN, IGNORED, FIXED, REMOVED.

Finding status

You can manage finding status through triage in Semgrep Cloud Platform's Findings page. The finding statuses are as follows:

OpenFindings are open by default. A finding is open if it was present the last time Semgrep scanned the code and it has not been ignored. An open finding represents a match between the code and a rule that is enabled in the repository. Open findings require action, such as rewriting the code to eliminate the detected vulnerability.
IgnoredFindings that are ignored are present in the code, but have been labeled as unimportant. Ignore findings that are false positives or deprioritized issues. Mark findings as ignored through Semgrep Cloud Platform (see Managing finding status or by adding a code comment (see nosemgrep comments.

Fixed findings were detected in a previous scan, but are no longer detected in the most recent scan of that same branch.

To change the state of a finding to fixed:

  1. Fix the code so the rule does not match it.
  2. Edit the Semgrep rule so it no longer matches the code.

Findings triaged across refs

Findings triaged (ignored, reopened) in a specific branch, PR, or MR are also triaged in all other branches, PRs, and MRs of a specific repository. In addition, if you filter for any other Git references (refs) on the Findings page, and then triage a finding, it is also automatically triaged in all other branches, PRs, MRs, and refs.

Findings can also be removed. A removed finding does not count towards the fix rate or the number of findings. The removed finding also does not appear in the Semgrep Cloud Platform. A finding is removed if it is not found in the most recent scan of the branch where it was detected due to any of the following conditions:

  • The rule isn't enabled on the repository anymore.
  • The file path where the finding appeared is no longer found (it was deleted, renamed, added to a .semgrepignore, added to a .gitignore or added to the list of ignored paths in Semgrep Cloud Platform).
  • For GitHub organization accounts: the PR or MR where the finding was detected has been closed without merging.

Find what you needed in this doc? Join the Semgrep Community Slack group to ask the maintainers and the community if you need help, or check out other ways to get help.