Managing CI policy
Semgrep Community and Semgrep Team provide infrastructure for managing Semgrep across many projects. Create policies from their web UI and apply those policies to projects in a many-to-many mapping. A policy is a simple collection of rules and a definition of what to do with rule results: fail the Semgrep CI run and/or send non-blocking notifications to third-party services like Slack.
To create a policy, visit Manage > Policies and select “New Policy.”
Policies are often broken down by problem area (e.g., `xss`), application type (e.g., `prod-python-backend`), or blocking status (e.g., `notify-only`). There is no right way to group rules, and it changes team-to-team and organization-to-organization.
Any rule, ruleset, or pattern can be added to a policy. Look for the “Add to Policy” button.
To remove or edit the settings for a rule, ruleset, or pattern, go to Manage > Policies and select the relevant policy. You can then remove the item using the deletion `x` or change its notification settings through the “Send Notification” and “Block CI” checkboxes.
To locally test and run a policy, select your policy at Manage > Policies and use the “Download YAML” button. This YAML file can then be run locally via:
```
$ semgrep --config <path/to/yaml> <path/to/code>
```
See Getting started for instructions on downloading and running Semgrep locally.
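To show what a downloaded policy file looks like and how the local run ties back to a policy grouped by problem area, here is an added example of a small `xss` policy written as a Semgrep rules file. It is constructed for this page, not a file exported from Semgrep Community or Semgrep Team; the rule id, message text, and file name `policy-xss.yaml` are assumptions.

```yaml
# policy-xss.yaml (constructed example, not an exported policy)
# A policy is a collection of rules; each rule below uses the standard
# Semgrep rule fields: id, patterns, message, languages, severity.
rules:
  - id: django-mark-safe-on-non-literal
    patterns:
      # Flag any call to mark_safe(...) ...
      - pattern: django.utils.safestring.mark_safe(...)
      # ... except when the argument is a plain string literal, which
      # cannot carry user-controlled markup.
      - pattern-not: django.utils.safestring.mark_safe("...")
    message: >-
      mark_safe() disables auto-escaping for its argument. If the value is
      derived from user input this is a cross-site scripting (XSS) sink;
      escape the data or use format_html() instead.
    languages: [python]
    severity: ERROR
    metadata:
      category: security
      policy: xss        # constructed label matching the problem-area grouping above
```

Run it locally exactly as the page describes, substituting the downloaded file for the constructed one: `semgrep --config policy-xss.yaml path/to/code`. Findings printed locally are the same ones that, once the policy is applied to a project with “Block CI” checked, would fail the Semgrep CI run.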
To receive notifications via third-party services, like Slack or email:
- Visit Manage > Notifications to configure the services
- From Manage > Policies, select the policy you’d like to configure and select “Send Notification” for the relevant rule, ruleset, or pattern.
When Semgrep CI next runs and finds a result, the configured services will receive the finding.