Managing CI policy

Semgrep Community and Semgrep Team provide infrastructure for managing Semgrep across many projects. Create policies from their web UI and apply those policies to projects in a many-to-many mapping. A policy is a simple collection of rules and a definition of what to do with rule results: fail the Semgrep CI run and/or send non-blocking notifications to third-party services like Slack.

Sample policy with rules set to send notifications and block builds

Creating policy

To create a policy, visit Manage > Policies and select “New Policy.”

Policies are often broken down by problem area (e.g., xss), application type (e.g., prod-python-backend), or blocking status (e.g., notify-only). There is no single right way to group rules; it varies from team to team and from organization to organization.

Editing policy

Any rule, ruleset, or pattern can be added to a policy. Look for the “Add to Policy” button.

A ruleset with an "Add to Policy" button visible

To remove or edit the settings for a rule, ruleset, or pattern, go to Manage > Policies and select the relevant policy. You can then remove the item using the deletion x or change its notification settings through the “Send Notification” and “Block CI” checkboxes.

Policy with deletion button active

Downloading policy

To locally test and run a policy, select your policy at Manage > Policies and use the “Download YAML” button. This YAML file can then be run locally via:

$ semgrep --config <path/to/yaml> <path/to/code>
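As an added illustration (constructed for this page, not a YAML downloaded from the Semgrep App), here is a policy file in the Semgrep rules format that the download produces, assumed to be a plain rules file: two hypothetical rules for a "prod-python-backend" policy, one flagging shell-enabled subprocess calls and one flagging Flask started in debug mode. Save it as policy.yml and run `semgrep --config policy.yml <path/to/code>`:

```yaml
# Constructed example policy; rule ids and messages are hypothetical.
rules:
  - id: prod-python-backend.subprocess-shell-true
    # Match any subprocess entry point called with shell=True,
    # regardless of position or other keyword arguments.
    patterns:
      - pattern-either:
          - pattern: subprocess.call(..., shell=True, ...)
          - pattern: subprocess.run(..., shell=True, ...)
          - pattern: subprocess.Popen(..., shell=True, ...)
          - pattern: subprocess.check_output(..., shell=True, ...)
    message: >-
      subprocess call with shell=True. If any part of the command is
      user-controlled this is OS command injection; pass an argument
      list and drop shell=True.
    languages: [python]
    severity: ERROR
    metadata:
      category: security
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"

  - id: prod-python-backend.flask-debug-enabled
    # $APP binds to whatever variable holds the Flask application.
    pattern: $APP.run(..., debug=True, ...)
    message: >-
      Flask application started with debug=True. The interactive
      debugger exposes code execution and must not reach production;
      read the setting from configuration instead.
    languages: [python]
    severity: WARNING
    metadata:
      category: security
```

The YAML carries only the rules; the “Send Notification” and “Block CI” choices made in the UI are not in the file, so a local run simply reports every match.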

Info

See Getting started for instructions on downloading and running Semgrep locally.

Notifications

To receive notifications via third-party services, like Slack or email:

  1. Visit Manage > Notifications to configure the services.
  2. From Manage > Policies, select the policy you’d like to configure and select “Send Notification” for the relevant rule, ruleset, or pattern.

When Semgrep CI next runs and finds a result, the configured services will receive the finding.