Skip to main content
  • Semgrep App
  • Community Tier
  • Team & Enterprise Tier

Managing findings in Semgrep App

A finding is the core result of Semgrep analysis. Findings are generated when a Semgrep rule matches a piece of code.

Semgrep App Findings page
Figure 1. Screenshot of findings page.

A finding can be categorized in two ways:

  1. Finding categorization based on the issue or code it detects:

    • Anti-patterns
    • Security vulnerabilities (such as dangerous function usage)
    • Business or logic bugs
    • Matches based on your own custom rules (such as organization-specific authentication logic)

    Semgrep rules provide a metadata schema to identify common categories such as the above. Semgrep findings include a message field that describes the security issue or bug found in matching code. Additionally, findings can provide a fix field that fixes the issue by creating a suggestion within your source code management (SCM) tool, such as GitHub or GitLab.

  2. Finding categorization based on the validity of the match:

    True positive
    Rules are written to match a certain code pattern. A true positive is a genuine match. The rule is capturing the code as intended.
    False positive
    A false positive is a mismatch between the intended purpose of the rule and the code it matched. A finding is generated but does not meet the rule's intended need. Rules with a high false positivity rate are said to be noisy.
    False negative
    A false negative is a finding that should have been found by a rule, but was not. This can happen for two reasons:

Working with findings​

After a finding is generated, developers can:

  • Fix the issue detected by the finding. This is Semgrep's primary goal. In this case, the rule produces a true positive finding (such as a security issue) as intended and developers must change or address the code such that the rule no longer matches it.
  • View the Semgrep rule and the matching code. For developers aiming to understand their team's security posture, Semgrep provides a top-level report view through the Dashboard and a list view of findings in the Findings page that can be filtered by repository, rule, branch, or triage action.
  • Triage the finding. If the finding is not useful or important, deprioritize it through triage. Triage actions include ignoring and reopening. Triaging a finding to ignore it is one method to handle false positives without changing the rule or code. To triage a finding, see Managing finding status
  • Remove the rule or code that generated the finding. There are cases where Semgrep scans a file not meant for scanning or when a rule is irrelevant. You can remove the rule from the Rule board or add the file to the ignore list. To remove a rule, see Removing rules or rulesets.
  • Create a Jira ticket from the finding (for Enterprise/Team Tier users.) For findings that require more extensive refactoring, users can create a ticket in Jira through Semgrep App to track its resolution.
tip
  • An additional method to address false positives is to improve the rule. Create test cases to ensure that the rule performs as intended.
  • If a rule from Semgrep Registry is useful but also captures too many false positives, you can reach out to support@semgrep.dev. This helps rule-writing efforts and improves the quality of rules that you run.
  • Additionally, you can report rules with a high false positive rate from your SCM if you have enabled Semgrep App to leave comments in PRs. Semgrep App provides a link after each comment for users to indicate if the finding is a false positive.

Understanding retention periods​

The Semgrep App Finding page displays findings across all projects connected to Semgrep App. It is updated after every scan. Scans are initiated through your CI/CD pipeline, such as GitHub actions. The retention period of these findings varies based on your organization’s tier:

Retention periodTier availability
30-day findings retentionCommunity (Free)
5 years retentionTeam/Enterprise

Viewing data on the Findings page​

  1. Sign in to Semgrep App.
  2. Click Findings on the left sidebar.

Understanding the Findings page​

The Findings page consists of:

  • Findings filter panel: Panel which lets you filter for different findings.
  • Findings information: Gives you details about findings. Each finding in the list includes rule name, Rule Board action column description, link to findings detail page, rule message, repository name, link to Git branch name, link to the reported file, and reported line of code. Findings information panel
    Figure 2. Findings information panel.

Triaging findings​

Triaging means prioritizing a finding based on a policy or criteria set by your team or organization. While severity is a factor in triage, your organization may define additional criteria based on coding standards, business, or product goals.

Semgrep App uses the logic specified in the table below to automatically mark findings as either fixed or removed when a finding is no longer present in the code. You can also ignore findings in Semgrep App directly through triage or bulk triage.

The triage statuses are as follows:

StatusDescription
OpenFindings are open by default. A finding is open if it was present the last time Semgrep scanned the code and it has not been ignored. An open finding represents a match between the code and a rule that is enabled in the repository. Open findings require action, such as rewriting the code to eliminate the detected vulnerability.
IgnoredFindings that are ignored are present in the code, but have been labeled as unimportant. Ignore findings that are false positives or deprioritized issues. Mark findings as ignored through Semgrep App (see Managing finding status) or by adding a code comment (see nosemgrep comments).
Fixed

Fixed findings were detected in a previous scan, but are no longer detected in the most recent scan of that same branch.

To change the state of a finding to fixed:

  1. Fix the code so the rule does not match it.
  2. Edit the Semgrep rule so it no longer matches the code.

Findings can also be removed. A removed finding does not count towards the fix rate or the number of findings. The removed finding also does not appear in the Semgrep App. A finding is removed if it is not found in the most recent scan of the branch where it was detected due to any of the following conditions:

  • The rule isn't enabled on the repository anymore.
  • The file path where the finding appeared is no longer found (it was deleted, renamed, added to a .semgrepignore, added to a .gitignore or added to the list of ignored paths in Semgrep App).
  • The PR or MR where the finding was detected has been closed without merging.

Filtering findings​

Filtering allows you to easily isolate groups of findings for ease in triaging and identifying related groups of issues. The following criteria are available for filtering:

FilterDescription
StatusFilter for different findings triage states. Refer to the following table to understand triage states.
ProjectsFilter by repositories connected to Semgrep App.
BranchesFilter by findings in different branches.
RulesFilter by rules or rulesets that are included in your Rule Board. More than one rule can be selected for filtering.
RulesetsFilter by name of the ruleset where rules that matched the code belong.
ActionsFilter by monitoring, commenting, or blocking rules in your Rule Board.
SeverityFilter by the severity of a finding. Possible values:
  • Low
  • Medium
  • High

To filter through all findings:

  1. Click the filter criteria drop-down box.
  2. Enable displayed checkbox or write in a field value by which the findings are filtered.
  3. The page then refreshes to reflect the additional criteria.
  4. Additional values may be selected to further refine your filter.

Managing finding status​

To manage, change, open or ignore findings, follow the the triage processes described below. Screenshot of Semgrep App triage menu
Figure 3. Findings page triage menu.

Ignoring findings​

Ignoring multiple findings​

To ignore multiple findings, follow these steps:

  1. On the Findings page, click the Status filter, and then select Open status to see all open findings.
  2. Perform one of these steps:
    • Select all findings by clicking on the header row checkbox that states Showing X open findings. You can navigate to succeeding pages and add other results to the current selection.
    • Select more findings by clicking on their checkboxes.
  3. Click the Triage button.
  4. Optional: Select a reason of why you are ignoring a finding. Choose either: False positive, Acceptable risk, No time to fix
  5. Select Ignored from the dropdown menu.
  6. Click Save.
Ignoring individual findings​

To ignore individual findings, follow these steps:

  1. On the Semgrep App Findings page, click the Status filter, and then select Open status to see all open findings.
  2. Next to a finding you want to ignore, click the Ignore .
  3. Optional: Select a reason of why you are ignoring a finding. Choose either: False positive, Acceptable risk, No time to fix
  4. Click Save.
  5. Optional: Select whether you want to ignore all findings in Just this file, This directory, or Parent directory. This step is accessible only with permission to modify policies or repository settings.
  6. Optional: Enable the checkbox to: Remove this rule from Rule board. This removes the related rule that matched the finding.
  7. Click Done.
note

If you ignore all findings in Just this file, This directory, or Parent directory in the fifth step of the procedure above, these files or directories are added to .semgrepignore file. For more information, see Ignoring files, folders, or parts of code.

Reopening findings​

Reopening multiple findings​

To open findings, follow these steps:

  1. On the Findings page, click the Status filter, and then select Ignored or Fixed status to see all ignored or fixed findings.
  2. Perform one of these steps:
    • Select all findings by clicking on the header row checkbox that states Showing X open findings. You can navigate to succeeding pages and add other results to the current selection.
    • Select relevant findings one by one by clicking on their checkboxes.
  3. Click the Triage button.
  4. In the Triage state dropdown menu, select Reopened.
  5. Click Save.
Reopening individual findings​

To open individual findings, follow these steps:

  1. On the Findings page, click the Status filter, and then select Ignored or Fixed status to see all ignored or fixed findings.
  2. Next to a finding you want to ignore, click the Reopen .
  3. Optional: Add a note.
  4. Click Save.

Fixing a finding​

To fix a finding:

  1. Update, or refactor the code such that the Semgrep rule pattern no longer matches the code.

Removing a rule​

To remove a rule from the Rule board:

  1. In Semgrep App, click Rule board.
  2. Click the ruleset that contains the rule.
  3. Click the Remove ruleset icon next to the rule you're deleting.
  4. Click Save.
info
  • Individual rules within rulesets can only be disabled, not deleted. To disable an individual rule in Rule board, click the toggle to disable the rule.
  • When you remove a rule from the Rule Board, all associated findings on Findings page and Dashboard page are removed also.

You can also remove a rule on the Findings page, to do so, follow these steps:

  1. Go to the Semgrep App Findings page.
  2. Next to a finding with status Open, click the Ignore .
  3. Optional: Select a reason of why you are ignoring a finding. Choose either: False positive, Acceptable risk, No time to fix
  4. Click Save.
  5. Optional: Select whether you want to ignore all findings in Just this file, This directory, or Parent directory.
  6. Enable the checkbox to: Remove this rule from Rule board. This removes the related rule that matched the finding.

Viewing and adding comments to finding's history​

To view and add comments to history of a finding:

  1. Click the Finding details icon next to the finding’s status.
  2. Find the comments in the History section. Semgrep App finding details page
    Figure 4. Findings details page.

Ignoring findings through comments​

Triage your Semgrep App findings displayed as comments in GitHub PRs by replying with another comment.

Prerequisites
  • A private GitHub.com repository. This feature is not enabled for public GitHub.com repositories or Github Enterprise public and private repositories.
  • GitHub Semgrep App installed in the repository that is also added as a project in Semgrep App. For more information, see Getting started with Semgrep in continuous integration (CI).

To enable triage through comments, follow these steps:

  1. In Semgrep App, go to your organization's Settings page.
  2. Enable the Triage via comment toggle.

To triage a finding in GitHub, follow these steps:

  1. Find an open comment created by Semgrep App in GitHub PR: Screenshot of Semgrep App comment in GitHub
    Figure 5. Screenshot of Semgrep App comment in GitHub.
  2. In the comment, reply with:
    /semgrep ignore <reason>
  3. Substitute the colored placeholder <reason> with any text that can help to understand why the status of a comment is ignored.
info

Ignoring a finding through a comment in GitHub changes the status of the finding to ignored in the Semgrep App. See Findings page documentation for more details. The GitHub conversation itself is not automatically resolved by this process.

tip

You can also reopen a finding that was previously ignored. To do so, in step 2. of the procedure above, use /semgrep open. For /semgrep open the reason field is optional.

Creating Jira tickets from findings​

Semgrep supports the creation of Jira tickets from a finding. This enables developers and project managers to create relevant issues within their project or bug-tracking environment. This feature is available to Team/Enterprise Tier users.

To create a ticket:

  1. Set up a Jira integration through the Integrations guide.
  2. Click the three-dot icon of the entry.
  3. Click Create issue with Jira.

Deduplicating findings​

Semgrep App scans are performed on both mainline (trunk) and non-mainline branches. Semgrep App generates findings on a per-branch basis. Duplicate findings arise due to scans occurring on the same code in different branches.

There are two types of scans:

Full scan
Scans the repository in its entirety. It is recommended to perform full scans on mainline branches, such as `master` or `main`. This scan is performed on a scheduled basis.
Diff-aware scan
Diff-aware scans are performed on non-mainline branches, such as in pull requests and merge requests. Diff scans traverse the repository's files based on the commit where the branch diverged from the mainline branch (or diverged from the last commit that was fully scanned?)

If a finding is fixed in one branch (such as main) but open in another (such as production), and the code fixes are present in both branches, initiate a scan through your CI job or SCM tool on the branch(es) with open findings to have Semgrep mark the findings as fixed.

See also​

Additional references​


Find what you needed in this doc? Join the Slack group to ask the maintainers and the community if you need help.