
Enable Azure pull request comments


Semgrep can create pull request (PR) comments in your Azure DevOps repository. These comments provide a description of the issue detected by Semgrep and may offer possible solutions. These comments are a means for security teams, or any team responsible for creating standards, to help their fellow developers write safe and standards-compliant code.

Automated comments on Azure DevOps pull requests are displayed as follows:

Figure. An inline Azure DevOps pull request comment.

Conditions for PR comment creation

PR comments appear for the following types of scans under these conditions:

Type of scan: Static application security testing (SAST)
Product name: Semgrep Code
Trigger condition: A comment appears when a finding is generated by a rule in Comment or Block mode, so you control exactly which findings produce comments for your developers.
How to set up: Complete the steps in the following sections:
  1. Confirm your Semgrep account's connection and access to your source code manager.
  2. Configure comments for Semgrep Code.

Type of scan: Software composition analysis (SCA)
Product name: Semgrep Supply Chain (SSC)
Trigger condition: A comment appears only when the finding is reachable or when Semgrep detects a license violation.
How to set up: Complete the steps in Confirm your Semgrep account's connection to receive Supply Chain PR comments, and enable dependency search to receive license violation PR comments.

Type of scan: Secrets
Product name: Semgrep Secrets
Trigger condition: A comment appears for validated secrets.
How to set up: This product is in beta. Contact support@semgrep.com to enable comments.

Comments from Supply Chain scans include the following information:

Risk
A description of the vulnerability, including the types of attack it is vulnerable to.
Fix
Indicates what versions to upgrade to, if any, that resolves or eliminates the vulnerability.
Reference
A link to additional information about the vulnerability from GitHub Advisory Database and the National Vulnerability Database (NVD), if available.
info

Pull or merge requests with vulnerabilities detected by SSC are not blocked from merging.

Steps to set up PR comments

Prerequisites

Semgrep currently supports repositories hosted by Azure DevOps Cloud.

In addition to finishing the previous steps in your deployment journey, complete a full scan on the default branch of the repository in which you want to receive comments before enabling them. PR scans are diff-aware and compare against that branch, so without a baseline every pre-existing finding would surface as new.

Confirm your Semgrep account's connection

PR comments are enabled by default for users who have connected their Azure DevOps organization (org) to Semgrep AppSec Platform. Confirm that you have the correct connection and access:

  1. In your Semgrep AppSec Platform account, click Settings > Source code managers.
  2. Check that an entry for your Azure DevOps org exists and is correct.

Configure comments for Semgrep Code

In addition to setting up the connection between Semgrep and Azure, you must assign rules to Comment or Block mode. This customization enables you to:

  • Manage the amount of PR comments your developers receive.
  • Ensure that only rules that meet your criteria, such as high severity or high confidence rules, produce comments visible to developers, reducing noise.

The following instructions are also applicable when enabling PR comments for Semgrep Secrets.

Set rules to Comment or Block mode

The following instructions let you customize what findings or security issues your developers see as comments in their PRs:

  1. In your Semgrep AppSec Platform account, click Rules > Policies. You are taken to the Policies page. Under Modes, you can quickly see whether you have existing rules in either Comment or Block mode.
  2. Optional: Use the filters to quickly find rules to set to Comment or Block.
  3. Click the checkbox of the rules you want to set. You can use Ctrl + Click to select rules in bulk.
  4. Click Change modes.
  5. Click either Block or Comment.

You have successfully configured PR comments for Semgrep Code.

tip

Rules in Block mode fail the CI job that runs on the PR. Depending on your workflow, this may prevent your PR from merging.

info

Only rules set to the Comment and Block rule modes in the Policies page create PR comments.

In the Azure Pipelines configuration file, export the SEMGREP_REPO_URL and SEMGREP_REPO_NAME variables to enable PR comments and to ensure that findings and related data are labeled with your project's information. Both values start with a namespace of the form {organization}/{project}, so SEMGREP_REPO_NAME takes the form {organization}/{project}/{repository} and SEMGREP_REPO_URL is the repository's _git URL:

# example
export SEMGREP_REPO_URL="https://dev.azure.com/{organization}/{project}/_git/{project}"
Sample workflow file (indentation is significant in YAML):

pool:
  vmImage: ubuntu-latest
variables:
  - group: Semgrep_Variables
steps:
  - checkout: self
    clean: true
    fetchDepth: 100000
    # Keep the job's credentials so the script can run git fetch below.
    persistCredentials: true
  - script: |
      python -m pip install --upgrade pip
      pip install semgrep

      # Azure Pipelines exposes its predefined variables to scripts as
      # environment variables (BUILD_SOURCEBRANCHNAME, SYSTEM_TEAMPROJECT, ...).
      # SYSTEM_PULLREQUEST_PULLREQUESTID is only set on pull request builds.
      if [ "$BUILD_SOURCEBRANCHNAME" = "main" ]; then
        echo "Semgrep full scan"
        semgrep ci
      elif [ -n "$SYSTEM_PULLREQUEST_PULLREQUESTID" ]; then
        echo "Semgrep diff scan"
        export SEMGREP_PR_ID="$SYSTEM_PULLREQUEST_PULLREQUESTID"
        # Replace {organization} with your Azure DevOps organization name.
        export SEMGREP_REPO_URL="https://dev.azure.com/{organization}/${SYSTEM_TEAMPROJECT}/_git/${BUILD_REPOSITORY_NAME}"
        export SEMGREP_REPO_NAME="{organization}/${SYSTEM_TEAMPROJECT}/${BUILD_REPOSITORY_NAME}"
        export SEMGREP_BASELINE_REF='origin/main'
        # Job access token Semgrep uses to post the PR comment; the $( ) macro
        # is substituted by Azure Pipelines before the script runs.
        export AZURE_TOKEN=$(System.AccessToken)
        # Fetch the target branch so the diff scan has a baseline to compare against.
        git fetch origin main:refs/remotes/origin/main
        semgrep ci
      fi
    env:
      # Secret variables from a variable group are not exposed to scripts
      # automatically; map the Semgrep token explicitly (assumes the group
      # defines SEMGREP_APP_TOKEN).
      SEMGREP_APP_TOKEN: $(SEMGREP_APP_TOKEN)
  - task: Bash@3
    inputs:
      targetType: inline
      script: |
        # Debugging aid only: this prints every environment variable, including
        # any non-secret variable-group values, into the build log. Remove it
        # once the pipeline works.
        env | sort
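The sample pipeline above hardcodes {organization} in both exports. The POSIX shell helpers below are an added example, not code from this page or from Semgrep: they derive SEMGREP_REPO_URL and SEMGREP_REPO_NAME from Azure Pipelines' documented predefined variables (SYSTEM_COLLECTIONURI, SYSTEM_TEAMPROJECT, BUILD_REPOSITORY_NAME, BUILD_SOURCEBRANCHNAME, SYSTEM_PULLREQUEST_PULLREQUESTID), choose between a full scan on the default branch and a diff scan on a pull request, and refuse to proceed when a value is missing so findings are never mislabeled. The function names, the organization "contoso" and the project and repository names used in the demo are my own constructed values.

```shell
#!/bin/sh
# Added example (not from the Semgrep docs or project). Assumes the pipeline
# runs with Azure Pipelines' predefined variables; sample values below are constructed.

# Extract the organization name from a collection URI such as
# https://dev.azure.com/contoso/ or the legacy https://contoso.visualstudio.com/.
# Returns 1 for anything else so a misconfigured pipeline fails loudly.
azure_org_from_collection_uri() {
    uri=${1%/}                               # strip one trailing slash
    case "$uri" in
        https://dev.azure.com/*)
            org=${uri#https://dev.azure.com/}
            org=${org%%/*}
            ;;
        https://*.visualstudio.com)
            org=${uri#https://}
            org=${org%.visualstudio.com}
            ;;
        *)
            return 1
            ;;
    esac
    [ -n "$org" ] || return 1
    printf '%s\n' "$org"
}

# SEMGREP_REPO_NAME has the form {organization}/{project}/{repository}.
semgrep_repo_name() {
    printf '%s/%s/%s\n' "$1" "$2" "$3"
}

# SEMGREP_REPO_URL is the repository's _git URL. Names are used verbatim;
# a project or repository name containing spaces must be URL-encoded first.
semgrep_repo_url() {
    printf 'https://dev.azure.com/%s/%s/_git/%s\n' "$1" "$2" "$3"
}

# Which scan to run: "full" on the default branch, "diff" on a PR build
# (PR id non-empty), "skip" otherwise. $1 = branch name, $2 = PR id, $3 = default branch.
semgrep_scan_mode() {
    if [ "$1" = "${3:-main}" ]; then
        echo full
    elif [ -n "$2" ]; then
        echo diff
    else
        echo skip
    fi
}

# Export the variables Semgrep needs for a PR diff scan, validating every input.
# $1 = collection URI, $2 = project, $3 = repository, $4 = PR id.
semgrep_azure_configure() {
    org=$(azure_org_from_collection_uri "$1") || {
        echo "unrecognized collection URI: $1" >&2; return 1; }
    [ -n "$2" ] && [ -n "$3" ] && [ -n "$4" ] || {
        echo "project, repository and PR id are all required" >&2; return 1; }
    export SEMGREP_REPO_URL="$(semgrep_repo_url "$org" "$2" "$3")"
    export SEMGREP_REPO_NAME="$(semgrep_repo_name "$org" "$2" "$3")"
    export SEMGREP_PR_ID="$4"
}

# Stand-alone demo with constructed values: a PR build in the "contoso" org.
# In a real pipeline these variables are already set by Azure Pipelines.
if [ -z "$SYSTEM_COLLECTIONURI" ]; then
    SYSTEM_COLLECTIONURI=https://dev.azure.com/contoso/
    SYSTEM_TEAMPROJECT=Payments
    BUILD_REPOSITORY_NAME=payments-api
    BUILD_SOURCEBRANCHNAME=merge              # PR builds check out refs/pull/<id>/merge
    SYSTEM_PULLREQUEST_PULLREQUESTID=42
fi
mode=$(semgrep_scan_mode "$BUILD_SOURCEBRANCHNAME" "$SYSTEM_PULLREQUEST_PULLREQUESTID" main)
echo "scan mode: $mode"
if [ "$mode" = diff ]; then
    semgrep_azure_configure "$SYSTEM_COLLECTIONURI" "$SYSTEM_TEAMPROJECT" \
        "$BUILD_REPOSITORY_NAME" "$SYSTEM_PULLREQUEST_PULLREQUESTID"
    printf 'SEMGREP_REPO_URL=%s\nSEMGREP_REPO_NAME=%s\nSEMGREP_PR_ID=%s\n' \
        "$SEMGREP_REPO_URL" "$SEMGREP_REPO_NAME" "$SEMGREP_PR_ID"
fi
```

In the pipeline script step, source this file and call semgrep_azure_configure before `semgrep ci` in the diff branch; because the function exports the variables in the current shell rather than printing them, no eval of generated text is needed, and a bad collection URI or empty PR id aborts the step instead of producing a comment on the wrong repository.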

Disable PR comments for Supply Chain findings

By default, Semgrep comments include both Semgrep Code and Semgrep Supply Chain (SSC) findings information. However, if you would like to disable PR or MR comments for reachable SSC findings, you can do so as follows:

  1. Sign in to Semgrep AppSec Platform.
  2. Go to Settings > Deployment and navigate to the Supply Chain (SCA) section.
  3. Click PR/MR comments to disable commenting.

Disabling PR/MR comments doesn't disable notifications regarding license policy violations.

Next steps

You've finished setting up a core deployment of Semgrep 🎉.
