Enable Bitbucket Data Center pull request comments
- You have gained the necessary resource access and permissions required for deployment.
- You have created a Semgrep account and organization.
- You have connected your source code manager.
- Optionally, you have set up SSO.
- You have successfully added a Semgrep job to your CI workflow with diff-aware scanning.
Semgrep can create pull request (PR) comments in your Bitbucket repository. These comments provide a description of the issue detected by Semgrep and may offer possible solutions. They are a means for security teams, or any team responsible for creating standards to help their fellow developers write safe and standards-compliant code.
Automated comments on Bitbucket pull requests are displayed as follows:
Figure. Bitbucket Data Center pull request comments.
Conditions for PR comment creation
PR comments appear for the following types of scans under these conditions:
| Type of scan | Product name | Trigger condition | How to set up |
|---|---|---|---|
| Static application security testing (SAST) | Semgrep Code | A comment appears when a finding is generated by a rule in Comment or Block mode. This means you can fully customize what comments your developers receive. | Complete the steps in the following sections: |
| Software composition analysis (SCA) | Semgrep Supply Chain (SSC) | A comment appears based on the conditions you explicitly set in a Supply Chain policy or when Semgrep detects a license violation. | To receive Supply Chain comments, complete the steps in Confirm account connection and access and set up a policy. To receive license violation comments, enable dependency search. |
| Secrets | Semgrep Secrets | A comment appears when a finding is generated by a rule in Comment or Block mode. A comment also appears for invalid findings and validation errors if these conditions are set to Comment or Block mode. | Complete the steps in the following sections: |
Comments from Supply Chain scans include the following information:
- Risk
- A description of the vulnerability, including the types of attack it is vulnerable to.
- Fix
- Indicates what versions to upgrade to, if any, that resolves or eliminates the vulnerability.
- Reference
- A link to additional information about the vulnerability from its source, such as the GitHub Advisory Database and the National Vulnerability Database (NVD), if available.
Enable PR comments in Bitbucket
Prerequisites
In addition to finishing the previous steps in your deployment journey, it is recommended that you complete a full scan on your default branch for the repository in which you want to receive comments.
- You must have a Bitbucket Data Center HTTP access token. Ensure that the token HTTP access token that you create has been granted Project write permissions. You'll provide this token to your CI provider during the setup process.
- Semgrep has been tested with Bitbucket Data Center v8.19. If you are using a different version of BBDC and there are issues, please contact support@semgrep.com.
Confirm your Semgrep account's connection
Confirm that you have the correct connection and access:
- In your Semgrep AppSec Platform account, click Settings > Source code managers.
- Check that an entry for your Bitbucket project exists and is correct.
Configure comments for Semgrep Code
In addition to setting up the connection between Semgrep and Bitbucket, you must assign rules to Comment or Block mode. This customization enables you to:
- Manage the amount of PR comments your developers receive.
- Ensure that only rules that meet your criteria, such as high severity or high confidence rules, produce comments visible to developers, reducing noise.
Set rules to Comment or Block mode
The following instructions let you customize what findings or security issues your developers see as comments in their PRs:
- In your Semgrep AppSec Platform account, click Rules > Policies to enter the Policies page. Under Modes , you can quickly see if you have existing rules in either Comment or Block mode.
- Optional: To configure Semgrep Secrets rules, click the Secrets tab.
- Optional: Use the filters to quickly find rules to set to Comment or Block.
- Click the checkbox of the rules you want to set. You can use Ctrl + Click to select rules in bulk.
- Click Change modes.
- Click either Block or Comment.
You have successfully configured PR comments for Semgrep Code.
Rules in Block mode fail the CI job that runs on the PR. Depending on your workflow, this may prevent your PR from merging.
Configure comments for Semgrep Secrets
In addition to setting up the connection between Semgrep and Bitbucket, you must assign rules to Comment or Block mode. This customization enables you to:
- Manage the amount of PR comments your developers receive.
- Ensure that only rules that meet your criteria, such as high severity or high confidence rules, and result in findings involving valid secrets produce comments visible to developers, reducing noise.
Set rules to Comment or Block mode
The following instructions let you customize what findings or security issues your developers see as comments in their PRs:
- In Semgrep AppSec Platform, go to Rules > Policies > Secrets.
- Under Modes , you can see if you have existing rules in either Comment or Block mode. You can also use the filters to find rules you want to set to Comment or Block.
- Click the checkbox of the rules you want to set. You can use Ctrl + Click to select rules in bulk.
- Click Change modes.
- Click either Block or Comment.
You have successfully configured PR comments for Semgrep Secrets.
Validation state policies
Validation state policies allow you to define how Semgrep handles the following issues:
- Invalid findings: the secret has been revoked, was never functional, or used for a custom or private endpoint that Semgrep can't communicate with. For example, a Semgrep rule that tests GitHub credentials may return an invalid finding if Semgrep can't communicate with an on-premise deployment.
- Validation errors: Semgrep was unable to reach the secrets provider to test the validity of the credential, or Semgrep received an unexpected response from the API
To edit the policy for invalid secrets and errors:
- In Semgrep AppSec Platform, go to Rules > Policies > Secrets.
- Click Validation State Policies.
- Choose the mode, either Comment or Block, that you want Semgrep to set for Invalid findings.
- Choose the mode, either Comment or Block, that you want Semgrep to set for Validation errors.
Rules in Block mode fail the CI job that runs on the PR. Depending on your workflow, this may prevent your PR from merging.
Configure comments for Semgrep Supply Chain
To configure comments for Supply Chain, you must define a Supply Chain policy. This policy lets you set the specific conditions, such as transitivity and reachability, that trigger a comment. These conditions are unique to Supply Chain findings.
See the Policies documentation for more information.
Disable PR comments for Supply Chain findings
By default, Semgrep comments include both Semgrep Code and Semgrep Supply Chain (SSC) findings information. However, if you would like to disable PR or MR comments for reachable SSC findings, you can do so as follows:
- Sign in to Semgrep AppSec Platform.
- Go to Settings > Deployment and navigate to the Supply Chain (SCA) section.
- Click PR/MR comments to disable commenting.
Disabling PR/MR comments doesn't disable notifications regarding license policy violations.
Next steps
You've finished setting up a core deployment of Semgrep 🎉.
- Explore recommended tasks after deployment in Beyond core deployment.
Additional references
Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.