Set up GitLab merge request comments
- You have gained the necessary resource access and permissions required for deployment.
- You have created a Semgrep account and organization.
- You have connected your source code manager.
- Optionally, you have set up SSO.
- You have successfully added a Semgrep job to your CI workflow with diff-aware scanning.
Semgrep can create merge request (MR) comments in your GitLab repository. These comments provide a description of the issue detected by Semgrep and may offer possible solutions. These comments are a means for security teams, or any team responsible for creating standards to help their fellow developers write safe and standards-compliant code.
Automated comments on GitLab merge requests are displayed as follows:
Figure An inline GitLab merge request comment.
Conditions for MR comment creation
MR comments appear for the following types of scans under these conditions:
| Type of scan | Product name | Trigger condition | How to set up |
|---|---|---|---|
| Static application security testing (SAST) | Semgrep Code | A comment appears when a finding is generated by a rule in Comment or Block mode. This means you can fully customize what comments your developers receive. | Complete the steps in the following sections: |
| Software composition analysis (SCA) | Semgrep Supply Chain (SSC) | A comment appears only when the finding is reachable or when Semgrep detects a license violation. | Complete the steps in Confirm account connection and access to receive Supply Chain PR comments and enable dependency search to receive license violation PR comments. |
| Secrets | Semgrep Secrets | A comment appears on validated secrets. | This product is in beta. Contact support@semgrep.com to enable comments. |
Comments from Supply Chain scans include the following information:
- Risk
- A description of the vulnerability, including the types of attack it is vulnerable to.
- Fix
- Indicates what versions to upgrade to, if any, that resolves or eliminates the vulnerability.
- Reference
- A link to additional information about the vulnerability from GitHub Advisory Database and the National Vulnerability Database (NVD), if available.
Pull or merge requests with vulnerabilities detected by SSC are not blocked from merging.
Steps to set up MR comments
Prerequisites
In addition to finishing the previous steps in your deployment journey, it is recommended to have completed a full scan on your default branch for the repository in which you want to receive comments.
Confirm your Semgrep account's connection
MR comments are enabled by default for users who have connected their GitLab organization (org) to Semgrep AppSec Platform. Confirm that you have the correct connection and access:
- In your Semgrep AppSec Platform account, click Settings > Source code managers.
- Check that an entry for your GitLab org exists and is correct.
Create a personal access token (PAT)
Creating a PAT grants the API scope to Semgrep, which lets it post comments.
- In GitLab, go to Profile > Access Tokens, and then add a token with
apiscope. - Copy the token created in the previous step.
Once you have a GitLab PAT, you can provide it to Semgrep through Semgrep AppSec Platform's Settings > Source Code Managers tab. This tab is a central location that makes it easy for your teams to access and rotate the token if necessary. This is the recommended method, though there are two other options for providing your PAT to Semgrep:
- In the Network Broker configuration file: You can set a dummy token and assign the PAT in the Network Broker configuration file. This information is stored on your infrastructure, and you can manage it using the secret storage program of your choice.
- In the CI job's configuration file: This is helpful if you're using Gitlab's Project Access Tokens, which are generated on a per-project basis.
Click to learn how to use the Gitlab PAT in CI jobs.
For GitLab CI/CD users:
- Navigate to Your repository > Settings > CI/CD. The URL of the page where you are ends with:
/username/project/-/settings/ci_cd. - Under Variables click Expand, and then click Add variable.
- Enter PAT (change this placeholder name as necessary) in the Key field and paste the token value copied in step two to the Value field.
- Select the Mask variable checkbox option, and then clear the Protect variable checkbox option.
- Update your
.gitlab-ci.ymlfile with variableGITLAB_TOKENand value$PAT. Refer to the following sample, substituting the placeholderPATwith the name you created for this variable.
semgrep:
# A Docker image with Semgrep installed.
image: semgrep/semgrep
# Run the "semgrep ci" command on the command line of the docker image.
script: semgrep ci
rules:
# Scan changed files in MRs, (diff-aware scanning):
- if: $CI_MERGE_REQUEST_IID
# Scan mainline (default) branches and report all findings.
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
variables:
# Connect to Semgrep AppSec Platform through your SEMGREP_APP_TOKEN.
# Generate a token from Semgrep AppSec Platform > Settings
# and add it as a variable in your GitLab CI/CD project settings.
SEMGREP_APP_TOKEN: $SEMGREP_APP_TOKEN
# Receive inline MR comments (requires Semgrep AppSec Platform account)
GITLAB_TOKEN: $PAT
For other CI providers:
- In your CI provider's interface, define the value of the PAT as a secret. Refer to your CI provider's documentation for steps to do this.
- Define the environment variable
GITLAB_TOKENand assign the PAT to it.
For more configuration options, see GitLab CI Sample.
MR comments with multiple GitLab groups
If you're using Semgrep with multiple GitLab groups, ensure that you've completed the following steps to see MR comments for repositories associated with each of your groups:
- Required for users with GitLab self-managed plans and optional for users with GitLab Cloud plans: Create a Semgrep source code manager connection with each GitLab group by signing in to your Semgrep account, navigating to Settings > Source code managers, and adding an entry for each group. Note that you only need to add an entry for the parent group to onboard a parent group and all of its subgroups.
- Add the
GITLAB_TOKENenvironment variable to your CI configuration. You can setGITLAB_TOKENto the GitLab PAT that grants access to all of your GitLab groups, if possible, or you can use a different GitLab PAT for each of your GitLab groups.
Define environment variables needed for other CI providers
For CI providers aside from GitLab CI/CD, additional environment variables must be set:-
SEMGREP_PR_IDis set to the MR number of the pull request on GitLab CI/CD. SEMGREP_REPO_NAMEis set to the repository name.SEMGREP_REPO_URLis set to the repository URL where your project is viewable online.
These values do not have to be fixed or hardcoded. They can be variables passed to the job. For more information, see Sample CI configurations.
Configure comments for Semgrep Code
In addition to setting up the connection between Semgrep and GitLab, you must assign rules to Comment or Block mode. This customization enables you to:
- Manage the amount of MR comments your developers receive.
- Ensure that only rules that meet your criteria, such as high severity or high confidence rules, produce comments visible to developers, reducing noise.
The following instructions are also applicable when enabling MR comments for Semgrep Secrets.
Set rules to Comment or Block mode
The following instructions let you customize what findings or security issues your developers see as comments in their PRs:
- In your Semgrep AppSec Platform account, click Rules > Policies. You are taken to the Policies page. Under Modes , you can quickly see if you have existing rules in either Comment or Block mode.
- Optional: Use the filters to quickly find rules to set to Comment or Block.
- Click the checkbox of the rules you want to set. You can use Ctrl + Click to select rules in bulk.
- Click Change modes.
- Click either Block or Comment.
You have successfully configured MR comments for Semgrep Code.
Rules in Block mode fail the CI job that runs on the MR. Depending on your workflow, this may prevent your MR from merging.
Receive comments in your VPN or on-premise SCM
Ensure that you've onboarded all of your GitLab groups to Semgrep.
If you are behind a firewall, are using a virtual private network (VPN), or have network restrictions regarding access, you may need to add the following IP addresses to the ingress allowlist and egress allowlist:
# Ingress IP addresses (from Semgrep to your infrastructure)
# and egress IP addresses (from your infrastructure to Semgrep)
35.166.231.235
52.35.248.246
52.34.137.110
44.225.64.41
Additional egress IP addresses
You must also add CloudFront IP addresses to your egress allowlist. Refer to Locations and IP address ranges of CloudFront edge servers for a list of IP addresses.
Test your configuration
Test that you are able to receive findings by manually triggering a scan through your CI provider.
Receiving PR or MR comments may require additional steps depending on the custom configuration of your VPN or SCM (for example, if you use a static IP without a hostname). Reach out to Semgrep support through the Semgrep Community Slack or send an email to support@semgrep.com for any concerns.
You've set up MR comments! Enable optional features provided in the following sections, or see Next steps.
Optional features
Enable autofix in GitLab repositories
Autofix is a Semgrep feature in which rules contain suggested fixes to resolve findings.
To enable autofix for all projects in your Semgrep AppSec Platform organization, follow these steps:
- In Semgrep AppSec Platform, click Settings on the left sidebar.
- Click Autofix toggle.
Dataflow traces in MR comments
Figure. An inline GitLab pull request comment with dataflow traces.
With dataflow traces, Semgrep Code can provide you with a visualization of the path of tainted, or untrusted, data in specific findings. This path can help you track the sources and sinks of the tainted data as they propagate through the body of a function or a method. For general information about taint analysis, see Taint tracking.
When running Semgrep Code from the command line, you can pass in the flag
--dataflow-traces to use this feature.
You can view dataflow traces in:
- Semgrep AppSec Platform by going to Semgrep Code's Findings page. For more details, see Path of tainted data in Semgrep Code.
- The PR or MR comments created by Semgrep Code running in your CI/CD system. To enable
this feature, see:
- GitHub users: Dataflow traces in PR comments
- GitLab users: Dataflow traces in MR comments
Get cross-file findings
To get cross-file (interfile) findings in your organization, follow the steps in Perform cross-file analysis.
View the path of tainted data in MR comments
To enable dataflow traces in your CI pipeline, fulfill the following prerequisites:
- Set up Semgrep to post GitLab merge request comments, as described on this page.
- To obtain meaningful results of dataflow traces in MR comments, use cross-file analysis while scanning your repositories. To enable cross-file analysis, see Perform cross-file analysis.
- Not all Semgrep rules or rulesets make use of taint tracking. Ensure that you have a ruleset, such as the default ruleset added in your Policies. If this ruleset is not added, go to https://semgrep.dev/p/default, and then click Add to Policy. You can add rules that use taint tracking from Semgrep Registry.
Disable MR comments for Supply Chain findings
By default, Semgrep comments include both Semgrep Code and Semgrep Supply Chain (SSC) findings information. However, if you would like to disable PR or MR comments for reachable SSC findings, you can do so as follows:
- Sign in to Semgrep AppSec Platform.
- Go to Settings > Deployment and navigate to the Supply Chain (SCA) section.
- Click PR/MR comments to disable commenting.
Disabling PR/MR comments doesn't disable notifications regarding license policy violations.
Next steps
You've finished setting up a core deployment of Semgrep 🎉.
- Explore recommended tasks after deployment in Beyond core deployment.
Additional references
Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.