Receive Slack notifications
The Semgrep Slack app enables Semgrep AppSec Platform to notify you of new findings after every scan. By receiving notifications within your Slack workspace, developers and security engineers can see findings without switching environments. This can lessen the friction between detecting a finding, triaging it, and resolving it.
You can select the channels in your Slack workspace that receive finding notifications. You can also choose to receive notifications only for certain repositories (projects) or Rule Modes. For example, you can choose to receive notifications only for findings generated by rules from the Blocking Rule Mode.
Install the Semgrep Slack App
- You must be a Slack Workspace Owner to set up the Semgrep Slack app.
- Single-tenant Semgrep AppSec Platform: Reach out to your Technical Account Manager (TAM) to ensure your instance has been configured for the Semgrep Slack app.
To install the Semgrep Slack app, follow these steps:
- In Semgrep AppSec Platform, go to Settings > Integrations.
- On the Integrations page, click Add Integration (or Setup First Integration if this is your first integration), and then select Slack.
- Click Allow.
Set up notifications for findings in Slack
To set up or subscribe to notifications for findings in your Slack workspace, perform the following steps:
1. In your Slack workspace, find or create a channel for Semgrep notifications. If you use a private channel for notifications, first invite the Semgrep app by typing `@Semgrep` in the channel. If the app is not invited to a private channel, it cannot send notifications there.
2. In the selected Slack channel, enter the following command: `/semgrep_subscribe`
3. Optional: Enter the name of a specific project after `/semgrep_subscribe` to receive findings for that specific project only. The project must be entered as it is shown in Semgrep AppSec Platform, typically: `/semgrep_subscribe ACCOUNT_NAME/REPOSITORY_NAME`
4. Choose an organization in the list under Select target organization. The dialog box expands with additional options.
5. Optional: Set up additional filters.
   - For Semgrep users that receive both Semgrep Code findings and Semgrep Supply Chain vulnerabilities, you can select target scan types to subscribe to either Semgrep Code, Semgrep Supply Chain, or both.
   - Select any number of policies to receive findings for under the Selected Policies field. By default, you are subscribed to all policies, including the Monitor policy. This can potentially result in many notifications (noise).
6. Click Subscribe. If you did not specify a project after `/semgrep_subscribe`, the channel is subscribed to findings from all your projects in Semgrep AppSec Platform.
7. Optional: To set up Slack notifications for additional workspaces, repeat steps 1 to 6. The Semgrep Slack integration is set up on a per-workspace basis.
You have successfully set up notifications for Semgrep findings. The Semgrep Slack app reports new findings after every scan but does not report findings that were previously discovered.
In your Slack workspace, create separate channels for either policies, repositories (projects), or types of findings depending on your business or development need. This ensures that developers receive only findings that are relevant to them.
Figure. A sample Slack message with Semgrep findings.
Remove notifications for findings in Slack
This operation removes or unsubscribes a channel from notifications. To uninstall the Semgrep Slack App, refer to Uninstall the Semgrep Slack App.
To remove or unsubscribe to notifications:
- In Slack, enter the channel that you want to unsubscribe from Semgrep findings.
- Type `/semgrep_unsubscribe`.
- Select the target organization to unsubscribe from.
- Click Unsubscribe.
You have unsubscribed from Semgrep finding notifications for that particular channel.
Change Slack notification settings
You can customize your notification settings at any time through the Semgrep App Home in your Slack workspace.
To view the Semgrep App Home:
- In your Slack workspace, click + Add apps in the sidebar under the Apps header.
- Click Semgrep. The Semgrep app appears as a button on the sidebar.
To change the settings:
- In your Slack workspace, click Semgrep under Apps in the Slack sidebar. This displays the Semgrep App Home.
- Click the three-dot menu of the channel to update.
- Click Manage filters.
Notification and alert de-duplication
Notifications are sent only the first time a given finding is detected.
When running a diff-aware scan, Semgrep doesn't notify you when a pull request has a finding that existed on the base branch already, even if that line is moved or re-indented.
Semgrep also tracks notifications that have already been sent, so subsequent scans of the same changes in a pull request won't result in duplicate notifications.
See Findings in CI for more information about how Semgrep tracks a finding through its lifetime.
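The de-duplication behaviour described in this section, as an added illustrative model that is not Semgrep's own implementation (this page does not describe how Semgrep identifies a finding): findings are keyed on rule id, file path and whitespace-stripped matched text, so a match that moved or was re-indented is not announced again, and a set of already-sent fingerprints suppresses repeats across scans of the same pull request. Rule ids and code snippets below are constructed sample data.

```python
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    line: int
    code: str  # matched source text


def fingerprint(f: Finding) -> str:
    # Line number and whitespace are deliberately left out, so moving or
    # re-indenting a line yields the same fingerprint (assumed model, not
    # Semgrep's real finding identity).
    normalized = re.sub(r"\s", "", f.code)
    material = f"{f.rule_id}\0{f.path}\0{normalized}".encode()
    return hashlib.sha256(material).hexdigest()


class Notifier:
    """Remembers which fingerprints have already been announced."""

    def __init__(self) -> None:
        self.sent: set[str] = set()

    def new_findings(self, base: list[Finding], head: list[Finding]) -> list[Finding]:
        """Return head findings that are neither present on the base branch
        nor already notified by an earlier scan of the same pull request."""
        base_fps = {fingerprint(f) for f in base}
        to_send = []
        for f in head:
            fp = fingerprint(f)
            if fp in base_fps or fp in self.sent:
                continue
            self.sent.add(fp)
            to_send.append(f)
        return to_send


# Constructed sample data: one pre-existing finding that was moved and
# re-indented in the PR, plus one genuinely new finding.
BASE = [Finding("constructed-rule-eval", "app.py", 10, "eval(user_input)")]
HEAD = [
    Finding("constructed-rule-eval", "app.py", 42, "    eval( user_input )"),
    Finding("constructed-rule-exec", "app.py", 50, "exec(cmd)"),
]
```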
Uninstall the Semgrep Slack App
This removes all Semgrep notifications in all channels in your Slack workspace.
- In Semgrep AppSec Platform, go to Settings > Integrations.
- On the Integrations page, find the Slack integration you want to remove.
- Click Remove integration > Remove.
Troubleshooting
Not receiving any findings
The following list describes possible ways to troubleshoot findings not appearing in your Slack workspace:
- Check if you have successfully set up your notifications.
- Check if your most recent scan has findings to send.
- Check your filters.
- Check if the channel is private. You must add the Semgrep Slack App to any private channel to subscribe to notifications in that channel.
Check notifications
To check that your notifications are set up, you can review notifications in two places:
- On the Integrations page, locate your Slack integration and expand Channels receiving Semgrep notifications.
- In your Slack workspace, click Semgrep under Apps in the Slack sidebar and review the channels under Notifications are being sent to the following channels.
- To send a test notification to a channel in this list, click the three-dot menu > Send Test Notification.
Check your filters
If you have set up any filter, such as filtering for a specific policy or project, all conditions of that filter must be met for the notification to be sent. Review your filters by following the steps in Change Slack notification settings.
Permissions not up-to-date
You may receive a message from the Semgrep Slack app stating that your token does not have up-to-date permissions. Clicking the link provided in the message to update the permissions typically resolves this issue.
However, if after updating the token, you still receive the same message, perform the following steps to revoke and refresh your access token:
1. In your Slack workspace, click Semgrep under Apps in the Slack sidebar.
2. Click Uninstall. This revokes your token.
3. Go to Semgrep AppSec Platform > Settings > Integrations.
4. Find the Slack entry for the workspace you revoked in step 2 and click Refresh Token.
5. Follow the steps in the authentication flow to complete the token refresh.
You have refreshed your access token and updated your permissions.
Fixing `dispatch_failed` error
There are many possible causes for this error. Try the following fixes:
- Re-enter your last command or operation after a few minutes.
- Uninstall, and then reinstall your Semgrep Slack integration.
Fixing `operation_timeout` error
This error occasionally appears due to connection or service issues. To fix this issue, retry your last command or operation after a few minutes.
Slack permissions
The following table describes the purpose for each permission required to use the Semgrep Slack app.
| Permission | Slack description | Purpose |
| --- | --- | --- |
| app_mentions:read | View messages that directly mention | Enables the Semgrep Slack app to respond when users mention it in the chat. |
| channels:read | View basic information about public channels in a workspace. | Basic channel information such as channel_id is used to ensure that Semgrep findings (results) are sent to the appropriate channel. |
| chat:write | Send messages as | Enables the Semgrep Slack app to send findings to channels. |
| chat:write.customize | Send messages as @Semgrep with a customized username and avatar. | Helps users identify Semgrep Slack app messages through the use of an image and username. |
| chat:write.public | Send messages to channels @Semgrep isn't a member of. | Enables users to invoke Semgrep Slack app features in any public channel using the slash command. |
| commands | Add shortcuts or slash commands that people can use. | Enables the Semgrep Slack app to register custom slash commands such as /semgrep_subscribe used for notification subscription. |
| emoji:read | View custom emoji in a workspace. | Allows Semgrep to support a workspace's custom emojis. |
| im:write | Start direct messages with people. | Allows users to interact with the Semgrep Slack app and use the slash commands in direct messages. |
| links:write | Show previews of URLs in messages. | Enables the Semgrep Slack app to include links in messages. |
| users:read | View profile details about people in a workspace. | Enables the Semgrep Slack app to correctly address users in messages. |
| users:write | Set presence for Semgrep. | Used by the Semgrep Slack app to interact with the workspace and enables users to add the Semgrep Slack app to relevant channels. |
| workflow.steps:execute | Add steps that people can use in Workflow Builder. | Enables Semgrep to make use of modals and drop-down boxes when a user creates or updates their notifications. |
| groups:read | View basic information about private channels that your Slack app has been added to. | The Semgrep Slack app uses channels_id_changed to update its notifications configuration if the channel that receives findings is updated. This ensures that you are still able to receive findings after renaming a channel. |
| team:read | View the name, email domain, and icon for workspaces your Slack app is connected to. | The Semgrep Slack app uses team_name_changed to update its notifications configuration if the team name is updated. This ensures that you are still able to receive findings notifications after renaming your team. |
| channels:read | View basic information about public channels in a workspace. | Enables the Semgrep Slack app to monitor whether channels that receive Semgrep findings have been deleted or archived. |
Additional resources
Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.