• Deployment
• Semgrep Assistant

Enable Semgrep Assistant

This article walks you through enabling Semgrep Assistant for your deployment.

Prerequisites

• You have completed a Semgrep core deployment.
• You have set rules to Comment or Block mode in your Policies page.

Azure DevOps Cloud

Semgrep Assistant extends standard Semgrep capabilities by providing contextually aware AI-generated suggestions. Building that context requires Azure DevOps permissions, specifically code access granted through an access token you generate through Azure DevOps. Ensure that the token has the following scopes:

• Code: Read & write
• Pull Request Threads: Read & write

You can provide this token to Semgrep by adding Azure DevOps as a source code manager.

Semgrep recommends using a service account, not a personal account, to generate the personal access token provided to Semgrep. Regardless of whether you use a personal or service account, the account must be assigned the Owner or Project Collection Administrator role for the organization.

Bitbucket Cloud

Semgrep Assistant extends standard Semgrep capabilities by providing contextually aware AI-generated suggestions. Building that context requires Bitbucket permissions, specifically code access granted through an access token you generate through Bitbucket. Your token must be a Workspace Access Token, which are available to users with a Bitbucket Cloud Premium plan or higher. The token must have the following scopes:

• Projects: Read
• Repositories: Read
• Pull requests: Read & Write
• Webhooks: Read and write

You can provide this token to Semgrep by adding Bitbucket as a source code manager.

GitHub

Semgrep Assistant extends normal Semgrep capabilities by providing contextually aware AI-generated suggestions. In order to build that context, it requires GitHub permissions in addition to the standard permissions required for Semgrep.

Semgrep Assistant requires read access to your code in GitHub. This is done through a private Semgrep GitHub app that you install during Assistant setup. This private Semgrep GitHub app:

• Is fully under your control so you can revoke access or specific permissions at any time by visiting Settings > Applications in GitHub.
• Only accesses source code repositories on a file-by-file basis; it does not need or request org-level access to your codebase.
• Can be configured to limit its scope to specific repositories. You do not need to give read access to all repositories in your GitHub organization.

Enable Assistant

1. Sign in to Semgrep AppSec Platform.
2. Click Settings.
3. In the Assistant section, click the Allow code snippets in AI prompts toggle. This launches the Set up Semgrep Assistant prompt.
4. Select a source code manager (SCM) by clicking github.com.
5. Semgrep provides you with information on why Assistant requires access to your source code. Click Accept & Enable Assistant to proceed.
6. You are redirected to the page where you can add a GitHub Private App that grants Semgrep read access to your code.
   1. Enter your GitHub information. Select whether you're installing the app on an organization or Personal Account, and provide its name.
   2. Click Review permissions to see the permissions requested by Semgrep.
   3. Click Register GitHub App to proceed.
   4. When prompted, click Continue to allow redirection to GitHub to finalize app creation. Follow the instructions to finish creating and installing a private semgrep-app.
7. You are redirected to Semgrep AppSec Platform's Source Code Managers page. Navigate back to the Deployment page. Under the Assistant section, verify that all of the features are enabled:
   1. Allow code snippets in AI prompts: Required for Semgrep to auto-triage findings, provide AI remediation guidance, and tag findings with code context.
   2. Weekly priority emails: Enable weekly emails to all organization admins with information on Assistant's top three backlog tasks across all findings.
   3. Noise filter for Code PR/MR comments: Enable the filtering of findings flagged as false positives. You can choose to suppress any PR or MR comments Semgrep might push, or you can choose to show developers information regarding false positives using PR or MR comments.
   4. Remediation: Enable Assistant-generated autofix suggestions in comments from Assistant. You can also set the minimum confidence level for Assistant-written fixes if the Semgrep rule doesn't include a human-written autofix.

GitLab

Semgrep Assistant extends normal Semgrep capabilities by providing contextually aware AI-generated suggestions. In order to build that context, it requires GitLab permissions in addition to the standard permissions required for Semgrep.

Semgrep Assistant requires the API scope to run in both GitLab SaaS and GitLab self-managed instances. This can be specified at either the project access token level or personal access token level.

• You can revoke project access tokens or personal access tokens at any time.
• Semgrep Assistant only accesses source code repositories (projects) on a file-by-file basis; it does not need or request org-level access to your codebase.
• The token can be configured to limit its scope to specific projects or individuals. You do not need to give read access to all projects in your GitLab organization.

Enable Assistant

1. Sign in to Semgrep AppSec Platform using your GitLab account.
2. Click Settings.
3. In the Assistant section, click the Allow code snippets in AI prompts toggle. This launches the Set up Semgrep Assistant prompt.
4. Follow the on-screen instructions to complete the setup process.
5. Navigate back to the Deployment page. Under the Assistant section, verify that all of the features are enabled:
   1. Allow code snippets in AI prompts: Required for Semgrep to auto-triage findings, provide AI remediation guidance, and tag findings with code context.
   2. Weekly priority emails: Enable weekly emails to all organization admins with information on Assistant's top three backlog tasks across all findings.
   3. Noise filter for Code PR/MR comments: Enable the filtering of findings flagged as false positives. You can choose to suppress any PR or MR comments Semgrep might push, or you can choose to show developers information regarding false positives using PR or MR comments.
   4. Remediation: Enable Assistant-generated autofix suggestions in comments from Assistant. You can also set the minimum confidence level for Assistant-written fixes if the Semgrep rule doesn't include a human-written autofix.

Once you have enabled Semgrep Assistant, you can customize your deployment by enabling or disabling the Assistant features that best fit your software development lifecycle.

---

Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.