Semgrep Assistant overview
Semgrep Assistant provides AI-powered security recommendations to help you review, triage, and remediate your Semgrep findings.
Figure. Semgrep Assistant detects the use of untrusted, unsanitized data.
Support and availability
Semgrep Assistant:
- Primarily supports findings generated by Semgrep Code
- Supports the same languages as Semgrep Code
- Is available to users of the following source code managers (SCMs):
  - GitHub Cloud and GitHub Enterprise Server (self-hosted)
  - GitLab, including SaaS and self-managed plans
- Requires Semgrep AppSec Platform
Features
Remediation
Semgrep Assistant can provide remediation advice and autofixes, or suggested fixes, for Semgrep Code findings.
Guidance
With Assistant enabled, every PR or MR comment Semgrep posts includes remediation guidance: step-by-step instructions on how to fix the finding identified by Semgrep Code.
Figure. PR comment displaying the rule message followed by a comment that contains Assistant-generated remediation guidance.
Semgrep also displays remediation information on Semgrep AppSec Platform's Findings page under Your code & fix in the finding's details page.
Figure. Findings detail page with the Your code & fix section displaying the suggested fix.
Autofix
Semgrep Assistant can suggest autofix code snippets for Semgrep Code findings when it identifies a true positive. Assistant only suggests an autofix if the rule doesn't have a human-written autofix. You can set the minimum autofix confidence level required to display autofix suggestions from Semgrep Assistant on Semgrep AppSec Platform's Settings page. To receive as many Assistant suggestions as are available, set the minimum to low confidence.
Assistant customizes the code snippets it provides based on previous feedback, if any, and your rule customizations. For example, if you have a custom rule recommending a specific sanitizer, Assistant can recommend its use in the autofix suggestion for the issue in your code.
Autofixes are available in PR and MR comments, so developers can review and verify Semgrep's generated fixes before applying them.
Figure. Semgrep Assistant generates a potential fix in a PR comment.
Autofixes are also available on Semgrep AppSec Platform's Findings page under Your code & fix in the finding's details.
Figure. Semgrep Assistant showing a potential fix in Semgrep AppSec Platform.
The finding's details include a link to the PR or MR with the autofix, so you can go directly to the PR or MR to commit the autofix.
If many new issues are found in a given scan, Assistant auto-triage and autofix may not run on every issue.
Component tags
Component tags use AI to categorize a finding by the function of the code it appears in, such as:
- Payments
- User authentication
- Infrastructure
By categorizing your code through component tags, Semgrep Assistant helps you prioritize high-risk issues, such as a finding in payments or user authentication code.
Component tags can be viewed in Semgrep AppSec Platform's Findings page.
Figure. Semgrep AppSec Platform's Findings page showing the Component filter.
Auto-triage
Semgrep Assistant combines the AI model's understanding of programming languages and libraries with your code and triage history to auto-triage findings and suggest whether a finding can safely be ignored. Every recommendation to ignore a finding comes with an explanation of why Assistant considers it safe to ignore, so a reviewer can check the reasoning rather than accept the verdict blindly.
Auto-triage recommendations are available in Semgrep AppSec Platform's Findings page when you filter for findings that Assistant suggests should be ignored, and in the finding's details.
Figure. Semgrep Assistant auto-triage in the Findings page.
Assistant's suggestions to ignore findings are also surfaced in PR or MR comments, so developers can triage an issue without switching contexts, and are sent as Slack notifications.
Figure. Semgrep Assistant auto-triage in a Slack notification.
Memories (beta)
Assistant Memories allows AppSec teams and developers to tailor Assistant's remediation guidance to their organization's standards and defaults on a per-project, per-rule basis. When Assistant gives a suggested fix, you can provide feedback by adding custom instructions.
For example, if the code contains a hardcoded secret, Assistant might suggest using an SDK that handles credentialing. However, if your company prefers to use a different secrets manager, you can provide this information to Assistant. Assistant then generates remediation guidance that works with your specific secrets manager in the future.
Custom rules editor (beta)
Semgrep Assistant can help you write custom rules to find patterns and vulnerabilities specific to your codebase. The only information you need to provide is a prompt, in English, describing what you want the rule to do. If you also provide an example of bad code and an example of good code, Semgrep uses them as additional context for the large language model (LLM) and as test cases against which you can check the generated rule.
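Two of the sections above refer to artifacts that are easier to understand when seen concretely: a human-written autofix (the Autofix section notes that Assistant only generates its own autofix when the rule has none) and the good/bad code examples used to test a generated rule. The rule below is an added example written for this page; it is not a rule from the Semgrep Registry and not Assistant output. The rule ID, message and CWE annotation are mine; the `fix:` key, `pattern-either`, metavariables such as `$DATA`, and the test annotations described after the block are standard Semgrep rule syntax.

```yaml
rules:
  - id: python-yaml-unsafe-load
    languages: [python]
    severity: ERROR
    message: >-
      yaml.load() without a safe Loader can instantiate arbitrary Python
      objects from untrusted input. Use yaml.safe_load() instead.
    metadata:
      category: security
      cwe: "CWE-502: Deserialization of Untrusted Data"
    # Match yaml.load(...) called with a single argument (no Loader given)
    # or with the unsafe Loader spelled out. Semgrep matches argument
    # lists exactly unless `...` is used, so yaml.load(x, Loader=yaml.SafeLoader)
    # does not match either pattern.
    pattern-either:
      - pattern: yaml.load($DATA)
      - pattern: yaml.load($DATA, Loader=yaml.Loader)
      - pattern: yaml.load($DATA, yaml.Loader)
    # Human-written autofix. Because this key is present, Assistant does not
    # generate its own autofix for this rule's findings; $DATA is reused from
    # the match so the original argument expression is preserved.
    fix: yaml.safe_load($DATA)
```

To test the rule, place a Python file with the same basename next to it (for example `python-yaml-unsafe-load.py` beside `python-yaml-unsafe-load.yaml`) containing the bad and good examples, each preceded by a comment of the form `# ruleid: python-yaml-unsafe-load` (the next line must match) or `# ok: python-yaml-unsafe-load` (the next line must not match), and run `semgrep --test` in that directory. The `ruleid`/`ok` annotations are the same good/bad distinction the custom rules editor asks you for, so examples written for Assistant can be kept as regression tests once the rule is accepted.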
Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.