Semgrep Assistant overview

Semgrep Assistant provides GPT-4-powered security recommendations to help you review, triage, and remediate your Semgrep findings.

Figure. Semgrep Assistant message in GitHub: Semgrep Assistant detects a false positive.

Support and availability

Semgrep Assistant supports findings generated by Semgrep Code, Semgrep Supply Chain, and Semgrep Secrets. It requires Semgrep AppSec Platform and is not available on the Semgrep CLI.

Semgrep Assistant is available to users of the following source code managers (SCMs):

  • GitHub Cloud
  • GitLab, including SaaS and self-managed plans

Semgrep Assistant does not support the use of GitHub Enterprise Server (self-hosted).

Language support

Semgrep Assistant supports the same languages as Semgrep Code.

Features

Component tags

Component tags use GPT-4 to categorize a finding based on its function, such as:

  • Payments
  • User authentication
  • Infrastructure

By categorizing your code through component tags, Semgrep Assistant can help you prioritize high-risk issues, such as remediating a code finding related to payments or user authentication.

Figure. Semgrep Assistant component tag list.

Component tags are available in Semgrep AppSec Platform's Findings page.

Auto-triage

Semgrep Assistant uses GPT-4's understanding of programming languages and libraries, and your code and triage history, to auto-triage findings and suggest whether a finding can safely be ignored. For every recommendation to ignore a finding, Semgrep also provides guidance with an explanation on why this is the case.

Auto-triage recommendations are available in Semgrep AppSec Platform's Findings page when you filter for findings that Assistant suggests should be ignored, and in the finding's details.

Figure. Semgrep Assistant auto-triage in the filtered Findings page.

Assistant's suggestions to ignore findings are also surfaced in PR or MR comments, so developers can triage an issue without switching contexts, and in Slack notifications.

Figure. Semgrep Assistant auto-triage in a Slack notification.

Autofix Semgrep Code findings

Semgrep Assistant can suggest autofix code snippets for Semgrep Code findings when it identifies a true positive. Assistant only suggests an autofix if the rule doesn't have a human-written autofix. Assistant customizes the code snippets it provides based on previous feedback, if any, and your rule customizations. For example, if you have a custom rule that recommends a specific sanitizer, Assistant can recommend its use in the autofix suggestion for the issue in your code.

You can set the minimum autofix confidence level required to display autofix suggestions from Semgrep Assistant in Semgrep AppSec Platform's Settings page.

Autofixes are available in PR and MR comments, so developers can review and verify Semgrep's generated fixes before they're applied.

Figure. Semgrep Assistant generates a potential fix in a PR comment.

Autofixes are also available in Semgrep AppSec Platform's Findings page under Your code in the finding's details.

Figure. Semgrep Assistant showing a potential fix in Semgrep AppSec Platform.

The finding's details also include a link to the PR or MR with the autofix, so you can go directly to the PR or MR to commit the autofix.

Priority inbox

Semgrep sends weekly emails with information on Assistant's top three backlog tasks across all findings. Unlike other Assistant features, these suggestions can include information for all Semgrep products that you have enabled. The emails are sent out on Monday to all organization admins.

This information is also available in Semgrep AppSec Platform on the Dashboard page under Assistant recommended tasks.

Figure. Semgrep Assistant's priority inbox email and Dashboard view.

Custom rules editor (beta)

Semgrep Assistant can help you write custom rules to find patterns and vulnerabilities specific to your codebase. The only information you need to provide is a prompt, written in English, describing what you want the rule to do. If you also provide an example of bad code and an example of good code, Semgrep uses them to test the generated rule and to give the language model (LLM) additional context.
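As an added example (not from the Semgrep docs or the Semgrep rule registry), this is the kind of custom rule the autofix and custom rules sections above refer to: it flags a hypothetical render_html() call whose argument does not pass through a project's own sanitize_html() sanitizer, and it carries a human-written fix, which is what makes Assistant recommend that sanitizer rather than generate its own autofix. The rule id, both function names, and the bad/good code samples are assumptions made for this example.

```yaml
rules:
  - id: require-sanitize-html-before-render   # hypothetical rule id
    languages: [python]
    severity: ERROR
    message: >-
      render_html() receives content that was not passed through
      sanitize_html(). Wrap the argument in sanitize_html() so that
      untrusted input cannot reach the template unescaped.
    patterns:
      # Match every call to the (hypothetical) render helper...
      - pattern: render_html($CONTENT)
      # ...except calls whose argument is already wrapped in the sanitizer.
      - pattern-not: render_html(sanitize_html(...))
    # Human-written autofix. Because this field is present, Semgrep
    # Assistant does not generate its own fix for this rule's findings;
    # the sanitizer named here is the one it recommends.
    fix: render_html(sanitize_html($CONTENT))
    metadata:
      category: security
      # The bad/good pair given to the Assistant rule editor as examples
      # (constructed for this illustration):
      #   bad:  render_html(request.form["bio"])
      #   good: render_html(sanitize_html(request.form["bio"]))
```

Running semgrep --config rule.yaml --autofix applies the fix in place; the bad/good pair can be kept as a .py file annotated with # ruleid: and # ok: comments for semgrep --test, so the rule is checked against both examples on every change.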

Semgrep uses API permissions to access code on your pre-selected GitHub or GitLab repositories.

  • Semgrep Assistant logs and stores the GPT prompts and responses for the sake of performance evaluation, which includes source code snippets.
  • Semgrep Assistant sends relevant lines of code to OpenAI's API, where, currently, "relevant lines of code" means the lines that are part of the Semgrep finding plus 10 lines of context on each side. Semgrep, Inc. is likely to expand this, potentially to the entire file, as we learn how to pass more useful context.
  • Semgrep stores and retains GPT's responses based on these code snippets for up to 6 months. Semgrep, Inc. will update you with at least a 30-day notice if we make any changes to the retention policy.
  • Semgrep, Inc. is a paying customer of OpenAI and has a Data Protection Agreement signed with them (provided upon request by contacting support). The code snippets we upload are persisted by OpenAI temporarily, following their data usage policies at OpenAI API Data Usage Policies.
  • Semgrep, Inc. takes the following steps to protect data that is processed by AI since Assistant requires the sharing of code snippets with a third party:
    • Semgrep shares code snippets with OpenAI without identifying the customer or repository name.
    • Semgrep only shares the code necessary to enlist the help of GPT in automating the resolution of each specific alert.
    • Semgrep only accesses source code repositories on a file-by-file basis; it does not need or request org-level access to your codebase.
  • When using Semgrep Assistant, source code does leave your repository; Assistant submits part of the file with a finding to OpenAI for processing by a GPT model. OpenAI is not allowed to use the submitted code to train its models.
  • Regarding your data privacy, none of your personal information is shared with OpenAI as a part of the Semgrep Assistant feature.
  • Semgrep, Inc. and OpenAI do not obtain any rights to your source code. Your source code remains yours, and Semgrep or OpenAI accesses it to the limited extent necessary to provide the Semgrep Assistant service. Once the results are returned to you, Semgrep Assistant deletes the shared snippets. OpenAI retains copies of the content sent to them for a maximum of 30 days to monitor for abuse, as indicated in their API Data Usage Policies.
  • Because Semgrep Assistant accesses OpenAI's services through the API, OpenAI does not use any of the code provided to them to improve their services (see Section 3(c) of their Terms of Use).
  • To a limited extent, using Semgrep Assistant changes the terms of your agreement with Semgrep, Inc. Specifically, sharing code snippets with Semgrep Assistant as part of this feature expands the scope of the data to which you grant Semgrep, Inc. a limited license to provide services to you (see Section 5.1 of our Subscriber Agreement).

For more details, see the Semgrep Assistant FAQ.

Provide feedback

Semgrep Assistant prompts you for feedback whenever it suggests that a finding is a false positive. Because Assistant content is generated by language models (LLMs), your feedback helps the Semgrep team improve Assistant.

  • In Semgrep AppSec Platform, the Assistant recommendation appears under Activity for a finding, along with Agree and ignore or Disagree buttons.
  • In Slack notifications, Agree and Disagree buttons appear under the Assistant recommendation message.
  • In GitHub pull requests, you can leave feedback using /semgrep assistant agree|disagree.

If Semgrep Assistant suggests that a finding is a true positive and supplies an autofix suggestion, there is no automated mechanism to leave feedback on this outcome. Feel free to contact the Semgrep team using one of the methods below to let us know your thoughts!

Next steps

Learn how to enable Semgrep Assistant for your deployment.
