
Getting started with Semgrep Cloud Platform

Semgrep Cloud Platform (SCP) enables you to run scans continuously on multiple repositories by integrating with your GitHub, GitLab, or BitBucket SaaS repositories.

Semgrep uses rules to scan code. Matches found based on those rules are called findings. A Semgrep rule encapsulates the pattern-matching logic and, optionally, the data-flow (taint) analysis used to find issues such as coding-standard violations, security vulnerabilities, or outdated libraries.

Semgrep Cloud Platform can scan the following targets:

  • First-party code - Scan the code you write with Semgrep OSS Engine or Semgrep Code, both SAST (Static Application Security Testing) tools.
  • Third-party code - Scan your dependencies with Semgrep Supply Chain, an SCA (Software Composition Analysis) tool.
Info: Many improvements to the Semgrep Cloud Platform experience only work with up-to-date Semgrep CLI versions. For this reason, Semgrep Cloud Platform only supports the 10 most recent minor versions of Semgrep CLI. For example, if the latest release is 0.114.0, every version from 0.105.0 upward is supported, while earlier versions such as 0.104.0 or 0.103.0 may be deprecated or result in failures.

For Docker users: Use the latest tag to ensure you are up-to-date.

Semgrep Cloud Platform supports code scanning from:

  • Local command-line interfaces (CLI).
  • GitHub, GitLab, and BitBucket through continuous integration (CI).

Diagram of Semgrep Cloud Platform flow

Benefits of using Semgrep Cloud Platform

Semgrep Cloud Platform with Semgrep Code

Semgrep Code, a SAST tool, enables you to scan your first-party code through the use of rules. Many rules are available from Semgrep Registry, an open-source, community-driven repository of rules. You can also write your own rules to encode your team's specific practices, or publish rules for the community. You can use Semgrep Code from your CLI or with Semgrep Cloud Platform.
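The following rule file is an added example to show what a rule as described above (pattern matching plus optional data-flow analysis) looks like when you write your own; it is not a rule from this page or from the Semgrep Registry. The rule ids, messages, file name shell-injection.yaml and the library calls it targets are illustrative choices. The first rule is plain pattern matching; the second is a taint-mode rule that only fires when untrusted Flask request data reaches a subprocess call without passing through a sanitizer.

```yaml
# Added example rule file (not part of the Semgrep docs page or the Semgrep Registry).
# Rule ids, messages and the functions named below are illustrative.
rules:
  # Plain pattern matching: flag any subprocess call that sets shell=True,
  # regardless of where its arguments come from.
  - id: python-subprocess-shell-true
    languages: [python]
    severity: WARNING
    message: >-
      subprocess.$FUNC is called with shell=True. Pass an argument list and
      drop shell=True so that strings are never parsed by a shell.
    patterns:
      - pattern: subprocess.$FUNC(..., shell=True, ...)
    metadata:
      category: security
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"

  # Data-flow (taint) analysis: report only when data from the HTTP request
  # reaches the command argument of a subprocess call. Values that pass
  # through shlex.quote() are treated as sanitized and are not reported.
  - id: python-flask-request-to-subprocess
    mode: taint
    languages: [python]
    severity: ERROR
    message: >-
      Request-controlled data flows into the command passed to subprocess.$FUNC
      without sanitization (OS command injection).
    pattern-sources:
      - pattern: flask.request.args.get(...)
      - pattern: flask.request.form.get(...)
    pattern-sanitizers:
      - pattern: shlex.quote(...)
    pattern-sinks:
      # The sink is the first argument (the command), not the whole call.
      - patterns:
          - pattern-inside: subprocess.$FUNC($SINK, ...)
          - pattern: $SINK
    metadata:
      category: security
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"
```

Run it locally against a directory with `semgrep --config shell-injection.yaml src/`; the first rule produces a finding on every `subprocess.run(cmd, shell=True)`, while the second stays quiet for a call whose command is a constant or has been wrapped in `shlex.quote()`, which is the difference between a pattern rule and a data-flow rule.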

Using Semgrep Code with Semgrep Cloud Platform provides you with the Rule Board, where you determine which rules Semgrep uses and what action Semgrep takes when a rule generates a finding. The Rule Board can block pull requests (PRs) or merge requests (MRs) from merging until findings are resolved. This behavior helps prevent vulnerable code from shipping to widely accessible environments, such as production or staging servers.

Semgrep Cloud Platform enables you to deploy, configure, and manage Semgrep in your continuous integration (CI) environment. Semgrep Cloud Platform supports the upload of findings from CLI scans as well. For more information, see Getting started with Semgrep OSS Engine.

Semgrep Cloud Platform with Semgrep Supply Chain

Semgrep Supply Chain, an SCA (Software Composition Analysis) tool, enables you to scan third-party code (also known as dependency scanning). It uses reachability analysis, so a vulnerable dependency is reported with the evidence of whether your first-party code actually calls the affected functionality. Semgrep's security research team regularly writes rules for emerging vulnerabilities. You can use Semgrep Supply Chain from your CLI or with Semgrep Cloud Platform.

Using Semgrep Supply Chain with Semgrep Cloud Platform provides the Vulnerabilities page, where you can view, triage, and remediate vulnerabilities. The Advisory page keeps you up to date with the most recent rules.

Prerequisite

Semgrep Supply Chain is available for users that have a Semgrep Supply Chain Team License. Contact sales@semgrep.com for more information.

Signing in to Semgrep Cloud Platform

Signing in to Semgrep Cloud Platform requires either a GitHub or GitLab account. Semgrep Cloud Platform supports Single Sign-On (SSO) on Team or Enterprise tiers. This guide focuses on GitHub and GitLab sign-ins. See SSO Configuration for information on single sign-on.

Prerequisite

A GitHub or GitLab SaaS account. The account is used to confirm your identity.

To sign in to Semgrep with a GitHub account:

  1. Click the following link: Sign into Semgrep.
  2. Select Sign in with GitHub. You are redirected to the GitHub sign in page if you are not currently signed in.
  3. Sign in with your credentials.
  4. You are redirected back to Semgrep Cloud Platform.
  5. Click Accept to accept Semgrep's Terms of Service.
  6. Optional: Fill out the survey and click Complete or click Skip to omit this step.

You are now signed in to Semgrep Cloud Platform with a personal account.

Requested permissions for GitHub and GitLab

Permissions for GitHub

This section explains Semgrep Cloud Platform permissions that are requested in two different events:

  • When you first sign in through GitHub.
  • When you first add, integrate, or onboard your repositories to Semgrep Cloud Platform.
Permissions when signing in with GitHub

Semgrep Cloud Platform requests the following standard permissions set by GitHub when you first sign in. However, not all permissions are used by Semgrep Cloud Platform. Read the following list to see how Semgrep Cloud Platform uses permissions when signing in:

Verify your GitHub identity
Enables Semgrep Cloud Platform to read your GitHub profile data, such as your username.
Know which resources you can access
Semgrep does not use or access any resources when first logging in. However, you can choose to share resources at a later point in order to add repositories into Semgrep Cloud Platform.
Act on your behalf
Enables Semgrep Cloud Platform to perform certain tasks only on resources that you choose to share with Semgrep Cloud Platform. Semgrep Cloud Platform never uses this permission and never performs any actions on your behalf, even after you have installed semgrep-app. See When does a GitHub App act on your behalf? in GitHub documentation.
Permissions when adding your repositories into Semgrep Cloud Platform

The GitHub integration app is called semgrep-app. This app is used to integrate Semgrep into user-selected GitHub repositories. It requires the following permissions:

Reading metadata of the repositories you select
Enables Semgrep Cloud Platform to list repository names on the project setup page.
Reading the list of organization members
Enables Semgrep Cloud Platform to determine who can manage your Semgrep organization based on your GitHub organization's members list.
Reading and writing actions
Enables Semgrep Cloud Platform to cancel stuck jobs, rerun jobs, pull logs from jobs, and perform on-demand scanning.
Reading GitHub Checks
Facilitates debugging of Semgrep Cloud Platform when configured out of GitHub Actions.
Reading and writing security events
Enables integration with GitHub Advanced Security (for example, to show Semgrep results).
Reading and writing secrets
Enables Semgrep Cloud Platform to automatically add the Semgrep Cloud Platform token to your repository secrets when onboarding projects. Note: Semgrep cannot read the values of your existing or future secrets, only their names.
Reading and writing 2 files
Enables Semgrep Cloud Platform to configure itself to run in CI by writing to .github/workflows/semgrep.yml and .semgrepignore files.
Reading and writing workflows
Enables Semgrep Cloud Platform to configure itself to run in CI by writing to .github/workflows/semgrep.yml. GitHub only allows writing to files within the .github/workflows/ directory if this permission is granted along with the "Writing a single file" permission.
Reading and writing pull requests
Write permissions allow Semgrep Cloud Platform to leave pull request comments about findings. Read permissions allow Semgrep Cloud Platform to automatically remove findings when the pull request that introduced them is closed without merging.
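The permissions above exist so that Semgrep Cloud Platform can write a workflow file and a repository secret for you. As an added example of what such a .github/workflows/semgrep.yml looks like (this is not the file Semgrep Cloud Platform generates, and not code from this page), the following workflow runs `semgrep ci` on pull requests, pushes and a schedule. The branch name, cron schedule, container image tag and actions/checkout version are assumptions; SEMGREP_APP_TOKEN is the environment variable the Semgrep CLI reads for the token this page calls the Semgrep Cloud Platform token, and the `permissions:` block is a least-privilege setting added here, not something the page prescribes.

```yaml
# Added example workflow (not the file generated by Semgrep Cloud Platform).
# Branch name, cron schedule, image tag and checkout version are assumptions.
name: Semgrep

on:
  pull_request: {}
  push:
    branches: [main]
  schedule:
    # Periodic full scan so newly published rules are applied to code that
    # has not changed since the last push (assumed schedule; adjust to taste).
    - cron: "17 3 * * 1"

# Least privilege: `semgrep ci` only needs to read the checkout. PR comments
# are posted through the semgrep-app GitHub App, not through GITHUB_TOKEN,
# so the job does not need write access to anything.
permissions:
  contents: read

jobs:
  semgrep:
    name: Scan
    runs-on: ubuntu-latest
    # The `latest` tag keeps the CLI inside the supported version window
    # described earlier on this page.
    container:
      image: returntocorp/semgrep:latest
    # Runs triggered by Dependabot do not receive repository secrets, so the
    # token would be empty; skip them rather than fail.
    if: github.actor != 'dependabot[bot]'
    steps:
      - uses: actions/checkout@v3
      - name: Run Semgrep in CI mode
        run: semgrep ci
        env:
          # Repository secret written by semgrep-app during onboarding
          # (the "Reading and writing secrets" permission above).
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
```

`semgrep ci` uploads findings to Semgrep Cloud Platform and exits non-zero when a rule the Rule Board marks as blocking produces a finding, which is what lets the platform block a pull request. Paths listed in a .semgrepignore file at the repository root (the second file the app may write) are excluded from the scan, which is where test fixtures and vendored code usually go.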

Next steps

Starting a SAST scan with Semgrep Code

To start a SAST scan on your codebase, see Getting started with Semgrep Code. Semgrep Code provides a free Community tier for up to 20 collaborators.

Starting an SCA scan with Semgrep Supply Chain

To start an SCA scan for your third-party dependencies, contact sales@semgrep.com.

Additional resources

Semgrep Cloud Platform session details

  • A Semgrep Cloud Platform session token is valid for 7 days; after that you must reauthenticate.
  • This session timeout is not configurable.
  • Semgrep Cloud Platform does not use cookies; instead it stores access tokens in the browser's localStorage, where they expire after 7 days. Unlike an HttpOnly cookie, localStorage is readable by any script running in the application's origin, so the token is only as well protected as the page itself is against cross-site scripting.
