  • Semgrep Cloud Platform
  • Team & Enterprise Tier

Enabling GitHub pull request comments

Prerequisites
  • Pull request (PR) comments can only be enabled through Semgrep Cloud Platform (SCP). Create an account to set up PR comments.
  • To receive alerts and notifications, you must add or onboard a project (repository) to Semgrep Cloud Platform for scanning.

Pull request comments are created when:

  1. Semgrep finds a result in CI.
  2. The Semgrep GitHub App has permissions to post inline PR comments.

Automated comments on GitHub pull requests are displayed as follows:

Figure: An inline GitHub pull request comment (screenshot).

Semgrep Cloud Platform uses the permissions requested by the Semgrep GitHub App to leave PR comments. You can verify that you have granted these permissions by visiting either https://github.com/organizations/<your_org_name>/settings/installations or https://github.com/organizations/<your_org_name>/<your_repo_name>/settings/installations.

If you use GitHub Actions to run Semgrep, no extra changes are needed to get PR comments. If you use another CI provider, then in addition to the environment variables you set when following the sample CI configurations, ensure that the following environment variables are correctly defined:

  • SEMGREP_PR_ID is set to the PR number of the pull request on GitHub (for example, 2901)
  • SEMGREP_REPO_NAME is set to the repository name (for example, returntocorp/semgrep)
  • SEMGREP_REPO_URL is set to the repository URL where your project is viewable online (for example, https://github.com/returntocorp/semgrep)
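The three variables above are easy to get subtly wrong in a hand-written CI job (a PR identifier that is not a bare number, a repository name without its owner, a URL that points at a different repository than the name). The following pre-flight check is an added example, not part of the Semgrep documentation: the function name and the exact checks are this example's own, and the sample values in the messages mirror the documentation's examples. It is meant to run in the CI step just before the scan, so that a misconfiguration shows up in the CI log instead of as silently missing PR comments.

```shell
#!/bin/sh
# Added example, not part of the Semgrep documentation: a pre-flight check for the
# three variables a CI job outside GitHub Actions must export so that Semgrep Cloud
# Platform can post PR comments. The function name and the checks it applies are
# this example's own; values quoted in messages mirror the docs' sample values.

# Returns 0 when SEMGREP_PR_ID, SEMGREP_REPO_NAME and SEMGREP_REPO_URL are all set
# and well-formed, 1 otherwise. Every problem found is reported on stderr so the
# CI log shows exactly which variable needs fixing.
check_semgrep_pr_env() {
    _status=0

    # PR number: must be a non-empty string of digits (for example, 2901).
    case "${SEMGREP_PR_ID:-}" in
        '')       echo "SEMGREP_PR_ID is unset; expected the pull request number" >&2; _status=1 ;;
        *[!0-9]*) echo "SEMGREP_PR_ID='$SEMGREP_PR_ID' is not a plain PR number" >&2; _status=1 ;;
    esac

    # Repository name: exactly one slash with text on both sides (owner/repo).
    case "${SEMGREP_REPO_NAME:-}" in
        '')          echo "SEMGREP_REPO_NAME is unset; expected owner/repo" >&2; _status=1 ;;
        */*/*|/*|*/) echo "SEMGREP_REPO_NAME='$SEMGREP_REPO_NAME' is not of the form owner/repo" >&2; _status=1 ;;
        */*)         ;;   # well-formed
        *)           echo "SEMGREP_REPO_NAME='$SEMGREP_REPO_NAME' is missing the owner/ prefix" >&2; _status=1 ;;
    esac

    # Repository URL: an https URL that ends in /owner/repo. The host is not pinned
    # to github.com so that GitHub Enterprise Server hostnames also pass.
    case "${SEMGREP_REPO_URL:-}" in
        '')                                 echo "SEMGREP_REPO_URL is unset; expected the repository's web URL" >&2; _status=1 ;;
        https://*/"${SEMGREP_REPO_NAME:-}") ;;   # well-formed and consistent with the repo name
        https://*)                          echo "SEMGREP_REPO_URL='$SEMGREP_REPO_URL' does not end in /$SEMGREP_REPO_NAME" >&2; _status=1 ;;
        *)                                  echo "SEMGREP_REPO_URL='$SEMGREP_REPO_URL' is not an https:// URL" >&2; _status=1 ;;
    esac

    return $_status
}

# Typical use in a CI step, after the three variables have been exported:
#   check_semgrep_pr_env && semgrep ci
```

The URL check deliberately requires the URL to end in the same owner/repo as SEMGREP_REPO_NAME; a mismatch between the two is the most common reason a comment ends up attached to the wrong project or not posted at all.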
Info: Only rules in the Comment and Block columns of your Policies create PR comments.

Enabling autofix in GitHub repositories

Autofix is a Semgrep feature in which rules contain suggested fixes to resolve findings.

To enable autofix for all projects in your Semgrep Cloud Platform organization, follow these steps:

  1. In Semgrep Cloud Platform, click Settings on the left sidebar.
  2. Click the Autofix toggle.

Dataflow traces in PR comments

Figure: An inline GitHub pull request comment with dataflow traces (screenshot).

Semgrep Code can show you the path that untrusted (tainted) data takes in specific findings. For findings that involve tainted data, this helps you track the sources and sinks of that data as it propagates through the body of a function or method. For general information about taint analysis, see the Taint tracking documentation.

With Semgrep Pro Engine, Semgrep Code can display findings that show the propagation of tainted data across multiple files. To get such findings, follow the required steps in Enabling Semgrep Pro Engine documentation.

This feature is also called dataflow traces; the underlying CLI flag is --dataflow-traces.
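To see what a trace contains before relying on it in PR comments, it helps to run the flag locally against a rule whose source and sink you control. The script below is an added example and is not part of the Semgrep documentation or the Semgrep Registry: the rule id, the file names and the Flask snippet are constructed for this example, and the source/sink pairing (a request parameter reaching os.system) is one conventional taint pattern chosen for illustration. The sample routes the tainted value through a helper function so that the printed trace has an intermediate step, which is the part of the output that matters when triaging a finding.

```shell
#!/bin/sh
# Added example, not part of the Semgrep documentation or its Registry: a minimal
# taint-mode rule plus a constructed sample file, so the --dataflow-traces flag
# can be tried locally. Rule id, file names and sample code are this example's own.

# Write a taint rule that marks Flask request parameters as sources and
# os.system() as the sink; $1 is the output path.
write_taint_rule() {
    cat > "$1" <<'EOF'
rules:
  - id: example-request-param-to-os-system
    mode: taint
    languages: [python]
    severity: ERROR
    message: Untrusted request parameter reaches os.system()
    pattern-sources:
      - pattern: flask.request.args.get(...)
    pattern-sinks:
      - pattern: os.system(...)
EOF
}

# Write a constructed sample the rule should flag. The tainted value goes through
# a helper before reaching the sink, so the trace shows an intermediate step
# rather than a direct source-to-sink line; $1 is the output path.
write_sample_app() {
    cat > "$1" <<'EOF'
import os
from flask import request

def build_cmd(host):
    return "ping -c 1 " + host

def handler():
    host = request.args.get("host")  # taint source
    cmd = build_cmd(host)            # taint propagates through the call
    os.system(cmd)                   # taint sink
EOF
}

# Write both files into directory $1 and run the scan with traces enabled.
# Returns 0 when semgrep ran, 2 when it is not installed (the files are still
# written so they can be scanned on another machine).
scan_with_traces() {
    _dir=$1
    write_taint_rule "$_dir/rule.yaml"
    write_sample_app "$_dir/app.py"
    if ! command -v semgrep >/dev/null 2>&1; then
        echo "semgrep is not installed; rule and sample written to $_dir" >&2
        return 2
    fi
    # With --dataflow-traces the finding is followed by the source line, the
    # intermediate assignment through build_cmd, and the sink line.
    semgrep --config "$_dir/rule.yaml" --dataflow-traces "$_dir/app.py"
}

# Usage:  scan_with_traces "$(mktemp -d)"
```

Running the same rule through a scan configured in Semgrep Cloud Platform is what produces the traced PR comment shown in the figure; the local run is only a way to confirm that the rule's sources and sinks match the code paths you expect before it is added to a policy.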

You can view dataflow traces in:

Viewing the path of tainted data in PR comments

To enable the dataflow traces feature in your CI pipeline, fulfill the following prerequisites:

Prerequisites
  • Enable GitHub pull request Semgrep comments, as described on this page.
  • To obtain meaningful results of dataflow traces in PR comments, use Semgrep Pro Engine while scanning your repositories to display cross-file (interfile) findings. To enable Semgrep Pro Engine, see Semgrep Pro Engine overview.
  • Not all Semgrep rules or rulesets use taint tracking. Ensure that a ruleset that does, such as the default ruleset, is added to your Policies. If it is not, go to https://semgrep.dev/p/default and click Add to Policies. You can also add individual rules that use taint tracking from the Semgrep Registry.
