- Semgrep Cloud Platform
- Team & Enterprise Tier
Set up GitHub pull request comments
- You have gained the necessary resource access and permissions required for deployment.
- You have created a Semgrep account and organization.
- For GitHub and GitLab users: You have connected your source code manager.
- Optionally, you have set up SSO.
- You have successfully added a Semgrep job to your CI workflow with diff-aware scanning.
Semgrep can create pull request (PR) comments in your GitHub repository. These comments provide a description of the issue detected by Semgrep and may offer possible solutions. These comments are a means for security teams, or any team responsible for creating standards to help their fellow developers write safe and standards-compliant code.
Automated comments on GitHub pull requests are displayed as follows:
Figure An inline GitHub pull request comment.
Conditions for PR comment creation
PR comments appear for the following types of scans under these conditions:
|Type of scan
|How to set up
|Static application security testing (SAST)
|A comment appears when a finding is generated by a rule in Comment or Block mode. This means you can fully customize what comments your developers receive.
|Complete the steps in the following sections:
|Software composition analysis (SCA)
|Semgrep Supply Chain (SSC)
|A comment appears only when the finding is reachable.
|Complete the steps in Confirm account connection and access.
|Semgrep Secrets (beta)
|A comment appears on validated secrets.
|This product is in beta.
Contact email@example.com to enable comments.
Comments from Supply Chain scans include the following information:
- A description of the vulnerability, including the types of attack it is vulnerable to.
- Indicates what versions to upgrade to, if any, that resolves or eliminates the vulnerability.
- A link to additional information about the vulnerability from GitHub Advisory Database and the National Vulnerability Database (NVD), if available.
Pull or merge requests with vulnerabilities detected by SSC are not blocked from merging.
Steps to set up PR comments
In addition to finishing the previous steps in your deployment journey, it is recommended to have completed a full scan on your default branch for the repository in which you want to receive comments.
Confirm your Semgrep account's connection to GitHub
Confirm that you have the correct connection and access:
- In your SCP account, click Settings > Source code managers.
- Check that an entry for your GitHub org exists and is correct.
Confirm repository access
Ensure that Semgrep's GitHub app (
semgrep-app) has sufficient permissions to post PR comments:
- Navigate to your
- For personal accounts, navigate to the following URL
- For organization accounts, navigate to the following URL, substituting YOUR_ORG_NAME with the name of your account:
- For personal accounts, navigate to the following URL
- On the
semgrep-approw, click Configure.
- Check that you have granted the following permission:
Read and write access to actions, pull requests, secrets, security events, and workflows.
- Under Repository access, check that you have included the repositories that you added to Semgrep Cloud Platform. Review the following examples:
Figure Permissions for all repositories.
Figure Permissions for select repositories. Ensure the repositories you have onboarded to Semgrep Cloud Platform are selected.
For GitHub Actions users, no further steps need to be undertaken. Continue setting up Semgrep Code PR comments by setting rules to Comment or Block mode.
Required environment variablesFor CI providers aside from GitHub Actions, additional environment variables must be set:
SEMGREP_PR_IDis set to the PR number of the pull request on GitHub Actions.
SEMGREP_REPO_NAMEis set to the repository name.
SEMGREP_REPO_URLis set to the repository URL where your project is viewable online.
These values do not have to be fixed or hardcoded. They can be variables passed to the job. For more information, see Sample CI configurations.
Configure comments for Semgrep CodeIn addition to setting up the connection between Semgrep and GitHub, you must assign rules to Comment or Block mode. This customization enables you to:
- Manage the amount of PR comments your developers receive.
- Ensure that only rules that meet your criteria, such as high severity or high confidence rules, produce comments visible to developers, reducing noise.
Set rules to Comment or Block mode
The following instructions let you customize what findings or security issues your developers see as comments in their PRs:
- In your SCP account, click Rules > Policies. You are taken to the Policies page. Under Modes , you can quickly see if you have existing rules in either Comment or Block mode.
- Optional: Use the filters to quickly find rules to set to Comment or Block.
- Click the checkbox of the rules you want to set. You can use Ctrl + Click to select rules in bulk.
- Click Change modes.
- Click either Block or Comment.
If you are using GitHub Actions to run Semgrep, no extra changes are needed to receive PR comments.
Receive comments in your VPN or on-premise SCM
To enable comments within self-hosted SCMs behind firewalls or VPNs (Virtual Private Networks):
- Add the following IP addresses to your VPN's ingress allowlist and egress allowlist, if you have one.
# These IP addresses are inbound and outbound:
- Test that you are able to receive findings by manually triggering a scan through your CI provider.
You've set up PR comments! Enable optional features provided in the following sections, or see Next steps.
Enable autofix in GitHub repositories
Autofix is a Semgrep feature in which rules contain suggested fixes to resolve findings.
To enable autofix for all projects in your Semgrep Cloud Platform organization, follow these steps:
- In Semgrep Cloud Platform, click Settings on the left sidebar.
- Click Autofix toggle.
Dataflow traces in PR comments
Figure An inline GitHub pull request comment with dataflow traces.
With dataflow traces, Semgrep Code can provide you with a visualization of the path of tainted, or untrusted, data in specific findings. This path can help you track the sources and sinks of the tainted data as they propagate through the body of a function or a method. For general information about taint analysis, see Taint tracking.
When running Semgrep Code from the command line, you can pass in the flag
--dataflow-traces to use this feature.
You can view dataflow traces in:
- Semgrep Cloud Platform by going to Semgrep Code's Findings page. For more details, see Path of tainted data in Semgrep Code.
- The PR or MR comments created by Semgrep Code running in your CI/CD system. To enable this feature, see:
Get cross-file findings
View the path of tainted data in PR comments
To enable dataflow traces feature in your CI pipeline, fulfill the following prerequisites:
- Set up Semgrep to post GitHub PR comments, as described on this page.
- To obtain meaningful results of dataflow traces in PR comments, use Semgrep Pro Engine while scanning your repositories to display cross-file (interfile) findings. To enable Semgrep Pro Engine, see Semgrep Pro Engine overview.
- Not all Semgrep rules or rulesets make use of taint tracking. Ensure that you have a ruleset that does, such as the default ruleset, added in your Policies. To add this ruleset, navigate to https://semgrep.dev/p/default, and then click Add to Policies.
- You can add additional rules that use taint tracking from Semgrep Registry.
Prevent developers from merging a PR with a reachable vulnerability
Both GitHub and GitLab provide features to prevent or block a PR or MR from merging based on certain conditions. Refer to the links below to prevent PRs or MRs from merging when a reachable finding is detected:
|Require conversation resolution before merging
|Prevent merge unless all threads are resolved
You've finished setting up a core deployment of Semgrep 🎉.
- Explore recommended tasks after deployment in Beyond core deployment.