- Semgrep Cloud Platform
- Team & Enterprise Tier
Enabling GitLab merge request comments
- Merge request (MR) comments can only be enabled through Semgrep Cloud Platform (SCP). Create an account to set up MR comments.
- To receive alerts and notifications, you must add or onboard a project (repository) to Semgrep Cloud Platform for scanning.
This section documents how to enable Semgrep Cloud Platform to post comments on merge requests.
Automated comments on GitLab merge requests are displayed as follows:
Figure An inline GitLab merge request comment.
To enable GitLab merge request comments, follow these steps:
- In GitLab, go to Profile > Access Tokens, and then add a token with the `api` scope. The `api` scope grants full read and write access to the GitLab API as the token's owner, so set an expiration date on the token and treat it as a secret.
- Copy the token created in the previous step.
- Navigate to Your repository > Settings > CI/CD. The URL of the page ends with `/username/project/-/settings/ci_cd`.
- Under Variables, click Expand, and then click Add variable.
- Enter PAT (change this placeholder name as necessary) in the Key field, and paste the token value copied in step two into the Value field.
- Select the Mask variable checkbox, and then clear the Protect variable checkbox. Masking keeps the token out of job logs; clearing Protect variable makes the token available to merge request pipelines from unprotected branches, which is where the comments are posted.
- Update your `.gitlab-ci.yml` file with the variable `GITLAB_TOKEN` set to the value `$PAT`. Refer to the following example:
```yaml
semgrep:
  # A Docker image with Semgrep installed.
  image: returntocorp/semgrep
  # Run the "semgrep ci" command on the command line of the docker image.
  script: semgrep ci
  rules:
    # Scan changed files in MRs (diff-aware scanning):
    - if: $CI_MERGE_REQUEST_IID
    # Scan mainline (default) branches and report all findings.
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  variables:
    # Connect to Semgrep Cloud Platform through your SEMGREP_APP_TOKEN.
    # Generate a token from Semgrep Cloud Platform > Settings
    # and add it as a variable in your GitLab CI/CD project settings.
    SEMGREP_APP_TOKEN: $SEMGREP_APP_TOKEN
    # Receive inline MR comments (requires a Semgrep Cloud Platform account).
    GITLAB_TOKEN: $PAT
```
Substitute the placeholder `PAT` with the name you created for this variable.
For more configuration options, see GitLab CI Sample.
Only rules in the Comment and Block columns of your Policies create MR comments.
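As an added pre-flight check for the steps above (this script is not part of the Semgrep documentation, of Semgrep, or of GitLab), the following Python code queries GitLab for the token and the CI/CD variable you just created and reports anything that would stop comments from being posted: a token without the `api` scope, an expired or revoked token, a variable that is not masked, or one that is still protected. It assumes the GitLab endpoints `GET /personal_access_tokens/self` and `GET /projects/:id/variables/:key` and their documented field names; the sample responses embedded in it are constructed so the checks also run offline.

```python
"""Pre-flight check for the GitLab MR comment setup above.

Added example, not Semgrep's or GitLab's own code. It relies on two GitLab REST
endpoints (assumed, as documented for GitLab 16 and later; confirm on your instance):
  GET /api/v4/personal_access_tokens/self    metadata of the calling token
  GET /api/v4/projects/:id/variables/:key    one project CI/CD variable
and checks that the token has the `api` scope and is usable, and that the
variable holding it is masked and not protected.
"""
import json
import os
import sys
import urllib.request
from datetime import date
from typing import Dict, List, Optional

# Constructed sample responses (field names follow the GitLab API docs; values are
# made up) so the checks can be exercised without network access.
SAMPLE_TOKEN_INFO = {"name": "semgrep-mr-comments", "scopes": ["api"], "active": True,
                     "revoked": False, "expires_at": "2099-01-01"}
SAMPLE_VARIABLE = {"key": "PAT", "masked": True, "protected": False}


def check_token(info: Dict, today: Optional[date] = None) -> List[str]:
    """Return problems with the token metadata `info`; an empty list means usable."""
    today = today or date.today()
    problems = []
    if "api" not in info.get("scopes", []):
        problems.append("token lacks the `api` scope needed to post MR notes")
    if not info.get("active", False) or info.get("revoked", False):
        problems.append("token is inactive or revoked")
    expires = info.get("expires_at")
    if expires and date.fromisoformat(expires) <= today:
        problems.append(f"token expired on {expires}")
    return problems


def check_variable(var: Dict) -> List[str]:
    """Return problems with a CI/CD variable; mirrors the Mask/Protect checkboxes above."""
    key = var.get("key", "?")
    problems = []
    if not var.get("masked", False):
        problems.append(f"variable {key} is not masked, so the token can leak into job logs")
    if var.get("protected", False):
        problems.append(f"variable {key} is protected, so MR pipelines from unprotected "
                        "branches cannot read it and no comments will be posted")
    return problems


def run_checks(token_info: Dict, variable: Dict) -> List[str]:
    """Combine both checks; the live path and the offline path both call this."""
    return check_token(token_info) + check_variable(variable)


def gitlab_get(base_url: str, path: str, token: str) -> Dict:
    """GET a GitLab API path, authenticating with the token under test."""
    req = urllib.request.Request(f"{base_url}/api/v4{path}",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def main() -> int:
    # Live mode needs PAT (same name as the CI/CD variable) and CI_PROJECT_ID in the
    # environment; otherwise the constructed samples are checked instead.
    token = os.environ.get("PAT")
    project = os.environ.get("CI_PROJECT_ID")
    if token and project:
        base = os.environ.get("CI_SERVER_URL", "https://gitlab.com")
        problems = run_checks(gitlab_get(base, "/personal_access_tokens/self", token),
                              gitlab_get(base, f"/projects/{project}/variables/PAT", token))
    else:
        problems = run_checks(SAMPLE_TOKEN_INFO, SAMPLE_VARIABLE)
    for p in problems:
        print("FAIL:", p)
    print("OK" if not problems else f"{len(problems)} problem(s)")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from a job in the same pipeline (where `CI_PROJECT_ID` and `CI_SERVER_URL` are already set and `PAT` is injected as the variable you created), or locally with `PAT` and `CI_PROJECT_ID` exported. If you renamed the variable from `PAT`, change the path in the second `gitlab_get` call to match.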
Enabling autofix in GitLab repositories
Autofix is a Semgrep feature in which rules contain suggested fixes to resolve findings.
To enable autofix for all projects in your Semgrep Cloud Platform organization, follow these steps:
- In Semgrep Cloud Platform, click Settings on the left sidebar.
- Click the Autofix toggle.
Dataflow traces in MR comments
Figure An inline GitLab merge request comment with dataflow traces.
Semgrep Code can provide you with a visualization of the path of untrusted (tainted) data in specific findings. Findings that display tainted data help you track the sources and sinks of that data as it propagates through the body of a function or method. For general information about taint analysis, see the Taint tracking documentation.
With Semgrep Pro Engine, Semgrep Code can display findings that show the propagation of tainted data across multiple files. To get such findings, follow the required steps in Enabling Semgrep Pro Engine documentation.
This feature is also called dataflow traces; the underlying CLI flag is `--dataflow-traces`.
You can view dataflow traces in:
- The Findings page of Semgrep Code. For more details, see Path of tainted data in Semgrep Code.
- The PR or MR comments created by Semgrep Code running in your CI. To enable this feature, see the following documentation:
- To see dataflow traces in GitHub PR comments, see Dataflow traces in PR comments section.
- To see dataflow traces in GitLab MR comments, see Dataflow traces in MR comments section.
Viewing the path of tainted data in MR comments
To enable dataflow traces in your CI pipeline, fulfill the following prerequisites:
- Enable GitLab merge request Semgrep comments. For more details, see Enabling GitLab merge request comments section.
- To obtain meaningful results of dataflow traces in MR comments, use Semgrep Pro Engine while scanning your repositories to display cross-file (interfile) findings. To enable Semgrep Pro Engine, see Semgrep Pro Engine overview.
- Not all Semgrep rules or rulesets use taint tracking. Ensure that a ruleset containing taint rules, such as the default ruleset, is added to your Policies. If it is not, go to https://semgrep.dev/p/default, and then click Add to Policy. You can add further rules that use taint tracking from the Semgrep Registry.