Alerts and notifications
Receive notifications in channels such as Slack and email through Semgrep Cloud Platform. This document walks through the setup procedures for each channel and explains Semgrep's notification deduplication behavior, so that the alerts you receive in your preferred channels are high-signal rather than repetitive.
Semgrep Cloud Platform can send notifications through the following channels:
|Channel|Tier|
|---|---|
|GitHub pull request (PR) comments|Team & Enterprise|
|GitLab merge request (MR) comments|Team & Enterprise|
|Bitbucket PR comments|Team & Enterprise|
|Slack|Team & Enterprise|
|Email|Team & Enterprise|
|Webhooks|Team & Enterprise|
Finding available alert and notification channels
To find available integrations for Semgrep Cloud Platform, follow these steps:
- Sign in to your Semgrep Cloud Platform account.
- Click Settings.
- Click Integrations.
- Click Add Integration (or Setup First Integration if this is your first integration).
Managing alerts and notifications
To view, add, remove, disable, or enable your saved channels:
- In the Settings > Integrations page, explore the options available for specific integrations.
- In the Policies page, click Rule modes. A menu appears.
- Click the Edit button of the rule mode whose notifications you want to change.
- Make any changes to the notification settings for the mode you selected.
Autofix is a Semgrep feature in which rules contain suggested fixes to resolve findings. Either metavariables or regex matches are replaced with a potential fix. Due to their complexity, not all rules make use of autofix, but for rules that use this feature, autofix allows you to quickly resolve findings as part of your code review workflow. Semgrep Code can suggest these fixes through PR or MR comments within GitHub or GitLab, thus integrating seamlessly with your review environment.
Autofix is free to use for all tiers.
In the following screenshot, Semgrep detects the use of a native Python XML library, which is vulnerable to XML external entity (XXE) attacks. The PR comment automatically suggests a fix by replacing `import xml` with
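The following rule file is an added example, not part of this page and not a rule from the Semgrep registry; the rule ids and messages are illustrative. It shows the two fix mechanisms the paragraph above describes: the first rule substitutes a bound metavariable into a `fix:` template, the second rewrites the matched text with `fix-regex`. Both target the same XXE-prone `xml.etree.ElementTree` usage as the screenshot and steer the code toward the `defusedxml` drop-in replacement.

```yaml
rules:
  # Fix via metavariable substitution: $DATA binds to whatever argument the
  # call site passes, and the fix template reuses that binding so the
  # suggested replacement keeps the caller's argument intact.
  - id: example-xml-fromstring-use-defusedxml   # hypothetical rule id
    languages: [python]
    severity: WARNING
    message: >-
      xml.etree.ElementTree.fromstring parses untrusted XML without XXE
      protection. Use the defusedxml drop-in replacement.
    pattern: xml.etree.ElementTree.fromstring($DATA)
    fix: defusedxml.ElementTree.fromstring($DATA)

  # Fix via regex over the matched text: the pattern matches the import
  # statement (including aliased forms such as `import ... as ET`), and
  # fix-regex rewrites only the module path inside that match.
  - id: example-import-defusedxml   # hypothetical rule id
    languages: [python]
    severity: WARNING
    message: >-
      Importing xml.etree.ElementTree exposes the parser to XXE. Import
      defusedxml.ElementTree instead.
    pattern: import xml.etree.ElementTree
    fix-regex:
      regex: 'xml\.etree\.ElementTree'
      replacement: 'defusedxml.ElementTree'
```

To preview what Semgrep Cloud Platform would post as a PR or MR suggestion, run the rule locally against a checkout with `semgrep --config rule.yaml --autofix --dryrun`, which prints the rewritten lines without modifying files; drop `--dryrun` to apply them.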
Enabling autofix for GitHub or GitLab
To enable autofix for all projects in your Semgrep Cloud Platform organization, follow these steps:
- In Semgrep Cloud Platform, click Settings on the left sidebar.
- Click Autofix toggle.
All scans performed after enabling autofix generate inline PR or MR comments with code suggestions for applicable rules.
Creating Jira tickets from Findings page has been deprecated. This feature may be reenabled in the future.
Jira integration is a feature available in Semgrep's Team tier and above.
This integration allows you to create Jira tickets directly from the Findings page with relevant information about a particular finding.
To set up Jira integration:
- Sign in to your Semgrep Cloud Platform account, and then go to Settings > Integrations.
- On the Integrations page, click Add Integration (or Setup First Integration if this is your first integration), and then select Jira.
- Enter a Name of the integration.
- Enter the email address used for the Atlassian account.
- Enter your Atlassian domain URL.
- Enter your Project key. This is the prefix for tasks created within a project. Semgrep creates issues in the project identified here.
- Enter the Issue type. This is the type of issue for Semgrep findings, for example, Bug.
- Enter the API Token.
- Click Save.
Notification and alert de-duplication
Notifications are sent only the first time a given finding is detected.
Because of Semgrep CI's diff-awareness, you will not be notified when a pull request has a finding that existed on the base branch already, even if that line is moved or re-indented.
Semgrep Cloud Platform also keeps track of notifications that have already been sent, so consecutive scans of the same changes in the same pull request won't send duplicate notifications.