Skip to main content
  • Semgrep Cloud Platform
  • Community Tier
  • Team & Enterprise Tier

Alerts and notifications

Receive notifications in various channels, such as Slack and email, through Semgrep Cloud Platform. This document guides you through setup procedures and Semgrep's deduplication behavior. This ensures that you receive high-signal notifications and alerts in your preferred channels.

Semgrep Cloud Platform can send notifications through the following channels:

ToolTier availability
GitHub pull request (PR) commentsCommunity (Free)
GitLab merge request (MR) commentsCommunity (Free)
Bitbucket PR commentsCommunity (Free)
SlackCommunity (Free)
EmailCommunity (Free)
WebhooksTeam/Enterprise
info

Finding available alert and notification channels

To find available integrations for Semgrep Cloud Platform, follow these steps:

  1. Sign in to your Semgrep Cloud Platform account.
  2. Click Settings.
  3. Click Integrations. Screenshot of Semgrep's "Create New Integration Channel" menu
  4. Click Add Integration (or Setup First Integration if this is your first integration). Screenshot of Integrations page while adding the first integration.

Managing alerts and notifications

To view, add, remove, disable, or enable your saved channels:

  1. In the Settings > Integrations page, explore the options available for specific integration.
  2. In the Rule board, click the gear icon to enable or disable an integration. Screenshot of Semgrep's Rule board integration modal

Semgrep Autofix

Autofix is a Semgrep feature in which rules contain suggested fixes to resolve findings. Either metavariables or regex matches are replaced with a potential fix. Due to their complexity, not all rules make use of autofix, but for rules that use this feature, autofix allows you to quickly resolve findings as part of your code review workflow. Semgrep Code can suggest these fixes through PR or MR comments within GitHub or GitLab, thus integrating seamlessly with your review environment.

Autofix is free to use for all tiers.

In the following screenshot, Semgrep detects the use of a native Python XML library, which is vulnerable to XML external entity (XXE) attacks. The PR comment automatically suggests a fix by replacing import xml to import defusedxml.

Screenshot of a sample autofix PR suggestion

Enabling autofix for GitHub or GitLab

Autofix requires PR or MR comments to be enabled for your repository or organization. Follow the steps in GitHub pull request comments or GitLab merge request comments to enable this feature.

To enable autofix for all projects in your Semgrep Cloud Platform organization, follow these steps:

  1. In Semgrep Cloud Platform, click Settings on the left sidebar.
  2. Click Autofix toggle.

All scans performed after enabling autofix generate inline PR or MR comments with code suggestions for applicable rules.

Jira

Deprecation notice

Creating Jira tickets from Findings page has been deprecated. This feature may be reenabled in the future.

Jira integration is a feature available in Semgrep's Team tier and above.

This integration allows you to create Jira tickets directly from the Findings page with relevant information about a particular finding.

To set up Jira integration:

  1. Sign in to your Semgrep Cloud Platform account, and then go to Settings > Integrations..
    1. On the Integrations page, click Add Integration (or Setup First Integration if this is your first integration), and then select Jira.
  3. Enter a Name of the integration.
  4. Enter the email address used for the Atlassian account.
  5. Enter your Atlassian domain URL.
  6. Enter your Project key. This is the prefix for tasks created within a project. Semgrep creates issues to the project identified here.
  7. Enter the Issue type. This is the type of issue for Semgrep findings, for example, Bug.
  8. Enter the API Token.
    • Generate the API token by following instructions in the Create an API token section in the following documentation: Manage API Tokens.
    • Find existing API tokens in the API Tokens page.
  9. Click Save.

Notification and alert de-duplication

Notifications are sent only the first time a given finding is detected.

Because of Semgrep CI's diff-awareness, you will not be notified when a pull request has a finding that existed on the base branch already, even if that line is moved or re-indented.

Semgrep Cloud Platform also keeps track of notifications that have already been sent, so consecutive scans of the same changes in the same pull request won't send duplicate notifications.

Find what you needed in this doc? Join the Semgrep Community Slack group to ask the maintainers and the community if you need help.