- Semgrep Cloud Platform
- Team & Enterprise Tier
Alerts and notifications
Receive notifications in various channels, such as Slack and email, through Semgrep Cloud Platform. This document guides you through setup procedures and Semgrep's deduplication behavior. This ensures that you receive high-signal notifications and alerts in your preferred channels.
Semgrep Cloud Platform can send notifications through the following channels:
| Tool | Tier availability |
|---|---|
| Slack | Team & Enterprise |
| Team & Enterprise | |
| Webhooks | Team & Enterprise |
Finding available alert and notification channels
To find available integrations for Semgrep Cloud Platform, follow these steps:
- Sign in to your Semgrep Cloud Platform account.
- Click Settings.
- Click Integrations.
- Click Add Integration (or Setup First Integration if this is your first integration).
Managing alerts and notifications
To view, add, remove, disable, or enable your saved channels:
- In the Settings > Integrations page, explore the options available for specific integrations.
- In the Policies page, click Rule modes. A menu appears.
- Click the Edit button of the mode for which mode you want to change notifications.
- Make any changes to the notification settings for the mode you selected.
Semgrep Autofix
Autofix is a Semgrep feature in which rules contain suggested fixes to resolve findings. Either metavariables or regex matches are replaced with a potential fix. Due to their complexity, not all rules make use of autofix, but for rules that use this feature, autofix allows you to quickly resolve findings as part of your code review workflow. Semgrep Code can suggest these fixes through PR or MR comments within GitHub or GitLab, thus integrating seamlessly with your review environment.
Autofix is free to use for all tiers.
In the following screenshot, Semgrep detects the use of a native Python XML library, which is vulnerable to XML external entity (XXE) attacks. The PR comment automatically suggests a fix by replacing import xml to import defusedxml.
Enabling autofix for GitHub or GitLab
Autofix requires PR or MR comments to be enabled for your repository or organization. Follow the steps in GitHub pull request comments or GitLab merge request comments to enable this feature.
To enable autofix for all projects in your Semgrep Cloud Platform organization, follow these steps:
- In Semgrep Cloud Platform, click Settings on the left sidebar.
- Click Autofix toggle.
All scans performed after enabling autofix generate inline PR or MR comments with code suggestions for applicable rules.
Notification and alert de-duplication
Notifications are sent only the first time a given finding is detected.
Because of Semgrep CI's diff-awareness, you will not be notified when a pull request has a finding that existed on the base branch already, even if that line is moved or re-indented.
Semgrep Cloud Platform also keeps track of notifications that have already been sent, so consecutive scans of the same changes in the same pull request won't send duplicate notifications.
Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.