
AI-powered detection (beta): concepts and FAQs

This document provides additional context for Semgrep’s AI-powered detection. It covers what kinds of issues the feature is designed to uncover, known limitations during the beta period, and practical considerations such as scan quotas and data privacy.

If you’re looking for step-by-step instructions on enabling and running an AI-powered scan, see Scan with AI-powered detection.

Detection and scope FAQs

Q: What are business logic flaws? What can AI-powered detection uncover right now?

A: A business logic flaw is a weakness in an application's design or workflow that lets an attacker misuse its legitimate features, rather than a defect in any single line of code. Semgrep's AI-powered detection currently focuses on authorization flow gaps that fall outside standard vulnerability categories:

  • IDOR and ownership gaps: reading or modifying another user's resource because the ownership or tenant check is missing, performed in the wrong place, or enforced only on the client.
  • Order and sequence mistakes: a state change, check, or token invalidation that runs after the sensitive read or write it should have guarded, or an action permitted in the wrong state.
  • Workflow abuse (OWASP logic manipulation): skipping or repeating required steps, such as shipping before checkout or refunding an order that was never paid for.
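The three classes above, each as a vulnerable handler beside its hardened form, as an added example that is not Semgrep's code or any project's code. It is deliberately framework-free: request handlers are plain functions over in-memory dicts so it runs offline, and all users, ids, tokens, the order workflow and the helper names are constructed for illustration. It also shows why the ownership check in case 1 is hard to match with a generic rule: it is ordinary application code, not a recognizable API call.

```python
import copy


class Forbidden(Exception):
    """The request is denied; a correct handler makes no change when raising it."""


# Constructed sample state standing in for the application's database.
BASE_STATE = {
    "invoices": {1: {"owner": "alice", "total": 120},
                 2: {"owner": "bob", "total": 75}},
    "users": {"alice": {"password": "old-pw"}, "bob": {"password": "old-pw"}},
    # password-reset token -> account it unlocks and expiry (arbitrary clock units)
    "reset_tokens": {"tok-1": {"user": "alice", "expires": 100}},
    "orders": {"o-1": {"owner": "bob", "state": "created", "refunds": 0}},
}


def fresh_state():
    """Each scenario starts from its own copy of the sample data."""
    return copy.deepcopy(BASE_STATE)


def raises_forbidden(handler, *args, **kwargs):
    """True if the handler rejects the request with Forbidden."""
    try:
        handler(*args, **kwargs)
    except Forbidden:
        return True
    return False


# 1. IDOR / ownership gap: the resource is looked up by id, the owner is never compared.
def get_invoice_vuln(db, current_user, invoice_id):
    return db["invoices"][invoice_id]          # any logged-in user, any invoice


def get_invoice_fixed(db, current_user, invoice_id):
    inv = db["invoices"].get(invoice_id)
    # Server-side ownership check right next to the lookup. One error for
    # "missing" and "not yours" avoids confirming which ids exist.
    if inv is None or inv["owner"] != current_user:
        raise Forbidden("invoice not found")
    return inv


# 2. Order/sequence mistake: the expiry check runs after the sensitive write.
def reset_password_vuln(db, token, new_password, now):
    rec = db["reset_tokens"].get(token)
    if rec is None:
        raise Forbidden("unknown token")
    db["users"][rec["user"]]["password"] = new_password   # write lands first
    if rec["expires"] < now:                               # checked too late:
        raise Forbidden("token expired")                   # the write persists
    del db["reset_tokens"][token]


def reset_password_fixed(db, token, new_password, now):
    # Validate and consume the token before touching the account, so an
    # expired token changes nothing and a valid one works exactly once.
    rec = db["reset_tokens"].get(token)
    if rec is None or rec["expires"] < now:
        raise Forbidden("bad or expired token")
    del db["reset_tokens"][token]
    db["users"][rec["user"]]["password"] = new_password


# 3. Workflow abuse: steps skipped (ship before pay) or repeated (double refund).
NEXT_STATE = {"pay": "paid", "ship": "shipped", "refund": "refunded"}

# Legal transitions of the constructed order workflow: action -> {from_state: to_state}.
TRANSITIONS = {
    "pay": {"created": "paid"},
    "ship": {"paid": "shipped"},
    "refund": {"paid": "refunded", "shipped": "refunded"},
}


def order_action_vuln(db, order_id, action):
    order = db["orders"][order_id]
    if action == "refund":
        order["refunds"] += 1                   # credits money in any state, any number of times
    order["state"] = NEXT_STATE[action]         # current state is never checked
    return order["state"]


def order_action_fixed(db, order_id, action):
    order = db["orders"][order_id]
    nxt = TRANSITIONS[action].get(order["state"])
    if nxt is None:
        raise Forbidden(f"{action} not allowed in state {order['state']}")
    order["state"] = nxt                        # transition first, side effect second
    if action == "refund":
        order["refunds"] += 1
    return nxt


if __name__ == "__main__":
    db = fresh_state()
    print("bob reads alice's invoice:", get_invoice_vuln(db, "bob", 1))
    print("ship an unpaid order:", order_action_vuln(db, "o-1", "ship"))
```

Running the module shows the two cheapest abuses (cross-tenant read, ship-before-pay); the reset-token case is the subtler one, because the vulnerable handler does raise an error, yet the password has already been changed by the time it does.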

Q: Can Semgrep find IDORs and other business logic bugs without AI Detection?

A: Traditional Semgrep SAST can be configured to catch IDORs. However, such a rule has to encode how the application in question identifies the current user, loads resources, and enforces ownership, so it is hard to write generic rules that catch IDORs across all applications. With Semgrep's AI-powered detection, it is possible to find IDORs and other business logic bugs without extensive custom rule development.

Q: Are AI-powered detection findings deterministic?

A: No. AI scans are inherently non-deterministic, so two scans of the same code can differ in what they report. Semgrep's engine is designed to reduce this variance, but review and evaluate scan results carefully, and do not treat a finding's absence from a single scan as proof that the issue is gone.

Setup, quotas, and integrations FAQs

Q: Which source code managers does AI-powered detection support?

A: AI-powered detection builds on Semgrep's existing source code manager integrations, such as GitHub, GitLab, and Bitbucket. Specific integration details are being refined during the beta.

Q: Do customers need to change their existing Semgrep setup?

A: Customers need to have Semgrep Assistant turned on and Managed Scans enabled. See AI-detection prerequisites.

Q: How many scans can I trigger?

A: Each full AI-powered scan counts as one scan toward your quota. Paying customers can trigger 30 scans per month. Contact your Semgrep account manager or Semgrep support to discuss increasing your quota.

Q: Can I use a different AI provider?

A: Yes. You can choose between OpenAI, Anthropic, and Amazon Bedrock keys.

Q: How are AI findings assigned a severity level?

A: Currently, all AI findings are assigned the same severity, high, and carry no other attributes such as confidence. This may change as the feature matures.

Q: How does Semgrep handle data privacy for AI-powered detection?

A: Semgrep Code’s AI-powered detection follows the same data privacy policy as Semgrep Assistant, with a few documented exceptions. See Privacy and legal considerations for Semgrep Assistant for details.

Known bugs and limitations

This feature is in beta. Here are some known issues:

Scan limitations:

  • Only full scans are supported. Diff-aware scanning is currently in development.

Findings limitations:

  • AI findings are not included in the Reporting/Dashboard.
  • Jira integration doesn’t work for AI findings.
  • Custom rules are not supported for AI-powered detection.

Troubleshooting and disclaimers

For help with AI-powered detection, contact your organization’s Semgrep account manager or Semgrep support.

Beta program notice:

  • No formal uptime guarantees; service is best-effort during beta.
  • Features, performance, and APIs may change without notice. Planned maintenance will be communicated in advance when possible.
  • Any stated Service Level Objective (SLO) is not a commercial Service Level Agreement (SLA) and may be revised as the product evolves.

Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.