
Policies

The Policies page displays a visual representation of the rules that Semgrep Code uses for scanning. Rules can be categorized into various groups, and the Policies page lets you filter and manage them by the criteria described in the following sections.

Policies page structure

Screenshot of the default state of the Policies page

The Policies page consists of a header and two main panes:

Policies header
The top header consists of:
  • Rule Modes button, where you can view the behavior of each rule mode and specify integrations for it. Modes define the actions that occur when a rule detects a finding. The modes that you can edit are Monitor, Comment, and Block. Click Rule Modes, then click the Edit button of a mode to add integrations such as Email, Slack, and Webhook for that mode. When an integration has been added to a mode, you are notified through that integration whenever a rule with the assigned mode detects a finding.
  • Add rules button, which takes you to the Semgrep Registry where you can add rules to the Policies page and assign their initial modes.
Filter pane
Left pane where you can use the following filters to display specific rules:
  • Category
  • Mode
  • Confidence
  • Severities
  • Source
  • Ruleset
  • Language
These filters correspond to the columns of the Rule pane and are explained further in the Rule pane in detail section.
Rule pane
The right pane, titled (Number) Matching Rules, lists the rules that are used in your Semgrep Cloud Platform organization and lets you edit their assigned modes (Monitor, Comment, Block, and Disabled), either one rule at a time or in bulk. You can also search by rule name or ID with the Search for rule names or ids box. The individual columns are explained in the Rule pane in detail section.

Rule pane in detail

This section explains columns in the rule pane of the Policies page in detail:

  • Rule name: Name of the rule that Semgrep Code uses for scanning.
  • Severity: The higher the severity, the more critical the issues that a rule detects. The Policies page displays high, medium, and low severities.
  • Confidence: Indicates how confident the rule is at detecting true positives. There are rules with high, medium, and low confidence; lower-confidence rules are more likely to report false positives.
  • Source: Indicates whether the rule is a Pro, Community, or Custom rule.
    • Pro: Authored by Semgrep, with cross-file (interfile) and cross-function (interprocedural) analysis capabilities that provide enhanced scan accuracy. For more information, see Pro rules documentation.
    • Community: Authored by Semgrep, Inc. or external contributors such as Trail of Bits.
    • Custom: Rules created within your Semgrep organization. For more information, see Private rules documentation.
  • Ruleset: Rules are also organized in rulesets. Rulesets are groups of rules related through a programming language, OWASP category, or framework.
  • Mode: Specifies what happens when a rule detects a finding (also called a match, when a rule matches code). The mode determines how the findings for each rule are reported to you and your developers. The following modes are available:
    • Monitor: Display findings only on the Findings page of Semgrep Code.
    • Comment: Display findings on the Findings page of Semgrep Code and create comments in merge requests (MRs) or pull requests (PRs).
    • Block: Display findings on the Findings page of Semgrep Code, create comments in MRs or PRs, and fail the build to block merging where the finding was detected.
    • Disabled: Disabled rules do not scan your code or detect findings. This is helpful if rules are too noisy and detect many false positives that you would otherwise need to ignore manually.
tip

To change assigned modes, select either the top (Number) Matching Rules checkbox to select all rules, or the individual checkboxes next to the rules you want to change, and then click (Number) Edit. You can also click a single rule's value in the Mode column to change that rule only.

info

All of these columns correspond to the filters in the filter pane.

Adding rules

To add rules, follow these steps:

  1. On the Policies page, click Add Rules.
  2. You are redirected to the Semgrep Registry page. Explore the page, open the cards of individual rules, and then click Add to Policy.
  3. Specify the behavior of the rule that you are adding. Select either:
    • Monitor: Display findings only on the Findings page of Semgrep Code.
    • Comment: Display findings on the Findings page of Semgrep Code and create comments in MRs or PRs.
    • Block: Display findings on the Findings page of Semgrep Code, create comments in MRs or PRs, and block PRs or MRs where the finding was detected.
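To make the mode semantics concrete, the following script simulates how the Mode column routes findings from one pull-request scan (Monitor, Comment, Block, Disabled) and shows a simple way to pick the initial mode asked for in step 3 above from a rule's severity and confidence. This is an added example, not Semgrep's own code: the rule IDs and findings are constructed, and the heuristic in initial_mode is the author's assumption, not a Semgrep default.

```python
"""Added illustration of Semgrep Code rule modes (example code, not Semgrep's)."""
from dataclasses import dataclass, field
from enum import Enum


class Mode(str, Enum):
    MONITOR = "monitor"    # Findings page only
    COMMENT = "comment"    # Findings page + PR/MR comment
    BLOCK = "block"        # Findings page + PR/MR comment + failed build
    DISABLED = "disabled"  # rule does not run at all


@dataclass
class Rule:
    rule_id: str
    severity: str    # "high", "medium" or "low", as in the Severity column
    confidence: str  # "high", "medium" or "low", as in the Confidence column


@dataclass
class Finding:
    rule_id: str
    path: str
    line: int


@dataclass
class ScanOutcome:
    findings_page: list = field(default_factory=list)  # shown on the Findings page
    pr_comments: list = field(default_factory=list)    # posted as PR/MR comments
    blocking: list = field(default_factory=list)       # fail the build, block merge

    @property
    def merge_blocked(self) -> bool:
        return bool(self.blocking)


def initial_mode(rule: Rule) -> Mode:
    """Heuristic for the initial mode chosen when adding a rule (an assumption of
    this example, not a Semgrep default): only rules that are both high severity
    and high confidence start in Block; rules that are high in either start in
    Comment; everything else starts in Monitor until it has been tuned."""
    if rule.severity == "high" and rule.confidence == "high":
        return Mode.BLOCK
    if rule.severity == "high" or rule.confidence == "high":
        return Mode.COMMENT
    return Mode.MONITOR


def apply_policy(findings, policy):
    """Route each finding according to the mode assigned to its rule.
    `policy` maps rule id -> Mode, mirroring the Mode column. Findings whose
    rule is not in the policy are dropped (assumption: a rule that is not on
    the Policies page is not part of the scan)."""
    outcome = ScanOutcome()
    for f in findings:
        mode = policy.get(f.rule_id)
        if mode is None or mode is Mode.DISABLED:
            continue  # disabled rules neither scan nor produce findings
        outcome.findings_page.append(f)  # Monitor, Comment and Block all land here
        if mode in (Mode.COMMENT, Mode.BLOCK):
            outcome.pr_comments.append(f)
        if mode is Mode.BLOCK:
            outcome.blocking.append(f)
    return outcome


# Constructed sample rules; the ids are hypothetical, not registry rule names.
SAMPLE_RULES = [
    Rule("example.sqli-string-concat", "high", "high"),
    Rule("example.exec-with-user-input", "high", "medium"),
    Rule("example.insecure-tmp-file", "medium", "high"),
    Rule("example.open-never-closed", "low", "low"),
    Rule("example.noisy-style-check", "low", "low"),
]

# Constructed sample findings from one pull-request scan.
SAMPLE_FINDINGS = [
    Finding("example.sqli-string-concat", "app/db.py", 42),
    Finding("example.exec-with-user-input", "app/tasks.py", 17),
    Finding("example.open-never-closed", "app/io.py", 8),
    Finding("example.noisy-style-check", "app/io.py", 9),
    Finding("example.noisy-style-check", "app/util.py", 3),
]


def build_sample_policy():
    """Assign initial modes, then disable the noisy rule as in 'Disabling rules'."""
    policy = {r.rule_id: initial_mode(r) for r in SAMPLE_RULES}
    policy["example.noisy-style-check"] = Mode.DISABLED
    return policy


def run_sample():
    return apply_policy(SAMPLE_FINDINGS, build_sample_policy())


if __name__ == "__main__":
    out = run_sample()
    print(f"{len(out.findings_page)} on Findings page, {len(out.pr_comments)} "
          f"PR comments, merge blocked: {out.merge_blocked}")
```

With the constructed data, three findings reach the Findings page, two of them also become PR comments, and the single Block finding fails the build; the two findings from the disabled rule never appear anywhere, which is the point of Disabled over ignoring noisy results by hand.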

Disabling rules

To disable a rule, follow these steps:

  1. On the Policies page, select either:
    • The top (Number) Matching Rules checkbox to select all rules.
    • The individual checkboxes next to rules to disable them one by one.
  2. Click (Number) Edit, and then click Disabled.

You can also select individual rules under the Mode column and disable them one by one.

