Skip to main content

Triage and remediate findings

This article shows you how to triage and manage findings identified by Semgrep Code using Semgrep AppSec Platform, including:

  • Fixing the issue detected. This is Semgrep's primary goal. If the rule produces a true positive finding, such as a security issue, developers must change or address the code so that the rule no longer matches it.
  • Removing the rule or code that generated the finding. There are cases where Semgrep scans a file it should ignore or scans the file with an irrelevant rule. You can disable the rule from the Policies page or add the file to the ignore list.
  • Triaging the finding. Deprioritize a finding if it's not useful or important through triage. Triage actions include ignoring and reopening a finding that was previously ignored. Triaging a finding to ignore is one method to handle false positives without changing a rule or your code.

Triage statuses

Triage is the prioritization of a finding based on policies or criteria set by your team or organization, such as severity, coding standards, business goals, and product goals.

Semgrep AppSec Platform uses the logic specified in the table below to automatically mark findings as either fixed or removed when a finding is no longer present in the code. You can also manually ignore findings in Semgrep AppSec Platform directly through triage or bulk triage.

The triage statuses are as follows:

StatusDescription
OpenFindings are open by default. A finding is open if it was present the last time Semgrep scanned the code and has not been ignored. An open finding represents a match between the code and a rule enabled in the repository. Open findings require action, such as rewriting the code to eliminate the detected vulnerability.
ReviewingIndicates that the finding requires investigation to determine what the next steps in the triage process should be.
FixingFindings for which you have decided to fix. Commonly used to indicate that these findings are tracked in Jira or assigned to developers for further work.
FixedFixed findings were detected in a previous scan but are no longer detected in the most recent scan of that same branch due to changes in the code.
IgnoredFindings that are ignored are present in the code but have been labeled as unimportant. Ignore findings that are false positives or deprioritized issues. Mark findings as ignored through Semgrep AppSec Platform or by adding a nosemgrep code comment. You can also provide a reason for why you are ignoring a finding: False positive, Acceptable risk, No time to fix.

Removed findings

Findings can also be removed. Semgrep considers a finding removed if it is not found in the most recent scan of the branch where Semgrep initially detected it due to any of the following conditions:

  • The rule that detected the finding isn't enabled in the policy anymore.
  • The rule that detected the finding was updated such that it no longer detects the finding.
  • The file path where the finding appeared is no longer found. The file path was deleted, renamed, added to a .semgrepignore file, added to a .gitignore file, or added to the list of ignored paths in Semgrep AppSec Platform.
  • For GitHub organization accounts: the PR or MR where the finding was detected has been closed without merging.

Your removed findings do not count toward the fix rate or the number of findings. The removed findings also do not appear in Semgrep AppSec Platform.

Findings triaged across refs

Findings triaged (ignored, reopened) in a specific branch, PR, or MR are also triaged in all other branches, PRs, and MRs of a particular repository. Additionally, if you filter for Git references (refs) on the Findings page, then triage a finding, the finding is also automatically triaged in all other branches, PRs, MRs, and refs.

Manage findings

The following sections show you have to manage your findings by:

  • Fixing the underlying code
  • Disabling a rule or a ruleset
  • Ignoring a finding
  • Reopening a finding

Note that some actions, such as ignoring and reopening findings, require different steps based on whether you have chosen Group by Rule or No Grouping when viewing your results on the Findings page.

Screenshot of Semgrep AppSec Platform triage menu

Fix a finding

To fix a finding, update or refactor the code such that the Semgrep rule pattern no longer matches the code.

Disable a ruleset or a rule

You can disable a specific rule or ruleset to prevent Semgrep Code from using it when scanning your codebase.

info

When you disable a rule, existing findings from that rule remains open until you re-scan your code.

Disable rules using the Policies page

To disable a rule, follow these steps:

  1. On the Policies page, select either:
    • The top Number Matching Rules checkbox to select all rules.
    • Select individual checkboxes next to a rule to disable rules one by one.
  2. Click (Number) Edit, and then click Disabled.

You can also select individual rules under the Mode column and disable them one by one.

To disable a ruleset using the Policies page:

  1. In Semgrep AppSec Platform, click Rules > Policies.
  2. From the Ruleset drop-down box, click the ruleset to remove.
  3. Click the Matching rules.
  4. Click Change modes > Disabled.
Disable a rule using the Findings page while in Group by rule view

Follow these steps to remove a rule in the Group by rule view:

  1. Go to the Semgrep AppSec Platform Findings page.
  2. Next to a finding with status Open, click Details.
  3. Click Open > Disable rule....
  4. Click the Disable from policy checkbox.
  5. Click Ignore.
Disable a rule using the Findings page while in No grouping view

To remove a rule in the No grouping view, perform the following steps:

  1. Go to the Semgrep AppSec Platform Findings page.
  2. Next to a finding with status Open, click Open > Disable rule... > Disable from policy.
  3. Click Ignore.

Ignore findings

One way to handle false positives without changing the rule or your code is to set the finding's triage status to ignore.

Ignore findings in Group by Rule view

To ignore findings in the Group by Rule view:

  1. On the Findings page, click the Status filter, and then select Open status to see all open findings.
  2. Perform one of these steps:
    • To select more findings from the same rule, click the Triage button on the card of the finding.
    • To select individual findings reported by a rule, fill in the checkboxes of the finding, and then click the Triage button on the card of the finding.
  3. Optional: Write a reason to describe why the finding was ignored.
  4. Click Ignore.
Ignore findings in No grouping view

To ignore individual finding in the No grouping view, follow these steps:

  1. On the Semgrep Code Findings page, click the Status filter, and then select the Open status to see all open findings.
  2. Next to a finding you want to ignore, click Open.
  3. Optional: Select Ignore reason. Choose either: False positive, Acceptable risk, No time to fix.
  4. Click Done.

To ignore multiple findings in the No grouping view, follow these steps:

  1. On the Findings page, click the Status filter, and then select Open status to see all open findings.
  2. Perform one of these steps:
    • Select all findings by clicking on the header row checkbox that states Showing X open findings. You can navigate to succeeding pages and add other results to the current selection.
    • Select more findings by clicking on their checkboxes.
  3. Click the Triage button.
  4. Optional: Select a reason of why you are ignoring a finding. Choose one of the following options: False positive, Acceptable risk, No time to fix.
  5. Select Ignored from the dropdown menu.
  6. Click Save.

Reopen findings

You can reopen a finding that you previously marked as ignore at any time.

Reopen findings in Group by Rule view

To reopen findings in the Group by Rule view, follow these steps:

  1. On the Findings page, click the Status filter, and then select the Ignored or Fixed status to see all ignored or fixed findings.
  2. Perform one of these steps:
    • To select more findings from the same rule, click the Triage button on the card of the finding.
    • To select individual findings reported by a rule, fill in the checkboxes for the finding, and then click the Triage button on the finding card.
  3. Optional: Write a reason to describe why the finding was ignored.
  4. Click Reopen.
Reopen findings in No grouping view

To reopen individual findings in the No grouping view, follow these steps:

  1. On the Findings page, click the Status filter, and then select Ignored or Fixed status to see all ignored or fixed findings.
  2. Next to a finding you want to ignore, click the Reopen .
  3. Optional: Add a note.
  4. Click Save.

To reopen multiple findings in the No grouping view, follow these steps:

  1. On the Findings page, click the Status filter, and then select the Ignored or Fixed status to see all ignored or fixed findings.
  2. Perform one of these steps:
    • Select all findings by clicking on the header row checkbox that states Showing X open findings. You can navigate to succeeding pages and add other results to the current selection.
    • Select relevant findings one by one by clicking on their checkboxes.
  3. Click the Triage button.
  4. In the Triage state dropdown menu, select Reopened.
  5. Click Save.

Triage findings through PR and MR comments

Triage your Semgrep AppSec Platform findings displayed as comments in GitHub PRs and GitLab MRs by replying with another comment.

note

This feature is currently in private beta. It expands on the existing ignore-by-PR-comment workflow by supporting additional commands such as adding to Assistant memories and enabling developers to include triage reasons.

Prerequisites

  • A private GitHub Free or Team cloud-hosted repository. This feature is not enabled for public GitHub repositories or GitHub Enterprise public and private repositories.
  • You have completed a Semgrep core deployment.

Enable triage through GitHub PR comments:

To enable triage through comments:

  1. In Semgrep AppSec Platform, go to your organization's Settings page.
  2. Under Code (SAST), click the Triage via code review comments toggle to turn on this feature.

To triage a finding:

  1. Find an open comment created by Semgrep AppSec Platform in your pull request or merge request: Screenshot of Semgrep AppSec Platform comment in GitHub

  2. In a subsequent comment, reply with the action you want to take. If necessary, ensure that you substitute the colored placeholder <REASON> with text to help the reader understand why the finding has been triaged as ignored:

    CommentDescription
    /fp <REASON>Triage a finding as Ignored with the triage reason false positive.
    /ar <REASON>Triage a finding as Ignored with the triage reason acceptable risk.
    /other <REASON>Triage a finding as Ignored without specifying the reason; the triage reason value is set to No triage reason.
    /open <REASON>Reopen a finding that has been triaged as Ignored. The comment is optional.
    /remember <REASON>Add Assistant Memories.

Semgrep is backward compatible with the following commands:

  • /semgrep ignore <REASON> - triage a finding as Ignored.
  • /semgrep open <REASON> - reopen a finding that has been triaged as Ignored.

Triaging a finding as Ignored through a comment in GitHub changes the status of the finding to Ignored in the Semgrep AppSec Platform. However, the GitHub conversation itself is not automatically resolved by this process.

Triage findings in bulk through the Semgrep API

Semgrep provides an API endpoint you can use to triage findings in bulk, either by passing a list of issue_ids or filter query parameters to select findings. You must also specify an issue_type, such as sast or sca, and either new_triage_state or new_note. Refer to Bulk triage API documentation.

Reduce the number of false positive findings

  • One way to address false positives is to improve the rule. Create test cases to ensure that the rule performs as intended.
  • If a rule from Semgrep Registry is useful, but it captures too many false positives, you can reach out to support@semgrep.com. This helps Semgrep's rule-writing efforts and improves the quality of rules that you run.
  • You can report rules with a high false positive rate from your source code manager (SCM) if you enable Semgrep AppSec Platform to leave comments in PRs or MRs. Semgrep AppSec Platform provides a link after each comment for users to indicate if the finding is a false positive.

Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.