
Triage and remediate Semgrep Code findings in Semgrep AppSec Platform

This article shows you how to triage and manage findings identified by Semgrep Code using Semgrep AppSec Platform, including:

  • Fixing the issue detected. This is Semgrep's primary goal. If the rule produces a true positive finding, such as a security issue, developers must change or address the code so that the rule no longer matches it.
  • Removing the rule or code that generated the finding. There are cases where Semgrep scans a file it should ignore or scans the file with an irrelevant rule. You can disable the rule from the Policies page or add the file to the ignore list.
  • Triaging the finding. Deprioritize a finding if it's not useful or important through triage. Triage actions include ignoring and reopening a finding that was previously ignored. Triaging a finding to ignore is one method to handle false positives without changing a rule or your code.

Triage statuses

Triage is the prioritization of a finding based on policies or criteria set by your team or organization, such as severity, coding standards, business goals, and product goals.

Semgrep AppSec Platform uses the logic specified in the table below to automatically mark findings as either fixed or removed when a finding is no longer present in the code. You can also manually ignore findings in Semgrep AppSec Platform directly through triage or bulk triage.

The triage statuses are as follows:

Status | Description
Open | Findings are open by default. A finding is open if it was present the last time Semgrep scanned the code and has not been ignored. An open finding represents a match between the code and a rule enabled in the repository. Open findings require action, such as rewriting the code to eliminate the detected vulnerability.
Ignored | Findings that are ignored are present in the code but have been labeled as unimportant. Ignore findings that are false positives or deprioritized issues. Mark findings as ignored through Semgrep AppSec Platform or by adding a nosemgrep code comment.
Fixed | Fixed findings were detected in a previous scan but are no longer detected in the most recent scan of that same branch due to changes in the code.

Remove findings

You can remove findings. Semgrep considers a finding removed if it is not found in the most recent scan of the branch where Semgrep initially detected it due to any of the following conditions:

  • The rule that detected the finding isn't enabled in the policy anymore.
  • The rule that detected the finding was updated such that it no longer detects the finding.
  • The file path where the finding appeared is no longer found. The file path was deleted, renamed, added to a .semgrepignore file, added to a .gitignore file, or added to the list of ignored paths in Semgrep AppSec Platform.
  • For GitHub organization accounts: the PR or MR where the finding was detected has been closed without merging.

Your removed findings do not count toward the fix rate or the number of findings. The removed findings also do not appear in Semgrep AppSec Platform.

Findings triaged across refs

Findings triaged (ignored, reopened) in a specific branch, PR, or MR are also triaged in all other branches, PRs, and MRs of a particular repository. Additionally, if you filter for Git references (refs) on the Findings page, then triage a finding, the finding is also automatically triaged in all other branches, PRs, MRs, and refs.

Manage findings

The following sections show you how to manage your findings by:

  • Fixing the underlying code
  • Disabling a rule or a ruleset
  • Ignoring a finding
  • Reopening a finding

Note that some actions, such as ignoring and reopening findings, require different steps based on whether you have chosen Group by Rule or No Grouping when viewing your results on the Findings page.

Screenshot of Semgrep AppSec Platform triage menu

Fix a finding

To fix a finding, update or refactor the code such that the Semgrep rule pattern no longer matches the code.

Disable a ruleset or a rule

You can disable a specific rule or ruleset to prevent Semgrep Code from using it when scanning your codebase.

info

When you disable a rule, existing findings from that rule remain open until you re-scan your code.

Disable a ruleset using the Policies page

To disable a ruleset using the Policies page:

  1. In Semgrep AppSec Platform, click Rules > Policies.
  2. From the Ruleset drop-down box, click the ruleset to remove.
  3. Click the Matching rules.
  4. Click Change modes > Disabled.

Disable a rule using the Findings page while in Group by rule view

Follow these steps to remove a rule in the Group by rule view:

  1. Go to the Semgrep AppSec Platform Findings page.
  2. Next to a finding with status Open, click Details.
  3. Click Open > Disable rule....
  4. Click the Disable from policy checkbox.
  5. Click Ignore.

Disable a rule using the Findings page while in No grouping view

To remove a rule in the No grouping view, perform the following steps:

  1. Go to the Semgrep AppSec Platform Findings page.
  2. Next to a finding with status Open, click Open > Disable rule... > Disable from policy.
  3. Click Ignore.

Ignore findings

One way to handle false positives without changing the rule or your code is to set the finding's triage status to ignore.

Ignore findings in Group by Rule view

To ignore findings in the Group by Rule view:

  1. On the Findings page, click the Status filter, and then select Open status to see all open findings.
  2. Perform one of these steps:
    • To select more findings from the same rule, click the Triage button on the card of the finding.
    • To select individual findings reported by a rule, fill in the checkboxes of the finding, and then click the Triage button on the card of the finding.
  3. Optional: Write a reason to describe why the finding was ignored.
  4. Click Ignore.

Ignore findings in No grouping view

To ignore an individual finding in the No grouping view, follow these steps:

  1. On the Semgrep Code Findings page, click the Status filter, and then select the Open status to see all open findings.
  2. Next to a finding you want to ignore, click Open.
  3. Optional: Select an Ignore reason. Choose one of: False positive, Acceptable risk, No time to fix.
  4. Click Done.

To ignore multiple findings in the No grouping view, follow these steps:

  1. On the Findings page, click the Status filter, and then select Open status to see all open findings.
  2. Perform one of these steps:
    • Select all findings by clicking on the header row checkbox that states Showing X open findings. You can navigate to succeeding pages and add other results to the current selection.
    • Select more findings by clicking on their checkboxes.
  3. Click the Triage button.
  4. Optional: Select a reason why you are ignoring the finding. Choose one of: False positive, Acceptable risk, No time to fix.
  5. Select Ignored from the dropdown menu.
  6. Click Save.

Reopen findings

You can reopen a finding that you previously marked as ignored at any time.

Reopen findings in Group by Rule view

To reopen findings in the Group by Rule view, follow these steps:

  1. On the Findings page, click the Status filter, and then select the Ignored or Fixed status to see all ignored or fixed findings.
  2. Perform one of these steps:
    • To select more findings from the same rule, click the Triage button on the card of the finding.
    • To select individual findings reported by a rule, fill in the checkboxes for the finding, and then click the Triage button on the finding card.
  3. Optional: Write a reason to describe why the finding was ignored.
  4. Click Reopen.

Reopen findings in No grouping view

To reopen individual findings in the No grouping view, follow these steps:

  1. On the Findings page, click the Status filter, and then select Ignored or Fixed status to see all ignored or fixed findings.
  2. Next to a finding you want to reopen, click Reopen.
  3. Optional: Add a note.
  4. Click Save.

To reopen multiple findings in the No grouping view, follow these steps:

  1. On the Findings page, click the Status filter, and then select the Ignored or Fixed status to see all ignored or fixed findings.
  2. Perform one of these steps:
    • Select all findings by clicking on the header row checkbox that states Showing X open findings. You can navigate to succeeding pages and add other results to the current selection.
    • Select relevant findings one by one by clicking on their checkboxes.
  3. Click the Triage button.
  4. In the Triage state dropdown menu, select Reopened.
  5. Click Save.

Ignore findings through GitHub PR comments

Triage your Semgrep AppSec Platform findings displayed as comments in GitHub PRs by replying with another comment.

Prerequisites
  • A private GitHub.com repository. This feature is not enabled for public GitHub.com repositories or GitHub Enterprise public and private repositories.
  • You have completed a Semgrep core deployment.

To enable triage through comments:

  1. In Semgrep AppSec Platform, go to your organization's Settings page.
  2. Enable the Triage via comment toggle.

To triage a finding in GitHub:

  1. Find an open comment created by Semgrep AppSec Platform in a GitHub PR.
     Screenshot of Semgrep AppSec Platform comment in GitHub

  2. In a subsequent comment, reply with:

    /semgrep ignore <reason>

    Substitute the placeholder <reason> with text that helps the reader understand why the finding is being ignored. Alternatively, you can reopen a finding that was previously ignored:

    /semgrep open <reason>

Ignoring a finding through a comment in GitHub changes the status of the finding to ignored in the Semgrep AppSec Platform. The GitHub conversation itself is not automatically resolved by this process.

tip

You can also reopen a finding that was previously ignored. To do so, in step 2 of the preceding procedure, use /semgrep open. For /semgrep open the reason field is optional.

Reduce the number of false positive findings

  • One way to address false positives is to improve the rule. Create test cases to ensure that the rule performs as intended.
  • If a rule from Semgrep Registry is useful, but it captures too many false positives, you can reach out to support@semgrep.dev. This helps Semgrep's rule-writing efforts and improves the quality of rules that you run.
  • You can report rules with a high false positive rate from your source code manager (SCM) if you enable Semgrep AppSec Platform to leave comments in PRs or MRs. Semgrep AppSec Platform provides a link after each comment for users to indicate if the finding is a false positive.
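The two inline conventions this article relies on, the nosemgrep comment used to ignore a finding in code (see the Ignored status above) and the ruleid/ok test annotations used to check that an improved rule performs as intended (first bullet in this list), are modelled below in a small self-contained checker. This is an added example, not Semgrep's own code: the real behaviour lives in the scanner and in semgrep --test. The rule id example-shell-true, the annotated test file and the raw match list are constructed for the example; the checker assumes a nosemgrep comment applies to the matching line or the line directly above it and that annotations apply to the line after them, and it only understands # comments.

```python
"""Added example (not Semgrep's code): model nosemgrep suppression and
ruleid/ok test annotations to see how a rule's test cases are judged."""
import re
from typing import Dict, List, Set

# Constructed test target. Convention: "# ruleid: <id>" marks the next line as
# an expected match for that rule, "# ok: <id>" marks the next line as expected
# not to match. Rule id and code are invented for this example.
SAMPLE_TEST_FILE = """\
import subprocess

# ruleid: example-shell-true
subprocess.run(cmd, shell=True)

# ok: example-shell-true
subprocess.run(["ls", "-l"])

subprocess.call(cmd, shell=True)  # nosemgrep: example-shell-true

# nosemgrep
subprocess.Popen(cmd, shell=True)
"""

# Constructed raw matches, shaped as {rule_id: [1-based line numbers]}, as if
# taken from a scan with nosemgrep comments not yet applied.
SAMPLE_RAW_MATCHES = {"example-shell-true": [4, 9, 12]}

ANNOTATION = re.compile(r"#\s*(ruleid|ok):\s*(\S+)")
NOSEM = re.compile(r"#\s*nosemgrep(?::\s*([\w.,-]+))?")


def expected_matches(source: str) -> Dict[str, Dict[str, Set[int]]]:
    """Read ruleid/ok annotations; each applies to the line right after it."""
    expected: Dict[str, Dict[str, Set[int]]] = {}
    for idx, line in enumerate(source.splitlines(), start=1):
        m = ANNOTATION.search(line)
        if not m:
            continue
        kind, rule_ids = m.groups()
        for rule_id in rule_ids.split(","):
            bucket = expected.setdefault(rule_id, {"ruleid": set(), "ok": set()})
            bucket[kind].add(idx + 1)
    return expected


def is_suppressed(lines: List[str], line_no: int, rule_id: str) -> bool:
    """A bare nosemgrep comment on the match line or the line above suppresses
    every rule; "nosemgrep: a,b" suppresses only the listed rule ids."""
    candidates = [lines[line_no - 1]]
    if line_no >= 2:
        candidates.append(lines[line_no - 2])
    for text in candidates:
        m = NOSEM.search(text)
        if not m:
            continue
        if m.group(1) is None:
            return True
        if rule_id in [r.strip() for r in m.group(1).split(",")]:
            return True
    return False


def apply_nosemgrep(source: str, raw: Dict[str, List[int]]) -> Dict[str, List[int]]:
    """Drop raw matches that a nosemgrep comment ignores."""
    lines = source.splitlines()
    return {
        rule_id: sorted(n for n in line_nos if not is_suppressed(lines, n, rule_id))
        for rule_id, line_nos in raw.items()
    }


def check_rule_tests(source: str, raw: Dict[str, List[int]]) -> Dict[str, Dict[str, List[int]]]:
    """Compare surviving matches with the annotations, the way a rule test does.
    Returns {rule_id: {"missed": [...], "unexpected": [...]}}; empty lists pass."""
    reported = apply_nosemgrep(source, raw)
    expected = expected_matches(source)
    report = {}
    for rule_id in set(expected) | set(reported):
        exp = expected.get(rule_id, {"ruleid": set(), "ok": set()})
        got = set(reported.get(rule_id, []))
        report[rule_id] = {
            "missed": sorted(exp["ruleid"] - got),        # ruleid lines not matched
            "unexpected": sorted(got - exp["ruleid"]),    # matches the test did not ask for
        }
    return report


if __name__ == "__main__":
    print(check_rule_tests(SAMPLE_TEST_FILE, SAMPLE_RAW_MATCHES))
```

With the constructed matches the rule passes its test: line 4 is expected, line 9 is ignored by the rule-specific nosemgrep comment, and line 12 by the bare one. Swapping the raw matches for a set that hits the ok line and misses the ruleid line makes the report list both mismatches, which is the signal to keep refining the rule before relying on triage to hide its false positives.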