Enable Semgrep Multimodal
This article walks you through enabling Semgrep Multimodal for your deployment.
Prerequisites:
- You have completed a Semgrep core deployment.
- You have set rules to Comment or Block mode in your Policies page.
The required permissions differ by source code manager. Follow the section for yours:
- Azure DevOps Cloud
- Bitbucket Cloud
- GitHub
- GitLab
Azure DevOps Cloud
Semgrep Multimodal extends standard Semgrep capabilities by providing contextually aware AI-generated suggestions. Building that context requires Azure DevOps permissions, specifically code access granted through an access token you generate through Azure DevOps. Ensure that the token has the following scopes:
- Code: Read & write
- Pull Request Threads: Read & write
You can provide this token to Semgrep by adding Azure DevOps as a source code manager.
Semgrep recommends using a service account, not a personal account, to generate the personal access token provided to Semgrep. Regardless of whether you use a personal or service account, the account must be assigned the Owner or Project Collection Administrator role for the organization.
Enable Multimodal
- Sign in to Semgrep AppSec Platform.
- Go to Settings > Global, and click the Semgrep Multimodal toggle to enable.
- The Set up Semgrep Multimodal dialog appears. Click Accept & Enable Semgrep Multimodal to proceed.
- Once you've enabled Semgrep Multimodal, you can change the AI provider used and enable additional features, including:
- Weekly priority emails: Enable weekly emails to all organization admins with information on the top three backlog tasks across all findings.
- Noise filter for Code PR/MR comments: Enable the filtering of findings flagged as false positives. You can choose to suppress any PR or MR comments Semgrep might push, or you can choose to show developers information regarding false positives using PR or MR comments.
- Suggested fix: Enable Multimodal-generated autofix suggestions in comments from Multimodal. You can also set the minimum confidence level for Multimodal-written fixes if the Semgrep rule doesn't include a human-written autofix.
- Upgrade Guidance & Autofix: Enable analysis of dependency upgrades for breaking changes. Semgrep displays safe-to-upgrade and breaking-change indicators on Supply Chain findings when enabled.
Bitbucket Cloud
Semgrep Multimodal extends standard Semgrep capabilities by providing contextually aware AI-generated suggestions. Building that context requires Bitbucket permissions, specifically code access granted through an access token you generate through Bitbucket. Your token must be a Workspace Access Token, which is available to users with a Bitbucket Cloud Premium plan or higher. The token must have the following scopes:
- Projects: Read
- Repositories: Read
- Pull requests: Read & Write
- Webhooks: Read and write
You can provide this token to Semgrep by adding Bitbucket as a source code manager.
Enable Multimodal
- Sign in to Semgrep AppSec Platform.
- Go to Settings > Global, and click the Semgrep Multimodal toggle to enable.
- The Set up Semgrep Multimodal dialog appears. Click Accept & Enable Semgrep Multimodal to proceed.
- Once you've enabled Semgrep Multimodal, you can change the AI provider used and enable additional features, including:
- Weekly priority emails: Enable weekly emails to all organization admins with information on the top three backlog tasks across all findings.
- Noise filter for Code PR/MR comments: Enable the filtering of findings flagged as false positives. You can choose to suppress any PR or MR comments Semgrep might push, or you can choose to show developers information regarding false positives using PR or MR comments.
- Suggested fix: Enable Multimodal-generated autofix suggestions in comments from Multimodal. You can also set the minimum confidence level for Multimodal-written fixes if the Semgrep rule doesn't include a human-written autofix.
- Upgrade Guidance & Autofix: Enable analysis of dependency upgrades for breaking changes. Semgrep displays safe-to-upgrade and breaking-change indicators on Supply Chain findings when enabled.
GitHub
Semgrep Multimodal extends standard Semgrep capabilities by providing contextually aware AI-generated suggestions. Building that context requires GitHub permissions in addition to the standard permissions Semgrep needs.
Semgrep Multimodal requires read access to your code in GitHub. This is done through a private Semgrep GitHub app that you install. This private Semgrep GitHub app:
- Is fully under your control so you can revoke access or specific permissions at any time by visiting Settings > Applications in GitHub.
- Only accesses source code repositories on a file-by-file basis; it does not need or request org-level access to your codebase.
- Can be configured to limit its scope to specific repositories. You do not need to give read access to all repositories in your GitHub organization.
To verify that you have the private app installed:
- In Semgrep AppSec Platform, go to Settings > Source Code Managers.
- Find the entry for GitHub. If you have the Private app installed, Semgrep displays a message underneath this label that reads Enables Autotriage, Managed Scans, and Auto-scan.
- If you don't have the Private app installed, the Install button is shown to you. To install the private app:
- Click Install to launch the Add GitHub App page.
- Review the information provided, and click Register GitHub App to proceed.
- The Continue to SCM dialog appears, since you must finish installing the app with GitHub. Click Continue to proceed.
- Follow the prompts provided by GitHub to finish creating the app.
- When done, GitHub redirects you back to Semgrep AppSec Platform.
Enable Multimodal
- Sign in to Semgrep AppSec Platform.
- Go to Settings > Global, and click the Semgrep Multimodal toggle to enable.
- The Set up Semgrep Multimodal dialog appears. Click Accept & Enable Semgrep Multimodal to proceed.
- Once you've enabled Semgrep Multimodal, you can change the AI provider used and enable additional features, including:
- Weekly priority emails: Enable weekly emails to all organization admins with information on the top three backlog tasks across all findings.
- Autofix PR: Enable the creation of AI-generated pull requests (PR) that fix findings.
- Noise filter for Code PR/MR comments: Enable the filtering of findings flagged as false positives. You can choose to suppress any PR or MR comments Semgrep might push, or you can choose to show developers information regarding false positives using PR or MR comments.
- Suggested fix: Enable Multimodal-generated autofix suggestions in comments from Multimodal. You can also set the minimum confidence level for Multimodal-written fixes if the Semgrep rule doesn't include a human-written autofix.
- Upgrade Guidance & Autofix: Enable analysis of dependency upgrades for breaking changes. Semgrep displays safe-to-upgrade and breaking-change indicators on Supply Chain findings when enabled.
GitLab
Semgrep Multimodal extends standard Semgrep capabilities by providing contextually aware AI-generated suggestions. Building that context requires the API scope on both GitLab SaaS and GitLab self-managed instances. You can grant this scope at either the project access token level or the personal access token level.
- You can revoke project access tokens or personal access tokens at any time.
- Semgrep Multimodal only accesses source code repositories (projects) on a file-by-file basis; it does not need or request org-level access to your codebase.
- The token can be configured to limit its scope to specific projects or individuals. You do not need to give read access to all projects in your GitLab organization.
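Before handing a token to a third-party service, it is worth confirming that it carries exactly the scope this page asks for and that it is active and not close to expiry. The following Python script is an added example, not Semgrep's own code and not part of the Semgrep docs. It assumes the token metadata has the shape GitLab returns from `GET /api/v4/personal_access_tokens/self` (fields such as `scopes`, `active`, `revoked` and `expires_at`); the two sample responses are constructed, not captured from a real instance, and the 14-day expiry warning threshold is an assumed policy value. The same missing/extra comparison applies to the Azure DevOps and Bitbucket scope lists earlier on this page once you substitute the scope identifiers your provider reports.

```python
"""Check a GitLab access token against the scope Semgrep Multimodal needs.

Added example for this page; not Semgrep's own code. Assumes token
metadata shaped like GitLab's GET /api/v4/personal_access_tokens/self
response. Sample responses below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import json

# Scope this page says Multimodal needs on GitLab SaaS and self-managed.
REQUIRED_SCOPES = frozenset({"api"})

# How close to expiry a token may be before we warn (assumed policy value).
EXPIRY_WARNING_DAYS = 14


@dataclass(frozen=True)
class TokenReport:
    usable: bool        # True only if nothing blocks Multimodal from using the token
    missing: frozenset  # required scopes the token lacks
    extra: frozenset    # scopes granted beyond what you intended (least-privilege check)
    problems: tuple     # hard failures: missing scope, inactive, revoked, expired
    warnings: tuple     # soft issues: expiry approaching or unset


def check_token(meta: dict, required=REQUIRED_SCOPES, intended=None, today=None) -> TokenReport:
    """Compare a token's reported scopes and state with what Multimodal requires.

    `intended` is the full set of scopes you meant to grant (defaults to
    `required`); anything beyond it is reported as `extra` so an over-scoped
    token is visible before it is handed to a third party.
    """
    today = today or date.today()
    intended = frozenset(intended) if intended is not None else frozenset(required)
    granted = frozenset(meta.get("scopes", []))

    missing = frozenset(required) - granted
    extra = granted - intended
    problems, warnings = [], []

    if missing:
        problems.append(f"missing required scope(s): {', '.join(sorted(missing))}")
    if not meta.get("active", False):
        problems.append("token is not active")
    if meta.get("revoked", False):
        problems.append("token is revoked")

    # GitLab reports expires_at as an ISO date (YYYY-MM-DD) or null.
    expires_at = meta.get("expires_at")
    if expires_at:
        expiry = date.fromisoformat(expires_at)
        if expiry < today:
            problems.append(f"token expired on {expiry.isoformat()}")
        elif expiry - today <= timedelta(days=EXPIRY_WARNING_DAYS):
            warnings.append(f"token expires in {(expiry - today).days} day(s); rotate it soon")
    else:
        warnings.append("token has no expiry date; consider setting one")

    return TokenReport(
        usable=not problems,
        missing=missing,
        extra=extra,
        problems=tuple(problems),
        warnings=tuple(warnings),
    )


# Constructed sample responses (not real GitLab output).
SAMPLE_OK = json.loads("""{
  "id": 42, "name": "semgrep-multimodal", "scopes": ["api"],
  "active": true, "revoked": false, "expires_at": "2030-01-01"
}""")

SAMPLE_BAD = json.loads("""{
  "id": 43, "name": "legacy-ci-token",
  "scopes": ["read_api", "read_repository", "write_repository"],
  "active": true, "revoked": false, "expires_at": "2024-01-01"
}""")


if __name__ == "__main__":
    for name, meta in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        report = check_token(meta)
        print(f"{name}: {'USABLE' if report.usable else 'NOT USABLE'}")
        for line in report.problems + report.warnings:
            print(f"  - {line}")
        if report.extra:
            print(f"  - extra scopes beyond intended: {', '.join(sorted(report.extra))}")
```

The second sample shows the case that most often trips people up: a token with `read_api` looks like it has API access, but it does not satisfy the `api` scope this page requires, and the checker reports it as missing rather than silently accepting the narrower scope.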
Enable Multimodal
- Sign in to Semgrep AppSec Platform using your GitLab account.
- Go to Settings > Global, and click the Semgrep Multimodal toggle to enable.
- The Set up Semgrep Multimodal dialog appears. Click Accept & Enable Semgrep Multimodal to proceed.
- Once you've enabled Semgrep Multimodal, you can change the AI provider used and enable additional features, including:
- Weekly priority emails: Enable weekly emails to all organization admins with information on the top three backlog tasks across all findings.
- Noise filter for Code PR/MR comments: Enable the filtering of findings flagged as false positives. You can choose to suppress any PR or MR comments Semgrep might push, or you can choose to show developers information regarding false positives using PR or MR comments.
- Suggested fix: Enable Multimodal-generated autofix suggestions in comments from Multimodal. You can also set the minimum confidence level for Multimodal-written fixes if the Semgrep rule doesn't include a human-written autofix.
- Upgrade Guidance & Autofix: Enable analysis of dependency upgrades for breaking changes. Semgrep displays safe-to-upgrade and breaking-change indicators on Supply Chain findings when enabled.