
Manage Semgrep Secrets rules using the Policies page

The Policies page visually represents the rules Semgrep Secrets uses for scanning.

Overview of Semgrep Secrets policies view

To access the policies page for Semgrep Secrets:

  1. Log in to Semgrep AppSec Platform and navigate to Rules > Policies.
  2. Click Secrets.

Policies page structure

The Policies page consists of the following elements:

Policies header

The top header contains the Validation State Policies button, which lets you define how Semgrep handles findings that it categorizes as invalid or that result in a validation error.

Filter pane

Displays filters to select and perform operations on rules in bulk quickly. See Filters for more information.

Rules pane

The rules pane displays the rules that Semgrep scans use to detect leaked secrets and allows you to edit their assigned rule modes. You can make these edits either one by one or through the bulk editing of many rules. You can also use the Search for rule names or ids box. See Filters for more information.

Filters

The filter pane displays filters to select and perform operations on rules in bulk. The following filters are available:

Filter: Description

Modes: Filter by the workflow action Semgrep performs when a rule detects a finding. An additional filter, Disabled, is provided for rules you have turned off that are no longer included for scanning.
Validation: Filter by whether the rule includes a validator or not.
Type: Filter by the type of secret the rule addresses. Examples: AWS, Adobe, DigitalOcean, GitHub, GitLab.
Source: Filter by Pro rules (authored by Semgrep) or by Custom rules (rules created by your organization).
Severities: Filter by the severity level of the secret:
  • Low: low privilege; for example, write-only access like a webhook
  • Medium: may have read and write access depending on what scope the account has
  • High: has access to critical resources or full account access
Analysis method: Filter based on whether Semgrep used Semantic or Generic analysis.

Rule entry reference

This section defines the columns of the rule entries in the Policies page:

Column: Description

Rule name: Name of the rule Semgrep Secrets uses for scanning.
Labels: Metadata describing the rule, including the service for which the rule is applicable.
Open findings: The number of open findings the rule detected across all scans.
Fix rate: The percentage of findings that are fixed through changes to the code.
Severity: The higher the severity, the more critical the issues that a rule detects.
Confidence: Indicates the confidence that the rule detects true positives.
Source: Indicates the origin of a rule.
  • Pro: Authored by Semgrep.
  • Custom: Rules created within your Semgrep organization.
Ruleset: The name of the ruleset the rule belongs to.
Mode: Specifies what workflow action Semgrep performs when a rule detects a finding. An additional mode, Disabled, is provided for rules you have turned off that are no longer included for scanning.

Rule modes

Semgrep Secrets provides three rule modes. These can be used to trigger workflow options whenever Semgrep Secrets identifies a finding based on the rule:

Rule mode: Description

Monitor: Rules in Monitor mode display findings only in:
  • Semgrep AppSec Platform
  • User-defined notifications
Set rules to this mode to evaluate their true positive rate and other criteria you may have. By keeping rules in Monitor, developers do not receive potentially noisy findings in their PRs or MRs.

Comment: Rules in Comment mode display findings in:
  • Developers' PRs or MRs
  • Semgrep AppSec Platform
  • User-defined notifications
Set rules that have met your performance criteria to this mode when you are ready to display findings to developers.

Block: Rules in Block mode cause the scan job to fail with an exit code of 1 if Semgrep Secrets detects a finding from these rules. You can use this result to enforce a block on the PR or MR. For example, GitHub users can enable branch protection and set the PR to fail if the Semgrep step fails.
These rules display findings in:
  • Developers' PRs or MRs
  • Semgrep AppSec Platform
  • User-defined notifications
These are typically high-confidence, high-severity rules.

If you're encountering issues getting PR comments for Semgrep Secrets:

Validation state policies

You can define how Semgrep handles findings that it categorizes as invalid or that result in a validation error.

  • Invalid findings: include secrets that, during validation, were identified as revoked, or were never functional.
  • Validation errors: occur when there are difficulties reaching the secrets provider or when Semgrep receives an unexpected response from the API.

To set the rule mode for invalid findings and validation errors:

  1. Log in to Semgrep AppSec Platform, and navigate to Rules > Policies.
  2. Switch to the Secrets page.
  3. Click Validation State Policies.
  4. Set the rule mode for Invalid findings and Validation errors by choosing the option you'd like from the drop-down menu on the right.

Block a PR or MR through rule modes

Semgrep enables you to set a workflow action based on the presence of a finding. Workflow actions include:

  • Failing a CI job. Semgrep returns exit code 1, and you can use this result to set up additional checks to enforce a block on a PR or MR.
  • Leaving a PR or MR comment.
  • Notifying select channels, such as private Slack channels or webhooks.

You can trigger these actions based on the rule mode set for the rule.
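The three sections above (rule modes, validation state policies, and the workflow actions they trigger) describe one decision: a finding's effective mode is the rule's own mode, unless the finding is invalid or hit a validation error, in which case the Validation State Policies setting applies, and Disabled rules never report. The following Python is an added illustrative model of that decision, not Semgrep's code; the rule ids, file locations, validation-state names and the sample policy (invalid to Monitor, validation error to Comment) are constructed for the example.

```python
"""Constructed model of how Semgrep Secrets rule modes and validation-state
policies combine into workflow actions (illustration, not Semgrep's implementation)."""
from dataclasses import dataclass
from enum import Enum


class Mode(str, Enum):
    MONITOR = "Monitor"
    COMMENT = "Comment"
    BLOCK = "Block"
    DISABLED = "Disabled"


class ValidationState(str, Enum):
    # State names are assumptions for the model, not Semgrep's labels.
    CONFIRMED_VALID = "confirmed valid"
    INVALID = "invalid"
    VALIDATION_ERROR = "validation error"
    NO_VALIDATOR = "no validator"


@dataclass(frozen=True)
class Finding:
    rule_id: str
    rule_mode: Mode
    validation: ValidationState
    location: str


# Sample Validation State Policies (the setting reached via Rules > Policies > Secrets
# > Validation State Policies). Revoked/never-working secrets are kept out of PRs;
# validation errors may be transient, so they are surfaced as comments only.
VALIDATION_POLICY = {
    ValidationState.INVALID: Mode.MONITOR,
    ValidationState.VALIDATION_ERROR: Mode.COMMENT,
}


def effective_mode(f: Finding, policy=VALIDATION_POLICY) -> Mode:
    """Disabled rules never report. Invalid and validation-error findings take
    the mode from the validation-state policy; all others use the rule's mode."""
    if f.rule_mode is Mode.DISABLED:
        return Mode.DISABLED
    return policy.get(f.validation, f.rule_mode)


def workflow_actions(f: Finding, policy=VALIDATION_POLICY) -> dict:
    """Map the effective mode onto the workflow actions listed on this page."""
    mode = effective_mode(f, policy)
    return {
        "platform": mode is not Mode.DISABLED,     # shown in Semgrep AppSec Platform
        "notify": mode is not Mode.DISABLED,       # user-defined notifications
        "pr_comment": mode in (Mode.COMMENT, Mode.BLOCK),
        "block": mode is Mode.BLOCK,
    }


def scan_exit_code(findings, policy=VALIDATION_POLICY) -> int:
    """Exit code 1 when any finding ends up in Block mode, otherwise 0."""
    return 1 if any(workflow_actions(f, policy)["block"] for f in findings) else 0


def summarize(findings, policy=VALIDATION_POLICY) -> dict:
    """Location -> effective mode name, for a quick CI log line."""
    return {f.location: effective_mode(f, policy).value for f in findings}


# Constructed sample findings: rule ids and paths are made up for illustration.
SAMPLE_FINDINGS = [
    Finding("example.aws-access-key", Mode.BLOCK, ValidationState.CONFIRMED_VALID, "src/config.py:12"),
    Finding("example.aws-access-key", Mode.BLOCK, ValidationState.INVALID, "tests/fixtures.py:3"),
    Finding("example.github-token", Mode.BLOCK, ValidationState.VALIDATION_ERROR, "ci/deploy.sh:40"),
    Finding("example.generic-high-entropy", Mode.MONITOR, ValidationState.NO_VALIDATOR, "README.md:88"),
    Finding("example.legacy-rule", Mode.DISABLED, ValidationState.CONFIRMED_VALID, "old/app.js:5"),
]


if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"{f.location:20} {f.rule_mode.value:9} {f.validation.value:17} -> {effective_mode(f).value}")
    print("scan exit code:", scan_exit_code(SAMPLE_FINDINGS))
```

Running the block shows the two outcomes worth checking before you move a rule to Block: the live AWS key still fails the job, while the same rule's revoked key in test fixtures and the token whose validator errored are downgraded by the policy and do not block or, for the invalid one, comment on the PR.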

Add custom rules

To add custom rules, use the Semgrep Editor. See Semgrep Secrets rule structure and sample.

Disable rules

To disable rules:

  1. On the Policies page, select either:
    • The top Number Matching Rules checkbox to select all rules.
    • The individual checkboxes next to rules to disable them one by one.
  2. Click Change modes (Number), and then click Disabled.

You can also select individual rules under the Mode column and disable them individually.
