Semgrep Product Update

New triage reason workflows + filter by triage reason in platform

Developers are now able to specify triage reasons (false positive, acceptable risk, and other) in the PR comment flow, and AppSec teams can now filter findings based on these reasons in the Semgrep UI.

Developers will be able to access the following PR commands in Github, and all instructions will be clearly provided to developers as part of the PR comment:

  • /fp <comment> For triaging a finding to ignored with the triage reason "false positive"

  • /ar <comment> For triaging a finding to ignored with the reason "acceptable risk"

  • /other <comment> For triaging a finding to ignored without any specific reason "No triage reason"

    • Note: These are the same as the previous /semgrep ignore functionality

  • /open To re-open a finding

    • Note: This is the same as the previous /semgrep open functionality

  • /remember <comment> For adding Assistant memories.

    • Note: This is the same as the previous /semgrep remember functionality

Please note that all previous commands are still supported for backwards compatibility. For example: previous commands /semgrep ignore , /semgrep open , /semgrep remember will continue to be available, and developers may continue to use these commands.

Support is currently limited to Github, but is coming soon for Gitlab customers!

Triage reason

Chushi Li