Because this feature involves sharing code snippets with a third party, we take extra steps to secure your data. First, code snippets are shared with OpenAI without identifying the customer or repository name. Second, we only share the amount of code necessary to enlist the help of GPT in automating resolution of each specific alert. Finally, Semgrep only accesses source code repositories on a file-by-file basis; we do not need or request org-level access to your codebase.

Yes, the Semgrep Assistant feature submits part of the file that has a finding in it to OpenAI for processing by a GPT model. OpenAI is not allowed to use the submitted code for training their models.

No personal information is shared with OpenAI as a part of the Semgrep Assistant feature. 

No. Your source code remains yours, and it will only be accessed by Semgrep or OpenAI to the limited extent necessary to provide the Semgrep Assistant service to you. Once results are returned to you, Semgrep will delete the snippets that were shared. OpenAI retains copies of the content sent to them for a maximum of 30 days for purposes of monitoring abuse, as indicated in their API Data Usage Policies.

No. Because Semgrep will be accessing OpenAI’s services via API, OpenAI will not use any of the content we provide to them for the purpose of improving their services (see Section 3(c) of their Terms of Use).

Yes, to a limited extent. Specifically, the sharing of code snippets with Semgrep as part of this feature expands the scope of the data to which you grant us a limited license in order to provide our services to you (see Section 5.1 of our Subscriber Agreement).