Semgrep Assistant

Automated recommendations for triage and code remediation using Semgrep assisted by GPT-4

Works with 30+ languages


Auto-triage findings

Semgrep Assistant uses GPT's understanding of programming languages and libraries to point out when a Semgrep finding is wrong or not applicable to a line of code.

Auto-fix code

When Semgrep Assistant finds a true positive finding, it recommends an autofix to remediate the code.

See Semgrep Assistant in action

Reduced alert fatigue

  • Gives developers more context about a finding so that they can triage better

  • With less alert fatigue, developers are more likely to take true positives seriously

Faster code remediation

  • Provides recommendations for code remediation to help developers fix issues faster

  • Shows fixes in the developer's workflow (as a pull request comment) so that they can accept or reject the recommendation


Frequently asked questions

Because this feature involves sharing code snippets with a third party, we take extra steps to secure your data. First, code snippets are shared with OpenAI without identifying the customer or repository name. Second, we only share the amount of code necessary to enlist the help of GPT in automating resolution of each specific alert. Finally, Semgrep only accesses source code repositories on a file-by-file basis; we do not need or request org-level access to your codebase.

Yes, the Semgrep Assistant feature submits part of the file that has a finding in it to OpenAI for processing by a GPT model. OpenAI is not allowed to use the submitted code for training their models.

No personal information is shared with OpenAI as a part of the Semgrep Assistant feature.

No. Your source code remains yours, and it will only be accessed by Semgrep or OpenAI to the limited extent necessary to provide the Semgrep Assistant service to you. Once results are returned to you, Semgrep will delete the snippets that were shared. OpenAI retains copies of the content sent to them for a maximum of 30 days for purposes of monitoring abuse, as indicated in their API Data Usage Policies.

No. Because Semgrep will be accessing OpenAI’s services via API, OpenAI will not use any of the content we provide to them for the purpose of improving their services (see Section 3(c) of their Terms of Use).

Yes, to a limited extent. Specifically, the sharing of code snippets with Semgrep as part of this feature expands the scope of the data to which you grant us a limited license in order to provide our services to you (see Section 5.1 of our Subscriber Agreement).

Get Started With Semgrep Assistant

AI-assisted secure coding is just a click away!