# Semgrep

Semgrep is an open-source static analysis tool for finding and fixing security issues in source code. It is designed to be fast and developer-friendly, and it integrates into the development workflow. Semgrep uses a pattern-based approach to detect and fix security vulnerabilities, coding errors, and other issues in codebases.

### Usage of Semgrep in Delivery Shield

* Delivery Shield mandates source code scanning. It connects to Semgrep to check whether the repository has been scanned and, if it has not, raises a security issue.
* The scanned data is collected by Delivery Shield and used to analyse the overall image and application risk scoring.
* The fetched results are available in the [Vulnerability Management](https://docs.opsmx.com/opsmx-secure-software-delivery-ssd-platform/user-guide/vulnerability-management) page, **Artifact** section of the [DBOM](https://docs.opsmx.com/opsmx-secure-software-delivery-ssd-platform/user-guide/delivery-bill-of-materials-dbom) page, and the [View Open Security Issues](https://docs.opsmx.com/opsmx-secure-software-delivery-ssd-platform/user-guide/view-security-posture/view-open-security-issues) page.
* Users can also create custom policies based on the SAST scan results; for example, a policy that blocks images built from a repository containing a critical SAST issue.
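The image-blocking policy described above, modelled as an added example against the JSON that the Semgrep CLI emits in Local Mode (`semgrep --json`). This is illustration code, not Delivery Shield's own policy engine; the mapping of Semgrep's `ERROR` severity to a "critical" SAST issue, and the sample report, are assumptions constructed here.

```python
"""Gate an image build on Semgrep CLI JSON output (added illustration)."""
import json

# Semgrep CLI finding severities, in increasing order.
SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2}

# Assumption: a Delivery Shield "critical" SAST issue corresponds to an ERROR finding.
BLOCKING_SEVERITY = "ERROR"


def findings_at_or_above(report: dict, threshold: str = BLOCKING_SEVERITY) -> list:
    """Return findings whose severity is at least `threshold`.

    `report` is a parsed `semgrep --json` document: findings live under
    `results[]`, each carrying `check_id`, `path`, `start.line` and `extra.severity`.
    """
    floor = SEVERITY_RANK[threshold]
    return [
        r for r in report.get("results", [])
        if SEVERITY_RANK.get(r.get("extra", {}).get("severity", "INFO"), 0) >= floor
    ]


def gate_decision(report_text: str) -> dict:
    """Decide whether the image built from this repository should be blocked.

    A scan that Semgrep itself reported errors for is also blocked: a partial
    scan says nothing about the files it could not parse.
    """
    report = json.loads(report_text)
    blocking = findings_at_or_above(report)
    scan_errors = report.get("errors", [])
    return {
        "block": bool(blocking) or bool(scan_errors),
        "blocking_findings": [f"{r['check_id']} {r['path']}:{r['start']['line']}" for r in blocking],
        "scan_errors": len(scan_errors),
    }


# Constructed sample in the shape of `semgrep --json` output; rule ids are made up.
SAMPLE_REPORT = json.dumps({
    "results": [
        {"check_id": "sample.python.exec-detected", "path": "app/tasks.py",
         "start": {"line": 42}, "end": {"line": 42},
         "extra": {"message": "Detected the use of exec().", "severity": "ERROR"}},
        {"check_id": "sample.python.open-never-closed", "path": "app/util.py",
         "start": {"line": 7}, "end": {"line": 7},
         "extra": {"message": "File handle never closed.", "severity": "WARNING"}},
    ],
    "errors": [],
})

if __name__ == "__main__":
    print(json.dumps(gate_decision(SAMPLE_REPORT), indent=2))
```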

### To Integrate Semgrep:

1. Navigate to **Setup** > **Integrations**.
2. In the **Source** panel, click **Semgrep**.

<figure><img src="https://2047464521-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MBEa1hoX6SqpDj-ymNs%2Fuploads%2FZIpX2JSDBL3Rc55T3Z9m%2Fsemgrep%201.png?alt=media&#x26;token=4b5b2cb2-decf-4148-bda1-57348db61d23" alt=""><figcaption></figcaption></figure>

3. The Semgrep integration page is displayed. Click **+New Account**.
4. In the popup that appears, enter the details for the following fields:

<figure><img src="https://2047464521-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MBEa1hoX6SqpDj-ymNs%2Fuploads%2FdnFJmR6vfkdWMN4O3QyZ%2Fsemgrep%202.png?alt=media&#x26;token=0563b14e-eec7-40dd-a4d7-954635976c46" alt=""><figcaption></figcaption></figure>

5. Enter the Account Name.
6. Select the **Mode**: Local or Cloud.
   1. If **Local Mode** is selected, Semgrep is run as a CLI tool.
   2. If **Cloud Mode** is selected, the SaaS version of Semgrep is used.
7. Enter the token value used to access the Semgrep account (see [API Token](https://semgrep.dev/docs/semgrep-ci/running-semgrep-ci-with-semgrep-cloud-platform/#creating-a-semgrep_app_token) for details on how to generate an API token).
8. Select the **Teams** and the corresponding **Environments** from the dropdown for which you want the integration to be available. The integration will be available only for the selected teams and environments.

   <div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p>You can select up to 5 teams for the integration to be displayed.</p></div>

   * An example is given below for reference:

   <figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXeuMZQzZsZQuulVdW9B9OuffNPoEXqbcpcAkYtKVyb7YiTQxbVIt1L4Gh-zshqX2J9MFKIat8x4oWFIGxdg3j1XVagyUNhUAlD_52soyMyd1cy53p6XiYi0LsTjIBfHcybRWl61?key=D9EXoOdGF7oYOBvYaW2GnRWJ" alt=""><figcaption></figcaption></figure>

   * In the example above,
     * if **Team 1**, **Team 2**, and **Team 3** are selected, only applications associated with these teams can access the integration. Any applications belonging to other teams, such as **Team 4**, will not have access to this account.
     * Even if the user who created this account is also an admin for **Team 4**, the integration account remains restricted and is not available for **Team 4**.
     * Access to the account is strictly limited to the specified **Teams** and **Environments** selected during account creation.
   * **For Organization Admins:**
     * When an **Organization Admin** creates an account without selecting specific **Teams** and **Environments**, the account will be universally applicable, granting access to **all teams** and **all environments** by default.
   * **For Team Admins with Multiple Teams:**
     * If a **Team Admin** who manages multiple teams creates an account without specifying particular **Teams** and **Environments**, the account will only be accessible to the teams for which the logged-in user holds admin privileges.
9. Click **Save**. The tool is integrated in the source stage.
10. To delete the integration, click the **Delete** button.
11. You can edit the entered values by clicking the **Edit** option.
12. Enter the new values and click **Update**.

The new values get updated.

