Semgrep
Last updated
Was this helpful?
Last updated
Was this helpful?
Semgrep is an open-source static analysis tool used for identifying and fixing security issues in source code. It is designed to be fast, developer-friendly, and can be integrated into the development workflow. Semgrep uses a pattern-based approach to detect and fix security vulnerabilities, coding errors, and other issues in codebases.
Delivery Shield mandates source code scanning. It connects with Semgrep to identify if the scanning was performed on the repository and if not done it generates security issues.
The scanned data is collected by Delivery Shield and used to analyse the overall image and application risk scoring.
The fetched results are available in the Vulnerability Management page, Artifact section of the DBOM page, and the View Open Security Issues page.
Users can also create custom policies based on the SAST scan results, for example, users can create a policy that blocks images built from a repository that contains a critical SAST issue.
Navigate to Setup > Integrations.
In the Source panel, click Semgrep.
You can use the toggle button provided below the integration tile to enable or disable it as needed.
The Semgrep integration page is displayed. Click +New Account.
In the popup that appears, enter the details for the following fields:
Enter the Account Name.
Select the Mode : Local or Cloud.
If Local Mode is selected, Semgrep is run as a CLI tool.
If Cloud Mode is selected, SaaS version of Semgrep is run.
Enter the token value to access the SemGrep account. (See API Token for details on how to generate a API token).
Select the Teams and the corresponding Environments from the dropdown for which you want the integration to be available. The integration will be available for the selected teams and environment only.
You can select up to 5 teams for the integration to be displayed.
An example is given below for reference:
In the example above,
if Team 1, Team 2, and Team 3 are selected, only applications associated with these teams can access the integration. Any applications belonging to other teams, such as Team 4, will not have access to this account.
Even if the user who created this account is also an admin for Team 4, the integration account remains restricted and is not available for Team 4.
Access to the account is strictly limited to the specified Teams and Environments selected during account creation.
For Organization Admins:
When an Organization Admin creates an account without selecting specific Teams and Environments, the account will be universally applicable, granting access to all teams and all environments by default.
For Team Admins with Multiple Teams:
If a Team Admin who manages multiple teams creates an account without specifying particular Teams and Environments, the account will only be accessible to the teams for which the logged-in user holds admin privileges.
Click Save. The tool is integrated in the source stage.
To delete the integration, click the Delete button.
You can edit the entered values by clicking the Edit option as shown below:
Enter the new values and click Update.
The new values get updated.
