Semgrep

Semgrep is an open-source static analysis tool used for identifying and fixing security issues in source code. It is designed to be fast, developer-friendly, and can be integrated into the development workflow. Semgrep uses a pattern-based approach to detect and fix security vulnerabilities, coding errors, and other issues in codebases.

Usage of Semgrep in SSD

  • SSD mandates source code scanning. It connects with Semgrep to check whether the repository has been scanned; if no scan has been performed, SSD raises security issues for that repository.

  • The scanned data is collected by SSD and used to analyse the overall image and application risk scoring.

  • The fetched results are available in the Vulnerability Management page, Artifact section of the DBOM page, and the View Open Security Issues page.

  • Users can also create custom policies based on the SAST scan results, for example, users can create a policy that blocks images built from a repository that contains a critical SAST issue.

To Integrate Semgrep:

  1. Navigate to Config > Integrations.

  2. In the Source panel, click Semgrep. The Semgrep integration page is displayed.

  3. Enter the Token value of your Semgrep account. (See API Token for details on how to generate an API token.)

  4. Click the Sast/Dast scan toggle button if you need to enable this scan.

  5. Click Save. The tool is integrated in the source stage.

  6. To change the entered values later, click the Edit option, enter the new token value, and click Update. The new values get updated.
