Quickstart for Semgrep Managed Scans
This quickstart guide will help you set up Semgrep and scan your first project using Semgrep Managed Scans.
A project is any codebase, repository, or folder within a monorepo that is added to Semgrep for scanning. This includes all the findings, history, and scan metadata for the project.
What are Semgrep Managed Scans?
Semgrep Managed Scans let you run Semgrep scans without setting up and maintaining your own CI infrastructure. They provide a simple, scalable way to scan your code for security vulnerabilities, code quality issues, and other problems without creating and maintaining a separate scan configuration for each project.
Supported source code managers
You must be an existing Semgrep AppSec Platform user with one of the following plans:
- Bitbucket Cloud Premium plans or Bitbucket Data Center (v8.8 or above for diff-aware scans)
- Hosted GitHub (GitHub.com) and GitHub Enterprise Server plans
- GitLab Cloud and GitLab self-managed plans and a Premium or Ultimate subscription
- Azure DevOps Cloud repositories
Add projects to Semgrep Managed Scans
The prerequisites and steps depend on your source code manager. The sections below cover Azure DevOps, GitHub, GitLab, and Bitbucket in turn.
Azure DevOps
Prerequisites
You must have admin access to your Azure DevOps organization.
Read access is granted through an access token you generate on Azure DevOps. You can provide this token by adding Azure DevOps as a source code manager.
Semgrep recommends setting up and configuring Semgrep with an Azure DevOps service account, not a personal account. Regardless of whether you use a personal or service account, the account must be assigned the Owner or Project Collection Administrator role for the organization. During setup and configuration, you must provide a personal access token generated by this account. This token must be authorized with Full access. Once you have Semgrep Managed Scans fully configured, you can update the token provided to Semgrep to a more restrictive one. The scopes you must assign to the token include:
- Code: Read
- Code: Status
- Member Entitlement Management: Read
- Project and Team: Read & write
- Pull Request Threads: Read & write
Add a project
- Sign in to Semgrep AppSec Platform.
- Navigate to Projects, and click Scan new project > Semgrep Managed Scan.
- In the Enable Managed Scans for repos page, select the repositories you want to add to Semgrep Managed Scans.
- Click Enable Managed Scans. The Enable Managed Scans dialog appears. By default, Semgrep runs both full and diff-aware scans.
- Click Enable. You are taken to the Projects page as your scans begin.
GitHub
Prerequisites
You must have admin access to your GitHub organization.
To enable and use this feature, you must grant Semgrep Read access to your code. You do this by installing a private GitHub app that you create and register yourself; the steps are given in the Add a project section below. See Managed Scans > Security for more information on how Semgrep handles your code once you've granted read access.
Add a project
- Go to Semgrep AppSec Platform, and sign up by clicking on Sign in with GitHub. Follow the on-screen prompts to grant Semgrep the necessary permissions and proceed.
- Provide the Organization display name you'd like to use, then click Create new organization.
- When asked Where do you want to scan? click GitHub.
- Follow the steps in the Connect GitHub to Semgrep page. These steps install a public GitHub app to handle PR comments and a private GitHub app to handle code access. You can select which repositories these apps have access to, and remove or revoke their permissions at any time.
- Click Set up projects. You are taken to the Enable Managed Scans for repos page.
- Select all the repositories you want to add to Semgrep Managed Scans for scanning.
- Click Enable Managed Scans. You are taken to the Projects page as your scans begin.
GitLab
Prerequisites
Semgrep Managed Scanning (SMS) requires one of the following plans:
- GitLab Premium
- GitLab Ultimate
- GitLab Self Managed
You must provide a GitLab group access token or personal access token to Semgrep. The token must have the api scope assigned to it.
During SMS onboarding, the group or user to which the token is assigned must have one of the following roles:
- Maintainer
- Owner
- Admin
This is because managed scans of GitLab repositories require webhooks, which Semgrep uses to trigger diff-aware scans and to post pull request comments. The webhooks are enabled by default when you set up Managed Scans and add GitLab as a source code manager. Once onboarding is complete, you can downgrade the role assigned to the token to Developer.
Add a project
- Navigate to Semgrep AppSec Platform, and sign up by clicking on Sign in with GitLab. Follow the on-screen prompts to proceed.
- When prompted, click Scan new project > Semgrep Managed Scan.
- In the Enable Managed Scans for repos page, select the repositories you want to add to Semgrep Managed Scans.
- Click Enable Managed Scans. The Enable Managed Scans dialog appears. By default, Semgrep runs both full and diff-aware scans.
- Click Enable. You are taken to the Projects page as your scans begin.
Bitbucket
Prerequisites
You must have admin access to your Bitbucket organization.
Bitbucket Cloud
- Read access is granted through a workspace access token you generate on Bitbucket. You can provide this token by adding Bitbucket as a source code manager.
- The user generating the workspace token must be a Product Admin for the workspace. The scopes you must assign to the token include:
  - webhook (read and write)
  - repository (read and write)
  - pullrequest (read and write)
  - project (admin)
  - account (read)
Bitbucket Data Center
- Bitbucket Data Center v8.8 or above is required for diff-aware scans. Additionally, project-level webhooks are required to support diff-aware scans.
- Read access is granted through an HTTP access token you generate on Bitbucket. You can provide this token by adding Bitbucket as a source code manager.
- The user generating the workspace token must be a Product Admin for the workspace. The token must be created with PROJECT_ADMIN permissions.
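Every source code manager section above follows the same pattern: a token that needs a broad set of scopes (or a high role) during onboarding, which the page then recommends narrowing once Managed Scans is running. The following added example, which is not Semgrep's code and not part of this page, turns those prerequisites into a small pre-flight check: it compares the scopes a token actually carries against the set the page lists, flags anything missing before you try to onboard, and flags anything surplus so you can tighten the token afterwards. Scope names are written exactly as this page lists them, not as your SCM's API spells them, and the granted-scope lists in `SAMPLE_TOKENS` are constructed sample data. In practice you would fill them from your SCM; for GitLab, `GET /api/v4/personal_access_tokens/self` returns the calling token's `scopes`, and the numeric GitLab access levels used below (Developer 30, Maintainer 40, Owner 50) are the values GitLab's members API reports.

```python
"""Pre-flight check of an SCM token against the Semgrep Managed Scans
prerequisites listed on this page (added example, not Semgrep's code)."""
from dataclasses import dataclass

# Minimum token scopes the page lists for onboarding, per source code manager.
# Names are the page's labels; map them to your SCM's own scope identifiers.
REQUIRED_SCOPES = {
    "azure-devops": {
        "Code: Read",
        "Code: Status",
        "Member Entitlement Management: Read",
        "Project and Team: Read & write",
        "Pull Request Threads: Read & write",
    },
    "gitlab": {"api"},
    "bitbucket-cloud": {
        "webhook (read and write)",
        "repository (read and write)",
        "pullrequest (read and write)",
        "project (admin)",
        "account (read)",
    },
}

# GitLab access levels as reported by GitLab's members API.
GITLAB_DEVELOPER = 30
GITLAB_MAINTAINER = 40
GITLAB_OWNER = 50


@dataclass(frozen=True)
class ScopeReport:
    """Result of comparing granted scopes with the page's required set."""
    scm: str
    missing: frozenset  # required by the page but not granted: onboarding will fail
    extra: frozenset    # granted but not required: candidates for removal later

    def ok(self) -> bool:
        return not self.missing


def check_scopes(scm: str, granted) -> ScopeReport:
    """Compare the scopes a token carries against the page's required set."""
    required = REQUIRED_SCOPES[scm]  # KeyError for an SCM the page does not cover
    granted = frozenset(granted)
    return ScopeReport(scm, frozenset(required - granted), frozenset(granted - required))


def gitlab_role_ok(access_level: int, is_admin: bool, onboarding_complete: bool) -> bool:
    """During onboarding the page requires Maintainer, Owner, or Admin (webhook
    creation); once onboarding is complete, Developer is enough."""
    if is_admin:
        return True
    floor = GITLAB_DEVELOPER if onboarding_complete else GITLAB_MAINTAINER
    return access_level >= floor


# CONSTRUCTED sample data: what a token inventory might look like after onboarding.
SAMPLE_TOKENS = {
    "azure-devops": [
        "Code: Read", "Code: Status", "Member Entitlement Management: Read",
        "Project and Team: Read & write", "Pull Request Threads: Read & write",
        "Build: Read & execute",  # left over from the initial Full access token
    ],
    "gitlab": ["api"],
    "bitbucket-cloud": [
        "webhook (read and write)", "repository (read and write)",
        "pullrequest (read and write)", "account (read)",  # project (admin) missing
    ],
}


def audit(tokens=SAMPLE_TOKENS) -> dict:
    """Run check_scopes over an inventory and return {scm: ScopeReport}."""
    return {scm: check_scopes(scm, scopes) for scm, scopes in tokens.items()}


if __name__ == "__main__":
    for scm, report in audit().items():
        status = "OK" if report.ok() else "MISSING " + ", ".join(sorted(report.missing))
        print(f"{scm:15} {status}")
        if report.extra:
            print(f"{'':15} surplus after onboarding: {', '.join(sorted(report.extra))}")
    print("gitlab role ok during onboarding (Maintainer):", gitlab_role_ok(40, False, False))
    print("gitlab role ok after onboarding (Developer):  ", gitlab_role_ok(30, False, True))
```

Run it as-is to see the constructed inventory reported: Azure DevOps passes but carries a surplus scope worth removing, GitLab passes, and Bitbucket Cloud is missing `project (admin)`, which the page says is required. Replace `SAMPLE_TOKENS` with the scopes your SCM reports for the real token, and re-run after narrowing the token to confirm nothing required was dropped.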
Add a project
- Sign in to Semgrep AppSec Platform.
- Navigate to Projects, and click Scan new project > Semgrep Managed Scan.
- In the Enable Managed Scans for repos page, select the repositories you want to add to Semgrep Managed Scans.
- Click Enable Managed Scans. The Enable Managed Scans dialog appears. By default, Semgrep runs both full and diff-aware scans.
- Click Enable. You are taken to the Projects page as your scans begin.
Semgrep now performs a full scan, in batches, on all the projects you added.
You can view your projects in Semgrep AppSec Platform. All projects with a Managed Scan configuration are tagged with managed-scan, regardless of whether they are actively being scanned by Semgrep Managed Scans.
Next steps
Once a scan has finished, you can view your findings on the following Semgrep AppSec Platform pages:
- Code for SAST findings
- Secrets for secrets findings
- Supply Chain for SCA findings
See Semgrep Managed Scans to learn more about how Semgrep manages your scans.