Rapidly deploy code scans across your organization with Semgrep managed scanning

You can now roll out Semgrep at ludicrous speed without any manual, per-repo CI/CD configuration. Whether you have one repo or thousands of repos, It Just Works.

Pablo Estrada
May 21st, 2024
Share

Adding code scanning into CI/CD is a very common practice, which Semgrep already makes easy by integrating with over a dozen CI/CD systems. However, a common refrain we have heard from AppSec professionals is that deploying and maintaining scan infrastructure is not how they want to be spending their limited time.

To help security engineers spend less time configuring infrastructure and more time securing their applications, we're announcing the public beta of Semgrep managed scanning, which lets you scan code without the need to change existing CI/CD configurations. This makes it super easy to add Semgrep to your projects and quickly benefit from security scanning for SAST, SCA, or secrets.

Roll out Semgrep across all of your repositories in minutes

Available in public beta for all Semgrep users on GitHub-hosted projects, Semgrep managed scanning is already enabling users to set up scans on hundreds or even thousands of repos with just a few clicks.

“Semgrep managed scanning made it easy for us to roll out Semgrep on hundreds of repositories in minutes,” says ClickUp Senior Security Engineer Szymon Wyrwiak. “This helps us feel more confident in our coverage and that we are scanning all the repos that we want to be. We also appreciate that it reduces the maintenance overhead of keeping scans running and up to date. We love that managed scanning just takes care of it for us.”

In the private beta, we have helped dozens of beta customers achieve full rollout of Semgrep in less than a week.


Semgrep takes care of the scans for you 

Semgrep managed scanning connects to your repositories through a GitHub application, which you can configure for access to only selected repositories or all repositories in your GitHub organization.

Instead of adding a Semgrep job or workflow to your CI/CD pipeline, your repositories are added to Semgrep AppSec Platform through its user interface. Code scans are run on the platform’s infrastructure instead of your CI/CD infrastructure. So there is no need for you to spend CI minutes or coordinate with other teams to set up scanning.

Once enabled, Semgrep managed scanning automatically runs full scans weekly and on every PR. Semgrep findings presented as PR comments are still available, and determined according to your policy settings for monitor, comment, or blocking modes.

To enable Semgrep managed scanning, you’ll need to grant Semgrep’s infrastructure the ability to read your source code. This is different from adding Semgrep in CI, in which case Semgrep’s infrastructure (or company) does not have access to your source code. By default, projects are configured with:

Diff-aware scans:

  • these scans run on every pull request and follow the settings in your policies, ensuring that developers are only notified of findings from high-signal rules you place in comment or block mode

Full scans:

  • these scans of the entire repository run weekly

To perform the scan and return findings, Semgrep’s infrastructure creates an ephemeral copy of your source code. Once the scan is completed, findings are sent to Semgrep AppSec Platform, and the copy of your source code is automatically deleted. If you’ve configured any rules to send findings as comments in pull requests, findings also will appear there.

In summary, Semgrep managed scanning lets you quickly and easily enable code scanning on your projects, even if you have hundreds or thousands of projects. With this introduction, you now have full flexibility on where to run code scans: locally on your machine, in your CI/CD infrastructure, or using Semgrep’s managed infrastructure.

Want to try Semgrep managed scanning? Check out our docs to get started today! 

About

Semgrep lets security teams partner with developers and shift left organically, without introducing friction. Semgrep gives security teams confidence that they are only surfacing true, actionable issues to developers, and makes it easy for developers to fix these issues in their existing environments.