Skip to main content

Core deployment

Semgrep can be set up to scan repositories of any size.

Deployment refers to the process of integrating Semgrep into your developer and infrastructure workflows. Completing the deployment process provides you with the Semgrep features that meet your security program's needs.

Deployment includes:

  • Running Semgrep scanners as part of your CI. These scans can be any combination of SAST (Static Application Security Testing), SCA (Software Composition Analysis), or Secrets, depending on your plan.
  • Managing team members' access and authentication.
  • Ensuring that Semgrep has sufficient access to your self-hosted source code manager (SCM), such as GitLab Self-Managed.

Semgrep does not require code access to complete the core deployment process. Your code is not sent anywhere.

Are these guides for you?
  • These guides outline procedures for the deployment of Semgrep as part of a security program. To try out Semgrep, refer to the Quickstart document.
  • Individual users can also use these guides to deploy Semgrep as part of their personal security.

Many deployment features are set up through Semgrep AppSec Platform.

Deployment does not include:

  • Customizing your SAST, SCA, or secrets scans
  • Custom rule writing
  • Triage

For these features, refer to the Scan and Triage section in the navigation bar.

All Semgrep deployment features

Semgrep supports many different technology stacks. Refer to the following table to evaluate which deployment features of Semgrep you can use based on your technologies.

Core deployment

These are the absolute minimum Semgrep features for any deployment.

Deployment featureNotes
SAST scanningCheck that Semgrep:
SCA scanningCheck that Semgrep supports your lockfile or package manager.
Secrets scanningCheck that your services, such as Slack or Twilio, can be validated by Semgrep. Semgrep Secrets is available through Semgrep Sales, so you must Book a demo.
SSOSemgrep supports:
  • OpenID Connect or OAuth 2
  • SAML 2.0
OrganizationsSemgrep can connect to orgs from GitHub and GitLab. Connecting an org enables Semgrep AppSec Platform to authenticate new users from the same org easily.

If you use Bitbucket or Azure Repos, you can use SSO to manage the authentication of your users, then add repositories for scanning through your CI provider.
Scanning remote repositories through CISemgrep fully supports many popular CI providers. See Add Semgrep to CI.
Managed scanning (beta): scanning remote repositories in bulk without CI changesAn alternative method of scanning many repositories with Semgrep that doesn't require integration with your CI. Requires read access to user-selected repositories. See Add repositories to Semgrep in bulk (beta).
PR or MR commentsSemgrep can post PR or MR comments in the following SCMs:
  • GitHub
  • GitLab
  • Bitbucket

Additional deployment features

Useful features that you can add based on your tech stack. You can integrate these features further into your security workflows after some initial testing of your core deployment.

Deployment featureNotes
NotificationsSemgrep can send notifications through the following channels:
  • Slack
  • Email
  • Webhooks
GPT-assisted triage and remediationSemgrep can give GPT-assisted recommendations on whether a finding is a true or false positive as well as suggest code fixes for true positive findings.
IDE integration

Encourage developers to run Semgrep in their IDE. Officially supported extensions include:

  • Microsoft Visual Studio Code
  • IntelliJ Ultimate IDEA
  • Emacs
APICheck that Semgrep's API meets your needs. See API docs.

Core deployment process

At the minimum, your deployment of Semgrep consists of the following steps:

  1. Creating a Semgrep account. Each user of Semgrep has one account.
  2. Setting up organizations (orgs). Each Semgrep account can have many orgs. Orgs are logical groupings of related repositories and users.
  3. Setting up membership:
    • For GitHub or GitLab users, you can connect your Semgrep org to the orgs in your source code manager (SCM). This means that any member of an org in your SCM can sign in to your Semgrep deployment.
    • You can also use SSO to manage user authentication.
  4. Adding Semgrep into your CI workflows. This step ensures that your Semgrep deployment is up and running and that you receive findings of security issues in Semgrep AppSec Platform.
  5. Enabling Semgrep to post PR or MR comments.

Core deployment steps

To manage a large volume of users and repositories, you may need to perform additional steps:

  • Role management
  • Tagging projects

These steps are covered in the section Deployment at scale.

Team size isn't necessarily indicative of deployment needs. Features for large teams can be deployed for smaller teams as well, and are available on the Semgrep Team Tier.

Deploy Semgrep in phases

It is recommended to finish the core deployment of Semgrep to a few repositories or departments in your organization first before attempting to deploy to the majority.

This initial phase prepares you to deploy Semgrep to the rest of the organization. Organizational infrastructure can vary greatly and the initial deployment can help you identify and address issues so that they do not recur in a wider deployment.

Next steps

Click Next to begin setting up your core deployment.


Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.