Receive Slack notifications
The Semgrep Slack app enables Semgrep AppSec Platform to notify you of new findings after every scan. By receiving notifications within your Slack workspace, developers and security engineers can see findings without switching environments. This can lessen the friction between detecting a finding, triaging it, and resolving it.
You can select the channels in your Slack workspace that receive findings. You can also choose to receive findings only for certain repositories (projects) or Rule Modes. For example, you can choose to receive notifications only for findings generated by rules from the Blocking Rule Mode.
Install the Semgrep Slack App
- You must be a Slack Workspace Owner to set up the Semgrep Slack app. Installing it grants the app the Slack scopes listed under Slack permissions at the end of this page; review that table before you click Allow.
To install the Semgrep Slack app, follow these steps:
- In Semgrep AppSec Platform, go to Settings > Integrations.
- On the Integrations page, click Add Integration (or Setup First Integration if this is your first integration), and then select Slack.
- Click Allow.
Set up notifications for findings in Slack
To set up or subscribe to notifications for findings in your Slack workspace, perform the following steps:
- In your Slack workspace, find or create a channel for Semgrep notifications.
- In the selected Slack channel, enter the slash command /semgrep_subscribe. For private channels, first invite the Semgrep app by typing @Semgrep in the channel, then use the /semgrep_subscribe command to start receiving notifications.
- Optional: Enter the name of a specific project after /semgrep_subscribe to receive findings for that project only, for example, /semgrep_subscribe acme-corp/vulnerable-repo. The project must be entered in the following format:
/semgrep_subscribe ACCOUNT_NAME/REPOSITORY_NAME
- Choose an organization in the list under Select target organization. The dialog box expands with additional options.
- Optional: Set up additional filters.
  - For Semgrep users that receive both Semgrep Code findings and Semgrep Supply Chain vulnerabilities, you can select target scan types to subscribe to either Semgrep Code, Semgrep Supply Chain, or both.
  - Select any number of policies to receive findings for under the Selected Policies field. By default, you are subscribed to all policies, including the Monitor policy, which can result in noisy notifications.
- Click Subscribe. If you did not specify a project after /semgrep_subscribe, the channel is subscribed to findings from all your repositories in Semgrep AppSec Platform.
- Optional: To set up Slack notifications for additional workspaces, repeat steps 1 to 6. The Semgrep Slack integration is set up on a per-workspace basis.
You have successfully set up notifications for Semgrep findings. The Semgrep Slack app reports new findings after every scan but does not report findings that were previously discovered.
In your Slack workspace, create separate channels per policy, repository (project), or type of finding, depending on your business or development need. This ensures that developers receive only findings that are relevant to them. Treat a findings channel as sensitive: everyone in it can read the vulnerability details Semgrep posts, so use a private channel (with the Semgrep app invited) for repositories whose findings should not be visible to the whole workspace.
Figure: A sample Slack message with Semgrep findings.
Remove notifications for findings in Slack
This operation removes or unsubscribes a channel from notifications. To uninstall the Semgrep Slack app, refer to Uninstall the Semgrep Slack App.
To remove or unsubscribe from notifications:
- In Slack, open the channel that you want to unsubscribe from Semgrep findings.
- Type /semgrep_unsubscribe.
- Select the target organization to unsubscribe from.
- Click Unsubscribe.
You have unsubscribed from Semgrep finding notifications for that particular channel.
Change Slack notification settings
You can customize your notification settings at any time through the Semgrep App Home in your Slack workspace.
To view the Semgrep App Home:
- In your Slack workspace, click + Add apps, which can be found in the sidebar under the Apps header.
- Click Semgrep. The Semgrep app appears as a button on the sidebar.
To change the settings:
- In your Slack workspace, click Semgrep under Apps in the Slack sidebar. This displays the Semgrep App Home.
- Click the three-dot menu of the channel to update.
- Click Manage filters.
Notification and alert de-duplication
Notifications are sent only the first time a given finding is detected.
When running a diff-aware scan, Semgrep doesn't notify you when a pull request has a finding that existed on the base branch already, even if that line is moved or re-indented.
Semgrep also tracks notifications that have already been sent, so subsequent scans of the same changes in a pull request won't result in duplicate notifications.
See Findings in CI for more information about how Semgrep tracks a finding through its lifetime.
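The behaviour described above can be modelled with a line-independent fingerprint plus a ledger of what has already been announced. The following is an added example written for this page, not Semgrep's own fingerprinting or notification code: it assumes a simplified fingerprint made of the rule id, file path, whitespace-normalised matched text and the occurrence index of that text within the file, and the rule id, file paths and findings are constructed sample data.

```python
"""Illustrative model of scan-to-scan notification de-duplication.

Added example, not Semgrep's own code. It assumes a simplified fingerprint
built from (rule id, file path, whitespace-normalised matched text, k-th
occurrence of that text in the file); line numbers are deliberately left
out so a moved or re-indented match keeps its identity. The findings below
are constructed sample data.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    line: int
    matched_text: str


def _normalize(text: str) -> str:
    # Collapse runs of whitespace and strip the ends so re-indenting or
    # reflowing the matched code does not change the fingerprint.
    return re.sub(r"\s+", " ", text).strip()


def fingerprint_scan(findings: list[Finding]) -> dict[str, Finding]:
    """Map each finding in one scan to a line-independent id.

    Identical matches in the same file are told apart by occurrence index
    (ordered by line) rather than by line number, so the set of ids is
    stable when code moves within a file.
    """
    counts: dict[tuple[str, str, str], int] = {}
    ids: dict[str, Finding] = {}
    for f in sorted(findings, key=lambda x: (x.path, x.line)):
        key = (f.rule_id, f.path, _normalize(f.matched_text))
        k = counts.get(key, 0)
        counts[key] = k + 1
        digest = hashlib.sha256("\0".join([*key, str(k)]).encode()).hexdigest()
        ids[digest[:16]] = f
    return ids


class NotificationLedger:
    """Remembers which fingerprints have already been announced for a PR."""

    def __init__(self) -> None:
        self.sent: set[str] = set()

    def findings_to_notify(self, base: list[Finding], pr: list[Finding]) -> list[Finding]:
        base_ids = set(fingerprint_scan(base))
        to_send: list[Finding] = []
        for fid, f in fingerprint_scan(pr).items():
            if fid in base_ids:       # pre-existing on the base branch: not new
                continue
            if fid in self.sent:      # already notified by an earlier scan of this PR
                continue
            self.sent.add(fid)
            to_send.append(f)
        return to_send


RULE = "python.lang.security.audit.eval-detected"  # hypothetical rule id

# Constructed sample data: the base branch has one finding at line 10.
BASE_SCAN = [Finding(RULE, "app/views.py", 10, "eval(user_input)")]

# The PR moves that call to line 42 inside a new block (re-indented) and
# introduces a genuinely new eval() in a second file.
PR_SCAN = [
    Finding(RULE, "app/views.py", 42, "        eval(user_input)"),
    Finding(RULE, "app/api.py", 7, "eval(payload)"),
]


def demo() -> tuple[list[Finding], list[Finding]]:
    """First scan of the PR, then a re-scan of the same changes."""
    ledger = NotificationLedger()
    first = ledger.findings_to_notify(BASE_SCAN, PR_SCAN)
    second = ledger.findings_to_notify(BASE_SCAN, PR_SCAN)
    return first, second


if __name__ == "__main__":
    first, second = demo()
    print("first scan notifies:", [f.path for f in first])  # ['app/api.py']
    print("re-scan notifies:", [f.path for f in second])    # []
```

The moved, re-indented eval() in app/views.py hashes to the same id as the base-branch finding and is suppressed; only the new match in app/api.py is announced, and a second scan of the identical PR state announces nothing because the ledger already holds its id. Note that a fingerprint that ignores the line number needs the occurrence index, otherwise a second identical match added in the same file would be swallowed as a duplicate.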
Uninstall the Semgrep Slack App
This removes all Semgrep notifications in all channels in your Slack workspace.
To uninstall the Semgrep Slack App entirely from your Slack workspace, perform the following steps:
- In Semgrep AppSec Platform, go to Settings > Integrations.
- On the Integrations page, find the Slack integration you want to remove.
- Click Remove integration > Remove.
Troubleshooting
Not receiving any findings
The following list describes possible ways to troubleshoot findings not appearing in your Slack workspace:
- Check if you have successfully set up your notifications.
- Check if your most recent scan has findings to send.
- Check your filters.
- Check if the channel is private. You must add the Semgrep app to a private channel (type @Semgrep in the channel) before you can subscribe it to notifications.
Check notifications
To check that your notifications are set up, receive a test message from Semgrep:
- In your Slack workspace, click Semgrep under Apps in the Slack sidebar.
- Click the three-dot menu > Send Test Notification.
Check your filters
If you have set up any filter, such as filtering for a specific policy or project, all conditions of that filter must be met for a notification to be sent. Review your filters by following the steps in Change Slack notification settings.
Permissions not up-to-date
You may receive a message from the Semgrep Slack app stating that your token does not have up-to-date permissions. Clicking the link provided in the message to update the permissions typically resolves this issue.
However, if after updating the token, you still receive the same message, perform the following steps to revoke and refresh your access token:
- In your Slack workspace, click Semgrep under Apps in the Slack sidebar.
- Click Uninstall. This revokes your token.
- Go to Semgrep AppSec Platform > Settings > Integrations.
- Find the Slack entry for the workspace you revoked in step 2 and click Refresh Token.
- Follow the steps in the authentication flow to complete the token refresh.
You have refreshed your access token and updated your permissions.
Fixing the dispatch_failed error
There are many possible causes for this error. Try the following fixes:
- Re-enter your last command or operation after a few minutes.
- Uninstall, and then reinstall your Semgrep Slack integration.
Fixing the operation_timeout error
This error occasionally appears due to connection or service issues. To fix this issue, retry your last command or operation after a few minutes.
Slack permissions
The following table describes the purpose of each permission required to use the Semgrep Slack app.

| Permission | Slack description | Purpose |
|---|---|---|
| app_mentions:read | View messages that directly mention @Semgrep. | Enables the Semgrep Slack app to respond when users mention it in the chat. |
| channels:read | View basic information about public channels in a workspace. | Basic channel information such as channel_id is used to ensure that Semgrep findings (results) are sent to the appropriate channel, and to detect whether channels that receive Semgrep findings have been deleted or archived. |
| chat:write | Send messages as @Semgrep. | Enables the Semgrep Slack app to send findings to channels. |
| chat:write.customize | Send messages as @Semgrep with a customized username and avatar. | Helps users identify Semgrep Slack app messages through the use of an image and username. |
| chat:write.public | Send messages to channels @Semgrep isn't a member of. | Enables users to invoke Semgrep Slack app features in any public channel using the slash command. |
| commands | Add shortcuts or slash commands that people can use. | Enables the Semgrep Slack app to register custom slash commands such as /semgrep_subscribe, used for notification subscription. |
| emoji:read | View custom emoji in a workspace. | Allows Semgrep to support a workspace's custom emojis. |
| im:write | Start direct messages with people. | Allows users to interact with the Semgrep Slack app and use the slash commands in direct messages. |
| links:write | Show previews of URLs in messages. | Enables the Semgrep Slack app to include links in messages. |
| users:read | View profile details about people in a workspace. | Enables the Semgrep Slack app to correctly address users in messages. |
| users:write | Set presence for Semgrep. | Used by the Semgrep Slack app to interact with the workspace and enables users to add the Semgrep Slack app to relevant channels. |
| workflow.steps:execute | Add steps that people can use in Workflow Builder. | Enables Semgrep to make use of modals and drop-down boxes when a user creates or updates their notifications. |
| groups:read | View basic information about private channels that your Slack app has been added to. | The Semgrep Slack app uses channels_id_changed to update its notification configuration if the channel that receives findings is updated. This ensures that you still receive findings after renaming a channel. |
| team:read | View the name, email domain, and icon for workspaces your Slack app is connected to. | The Semgrep Slack app uses team_name_changed to update its notification configuration if the team name is updated. This ensures that you still receive findings notifications after renaming your team. |
Additional resources
Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.