Enable and use Semgrep Assistant

This article walks you through enabling Semgrep Assistant for your deployment and using its features.

Prerequisites

• You have completed a Semgrep core deployment.
• You have set rules to Comment or Block mode in your Policies page.

GitHub

Semgrep Assistant extends normal Semgrep capabilities by providing contextually aware AI-generated suggestions. In order to build that context, it requires GitHub permissions in addition to the standard permissions required for Semgrep.

Semgrep Assistant requires read access to your code in GitHub. This is done through a private Semgrep GitHub app that you install during Assistant setup. This private Semgrep GitHub app:

• Is fully under your control so you can revoke access or specific permissions at any time by visiting Settings > Applications in GitHub.
• Only accesses source code repositories on a file-by-file basis; it does not need or request org-level access to your codebase.
• Can be configured to limit its scope to specific repositories. You do not need to give read access to all repositories in your GitHub organization.

Enable Assistant

1. Sign in to Semgrep AppSec Platform.
2. Click Settings.
3. In the Assistant section, click the Allow code snippets in AI prompts toggle. This launches the Set up Semgrep Assistant prompt.
4. Select a source code manager (SCM) by clicking github.com.
5. Semgrep provides you with information on why Assistant requires access to your source code. Click Accept & Enable Assistant to proceed.
6. You are redirected to the page where you can add a GitHub Private App that grants Semgrep read access to your code.
   1. Enter your GitHub information. Select whether you're installing the app on an organization or Personal Account, and provide its name.
   2. Click Review permissions to see the permissions requested by Semgrep.
   3. Click Register GitHub App to proceed.
   4. When prompted, click Continue to allow redirection to GitHub to finalize app creation. Follow the instructions to finish creating and installing a private semgrep-app.
7. You are redirected to Semgrep AppSec Platform's Source Code Managers page. Navigate back to the Deployment page. Under the Assistant section, verify that all of the features are enabled:
   1. Allow code snippets in AI prompts: Required for Semgrep to auto-triage findings, provide AI remediation guidance, and tag findings with code context.
   2. Autofix suggestions for Code: Enable autofix suggestions in comments from Assistant. You can also set the minimum confidence level for Assistant-written fixes if the Semgrep rule doesn't include a human-written autofix.
   3. Auto-triage for Code: Enable notifications whenever Assistant suggests that a finding may be safe to ignore. You can include notifications in your PR and MR comments, or you can receive them through Slack notifications.

GitLab

Semgrep Assistant extends normal Semgrep capabilities by providing contextually aware AI-generated suggestions. In order to build that context, it requires GitLab permissions in addition to the standard permissions required for Semgrep.

Semgrep Assistant requires the API scope to run in both GitLab SaaS and GitLab self-managed instances. This can be specified at either the project access token level or personal access token level.

• You can revoke project access tokens or personal access tokens at any time.
• Semgrep Assistant only accesses source code repositories (projects) on a file-by-file basis; it does not need or request org-level access to your codebase.
• The token can be configured to limit its scope to specific projects or individuals. You do not need to give read access to all projects in your GitLab organization.

Enable Assistant

1. Sign in to Semgrep AppSec Platform using your GitLab account.
2. Click Settings.
3. In the Assistant section, click the Allow code snippets in AI prompts toggle. This launches the Set up Semgrep Assistant prompt.
4. Follow the on-screen instructions to complete the setup process.
5. Navigate back to the Deployment page. Under the Assistant section, verify that all of the features are enabled:
   1. Allow code snippets in AI prompts: Required for Semgrep to auto-triage findings, provide AI remediation guidance, and tag findings with code context.
   2. Autofix suggestions for Code: Enable autofix suggestions in comments from Assistant. You can also set the minimum confidence level for Assistant-written fixes if the Semgrep rule doesn't include a human-written autofix.
   3. Auto-triage for Code: Enable notifications whenever Assistant suggests that a finding may be safe to ignore. You can include notifications in your PR and MR comments, or you can receive them through Slack notifications.
   4. Weekly priority emails: Get weekly emails with information on your top backlog tasks according to Assistant. Semgrep sends these emails to organization admins every Monday.

Enable autofix suggestions

Autofix allows you to receive code snippets to remediate true positives. Perform the following to enable it:

1. Sign in to Semgrep AppSec Platform, and navigate to Settings > Deployment.
2. In the Assistant section, click the Autofix suggestions for Code if it is not yet enabled.
3. Optional: Select a confidence level in the drop-down box. This value determines the level of quality at which the autofix code appears as a suggestion. A lower confidence level means that Semgrep Assistant displays the autofix suggestion even when the code quality may be incorrect.
   tip

   Semgrep recommends setting a low confidence level since even incorrect suggestions may be useful starting points for triage and remediation.

Enable auto-triage

If auto-triage, which allows you to get notifications whenever Assistant indicates a finding may be safe to ignore, isn't enabled for your deployment, you can do so as follows:

1. Sign in to Semgrep AppSec Platform, and navigate to Settings > Deployment.
2. In the Assistant section, click the Auto-triage for Code if it is not yet enabled.
3. Select whether you want alerts included in your PR/MR comments and Slack notifications.

Figure. MR comment from Semgrep Assistant in GitLab.

Missing PR and comments

Semgrep Assistant messages only appear in your PR comments for rules that are set to Comment or Block mode on the Rule Management page. Ensure that:

• You have set rules to Comment or Block mode.
• You have selected PR/MR comments in Semgrep AppSec Platform > Settings > Deployment in the Code section.

Enable priority inbox

If priority inbox, which allows organization admins to receive information on top backlog tasks according to Assistant, isn't enabled for your deployment, you can do so as follows:

1. Sign in to Semgrep AppSec Platform, and navigate to Settings > Deployment.
2. In the Assistant section, click the Weekly priority emails if it is not yet enabled.

Analyze findings

Once you've enabled Assistant, you can use the Analyze button on the Findings page to trigger all Assistant functions, including autofix, auto-triage, and component tagging, on existing findings.

To analyze your findings with Assistant:

1. On the Findings page, select the findings that you want Assistant to analyze.
2. Click Analyze.
3. In the confirmation window that appears, confirm that you want to analyze your findings with Assistant.

After Assistant performs these functions, you can see your results on the Findings page using the Recommendation or Component filters. When viewing your findings, you can see false positive and true positive recommendations when viewing the finding details pages if you choose No Grouping instead of Group by Rule.

The amount of time required to analyze your findings varies, but the UI displays a notification that provides an estimated wait time.

info

There is a cap of 250 Assistant runs per month using the Analyze button. Assistant runs against pull requests and merge requests do not count against this limit.

View recommendations

You can view all of Semgrep Assistant's recommendations by going to the Semgrep Findings page and filtering by Recommendation or Component.

Write custom rules (beta)

Semgrep Assistant can help you write custom rules to find issues specific to your codebase.

To do so:

1. Sign in to Semgrep AppSec Platform.
2. Navigate to Rules > Editor.
3. Click the plus button, and under Generate with AI, click ...with Semgrep Assistant.
4. In the Generate rule with Semgrep Assistant pop-up window:
   1. Select the language of your codebase.
   2. Provide a prompt describing what you want the rule to do in English.
   3. Optional: provide an example of bad code.
   4. Optional: provide an example of good code.
5. Click Generate to proceed. You'll be redirected to a screen where you can view and copy your rule and test it against the sample bad code snippet you provided.