Semgrep Assistant overview
Semgrep Assistant provides GPT-4-powered security recommendations to help you review, triage, and remediate your Semgrep findings.
Figure. Semgrep Assistant detects a false positive.
Support and availability
Semgrep Assistant primarily supports findings generated by Semgrep Code. It requires the Semgrep AppSec Platform.
Semgrep Assistant is available to users of the following source code managers (SCMs):
- GitHub Cloud
- GitLab, including SaaS and self-managed plans
Semgrep Assistant does not support the use of GitHub Enterprise Server (self-hosted).
Language support
Semgrep Assistant supports the same languages as Semgrep Code.
Features
Component tags
Component tags use GPT-4 to categorize a finding based on its function, such as:
- Payments
- User authentication
- Infrastructure
By categorizing your code through component tags, Semgrep Assistant can help you prioritize high-risk issues, such as remediating a code finding related to payments or user authentication.
Component tags are available in Semgrep AppSec Platform's Findings page.
Auto-triage
Semgrep Assistant uses GPT-4's understanding of programming languages and libraries, together with your code and triage history, to auto-triage findings and suggest whether a finding can safely be ignored. Every recommendation to ignore a finding comes with an explanation of why Assistant considers it safe to ignore.
Auto-triage recommendations are available in Semgrep AppSec Platform's Findings page when you filter for findings that Assistant suggests should be ignored, and in the finding's details.
Figure. Semgrep Assistant auto-triage in the Findings page.
Assistant's suggestions to ignore findings are also surfaced in PR or MR comments, so developers can triage an issue without switching contexts, and in Slack notifications.
Figure. Semgrep Assistant auto-triage in a Slack notification.
Remediation
Semgrep Assistant can provide remediation advice and autofixes, or suggested fixes, for Semgrep Code findings.
Guidance
With Assistant enabled, every PR or MR comment Semgrep pushes includes remediation guidance: step-by-step instructions on how to fix the finding identified by Semgrep Code.
Figure. PR comment displaying the rule message followed by a comment that contains Assistant-generated remediation guidance.
Semgrep also displays remediation information on Semgrep AppSec Platform's Findings page under Your code in the finding's details.
Autofix
Semgrep Assistant can suggest autofix code snippets for Semgrep Code findings when it identifies a true positive. Assistant only suggests an autofix if the rule doesn't have a human-written autofix. You can set the minimum autofix confidence level required to display autofix suggestions from Semgrep Assistant on Semgrep AppSec Platform's Settings page. To receive as many Assistant suggestions as are available, set the minimum to low confidence.
Assistant customizes the code snippets it provides based on previous feedback, if any, and your rule customizations. For example, if you have a custom rule recommending a specific sanitizer, Assistant can recommend its use in the autofix suggestion for the issue in your code.
Autofixes are available in PR and MR comments, so developers can review and verify Semgrep's generated fixes before applying them.
Figure. Semgrep Assistant generates a potential fix in a PR comment.
Autofixes are also available on Semgrep AppSec Platform's Findings page under Your code in the finding's details.
Figure. Semgrep Assistant showing a potential fix in Semgrep AppSec Platform.
The finding's details include a link to the PR or MR with the autofix, so you can go directly to the PR or MR to commit the autofix.
If many new issues are found in a given scan, Assistant auto-triage and autofix may not run on every issue.
Priority inbox
Semgrep sends weekly emails with information on Assistant's top three backlog tasks across all findings. Unlike other Assistant features, these suggestions can include information for all Semgrep products that you have enabled. The emails are sent out on Monday to all organization admins.
This information is also available in Semgrep AppSec Platform on the Dashboard page under Assistant recommended tasks.
Figure. Semgrep Assistant's priority inbox Dashboard view.
Custom rules editor (beta)
Semgrep Assistant can help you write custom rules to find patterns and vulnerabilities specific to your codebase. The only information you need to provide is a prompt, written in English, describing what you want the rule to do. If you also provide an example of bad code and an example of good code, Semgrep uses them to test the generated rule and to give the language model (LLM) additional context.
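For readers unfamiliar with what a generated custom rule looks like, here is a hand-written Semgrep rule added as an illustration; it is not Semgrep's own rule or Assistant output, and the rule id and the yaml.load example are assumptions. It also shows the human-written fix key mentioned in the Autofix section: when a rule carries its own fix, Assistant does not propose an autofix for it.

```yaml
# Example rule (added illustration, not from the Semgrep docs or rule registry).
# Detects PyYAML's yaml.load() called without an explicit loader, which can
# construct arbitrary Python objects from untrusted input, and rewrites the
# call to yaml.safe_load(). Semgrep matches `yaml.load($DATA)` only against
# single-argument calls, so calls that already pass Loader= are not flagged.
rules:
  - id: example-yaml-unsafe-load          # assumed id, chosen for this example
    languages: [python]
    severity: WARNING
    message: >-
      yaml.load() without a SafeLoader can instantiate arbitrary Python objects
      from attacker-controlled YAML. Use yaml.safe_load() instead.
    metadata:
      category: security
      confidence: HIGH
    pattern: yaml.load($DATA)
    # Human-written autofix: $DATA is substituted with the matched argument.
    # Because this rule has its own fix, Assistant autofix is not used for it.
    fix: yaml.safe_load($DATA)
```

To test the rule the way the custom rules editor does with your good and bad examples, save a Python file beside the rule containing a bad line such as yaml.load(payload) preceded by the comment # ruleid: example-yaml-unsafe-load, and a good line such as yaml.safe_load(payload) preceded by # ok: example-yaml-unsafe-load, then run semgrep --test in that directory; Semgrep reports whether each annotated line was matched as expected.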
Privacy and legal considerations
Semgrep uses API permissions to access code on your pre-selected GitHub or GitLab repositories.
- Semgrep Assistant logs and stores the GPT prompts and responses for the sake of performance evaluation, which includes source code snippets.
- Semgrep Assistant sends relevant lines of code to OpenAI's API, where "relevant lines of code" currently means the lines that are part of the Semgrep finding, plus 30 lines of context on each side. Semgrep, Inc. is likely to expand this, potentially to the entire file, as we learn how to pass more useful context.
- Semgrep stores and retains GPT's responses based on these code snippets for up to 6 months. Semgrep, Inc. will update you with at least a 30-day notice if we make any changes to the retention policy.
- Semgrep, Inc. is a paying customer of OpenAI and has a Data Protection Agreement signed with them (provided upon request by contacting support). The code snippets we upload are persisted by OpenAI temporarily, following their data usage policies at Enterprise privacy at OpenAI.
- Semgrep, Inc. takes the following steps to protect data that is processed by AI, since Assistant requires sharing code snippets with a third party:
  - Semgrep shares code snippets with OpenAI without identifying the customer or repository name.
  - Semgrep only shares the code necessary to enlist the help of GPT in automating the resolution of each specific alert.
  - Semgrep only accesses source code repositories on a file-by-file basis; it does not need or request org-level access to your codebase.
- When using Semgrep Assistant, source code does leave your repository; Assistant submits part of the file with a finding to OpenAI for processing by a GPT model. OpenAI is not allowed to use the submitted code to train its models.
- Regarding your data privacy, none of your personal information is shared with OpenAI as a part of the Semgrep Assistant feature.
- Semgrep, Inc. and OpenAI do not obtain any rights to your source code. Your source code remains yours, and Semgrep or OpenAI accesses it to the limited extent necessary to provide the Semgrep Assistant service. Once the results are returned to you, Semgrep Assistant deletes the shared snippets. OpenAI retains copies of the content sent to them for a maximum of 30 days to monitor for abuse, as indicated in their API Data Usage Policies.
- Because Semgrep Assistant accesses OpenAI's services through the API, OpenAI does not use any of the code provided to them to improve their services (see Section 3(c) of their Terms of Use).
- To a limited extent, using Semgrep Assistant changes the terms of your agreement with Semgrep, Inc. Specifically, sharing code snippets with Semgrep Assistant as part of this feature expands the scope of the data to which you grant Semgrep, Inc. a limited license to provide services to you (see Section 5.1 of our Subscriber Agreement).
For more details, see the Semgrep Assistant FAQ.
Provide feedback
Semgrep Assistant prompts you for feedback whenever it suggests that a finding is a false positive. Because Assistant content is generated by language models (LLMs), your feedback helps the Semgrep team improve Assistant.
- In Semgrep AppSec Platform, the Assistant recommendation appears under Activity for a finding, along with Agree and ignore or Disagree buttons.
- In Slack notifications, Agree and Disagree buttons appear under the Assistant recommendation message.
- In GitHub pull requests, you can leave feedback by commenting /semgrep assistant agree or /semgrep assistant disagree.
If Semgrep Assistant suggests that a finding is a true positive and supplies an autofix suggestion, there is no automated mechanism to leave feedback on this outcome. Feel free to contact the Semgrep team using one of the methods below to let us know your thoughts!
Next steps
Learn how to enable Semgrep Assistant for your deployment.
Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.