
Semgrep Code product terms

The terms and definitions provided here are specific to Semgrep Code.

For rule-writing and SAST (static application security testing) terms, see the Rule-writing glossary.

Default branch

Also known as a mainline or trunk branch. Semgrep AppSec Platform recognizes the following branch names as default branches:

  • develop
  • development
  • main
  • master
  • trunk
  • staged
  • dev
  • production
  • prod
  • staging
  • HEAD
  • origin/stage
  • origin/master

Diff-aware scan

A diff-aware scan is a type of scan that shows only the findings introduced by changes to files relative to a specific Git baseline. It is typically performed on feature branches when a pull or merge request is opened.
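The following is an added illustration of what a diff-aware scan reports, not Semgrep's own implementation: it compares a baseline scan with a head scan and keeps only the findings absent from the baseline. The finding shape, file paths and rule ids are constructed, and keying on rule, file and matched text rather than line number is an assumption made here so that code that merely moved is not reported as new.

```python
"""Diff-aware finding comparison (added illustration, not Semgrep's algorithm)."""
from collections import Counter

# Constructed sample findings; the rule ids and paths are placeholders.
BASELINE_FINDINGS = [
    {"check_id": "example-rules.eval-detected", "path": "app/views.py",
     "start": {"line": 12}, "extra": {"lines": "result = eval(user_input)"}},
    {"check_id": "example-rules.shell-true", "path": "app/tasks.py",
     "start": {"line": 40}, "extra": {"lines": "subprocess.run(cmd, shell=True)"}},
]

HEAD_FINDINGS = [
    # Same finding as in the baseline, shifted down three lines because
    # code was inserted above it: a diff-aware scan should not report it.
    {"check_id": "example-rules.eval-detected", "path": "app/views.py",
     "start": {"line": 15}, "extra": {"lines": "result =  eval(user_input)"}},
    # Genuinely new finding introduced by the change: this one is reported.
    {"check_id": "example-rules.eval-detected", "path": "app/views.py",
     "start": {"line": 22}, "extra": {"lines": "total = eval(request.args['expr'])"}},
]


def finding_key(finding):
    """Identify a finding by rule, file and whitespace-normalized matched text."""
    text = " ".join(finding["extra"]["lines"].split())
    return (finding["check_id"], finding["path"], text)


def diff_aware_findings(baseline, head):
    """Return head findings not matched by a baseline finding.

    A multiset is used so that two identical matches in head against one in
    the baseline still surface the second as new.
    """
    budget = Counter(finding_key(f) for f in baseline)
    new = []
    for finding in head:
        key = finding_key(finding)
        if budget[key] > 0:
            budget[key] -= 1  # consumed by an existing baseline finding
        else:
            new.append(finding)
    return new


def fixed_findings(baseline, head):
    """Return baseline findings that no longer appear in head."""
    remaining = Counter(finding_key(f) for f in head)
    fixed = []
    for finding in baseline:
        key = finding_key(finding)
        if remaining[key] > 0:
            remaining[key] -= 1
        else:
            fixed.append(finding)
    return fixed
```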

Full scan

A full scan scans the entire codebase or Git repository in its current state. It is typically performed on trunk or mainline branches, such as main. Semgrep, Inc. recommends performing full scans on a recurring basis, such as daily or weekly.

Policy

A policy refers to the set of rules that Semgrep runs and the workflow actions undertaken when a rule from the policy generates a finding.

A workflow action is an action that is performed by Semgrep when a finding is detected, such as notifying Slack channels or posting a comment in the PR or MR that generated the finding.

Not to be confused with policy-as-code.

Registry (Semgrep Registry)

A collection of publicly available SAST rules that you can download. Rules can be filtered by language, OWASP bug class, severity, and so on. Many of these rules are open source, and you can view the license of the rule you are using. Contributions are welcome.

Rules are frequently organized by rulesets, enabling you to find related rules by framework and language.

Ruleset

Rulesets are rules related through a programming language, OWASP category, or framework. Rulesets are curated by the team at Semgrep and updated as new rules are added to the Semgrep Registry.

Scan target

A scan target is any file, or any collection of files and directories, that Semgrep can scan. While Semgrep can scan any text file through generic mode, Semgrep primarily scans the following:

Codebase

Any code files within a specified directory and its subdirectories.

Project

A repository or codebase that you have added to Semgrep Cloud Platform for scanning along with finding metadata and other Semgrep data and resources.

Repository

A location, typically remote, for source code, including metadata relating to the source code. Semgrep supports Git repositories.
