Remove duplicate findings
Semgrep scans are performed on both mainline (trunk) and non-mainline branches. The scope of the scan differs depending on whether Semgrep is called on a mainline or a non-mainline branch.
- Full scan: Scans the repository in its entirety. It is recommended to perform full scans on mainline branches, such as `master` or `main`. This scan is performed on a scheduled basis.
- Diff-aware scan: Diff-aware scans are performed on non-mainline branches, such as in pull requests and merge requests. Diff-aware scans traverse the repository's files based on the commit where the branch diverged from the mainline branch (or diverged from the last commit that was fully scanned).
Remove duplicate findings using Semgrep AppSec Platform
Regardless of the scope of a scan, Semgrep correlates findings across branches based on their unique fingerprint, automatically deduplicating findings and making it simpler to triage.
If a finding is fixed in one branch (such as `main`) but open in another (such as `production`), and the code fixes are present in both branches, initiate a scan through your CI job or SCM tool on the branch(es) with open findings to have Semgrep mark the findings as fixed.
Remove duplicate findings using Semgrep API
Semgrep API does not automatically deduplicate findings. If you are using Semgrep API to receive or pull findings data, set the `dedup` flag to `true` to deduplicate findings across refs or branches. Refer to List all findings in the Semgrep API docs for more information.
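The following is an added example, not code from the Semgrep docs or the Semgrep project: it builds the "List all findings" request with `dedup=true` and, for a response pulled without that flag, collapses findings by fingerprint so that a fingerprint fixed on one ref but still open on another (the case described above) is surfaced with the ref that needs a re-scan. The API base URL, bearer-token header, and the `match_based_id`, `ref`, and `state` field names are assumptions about the API's response shape.

```python
from collections import defaultdict
from urllib.parse import urlencode

API_BASE = "https://semgrep.dev/api/v1"  # assumed base URL for the Semgrep API


def build_findings_request(deployment_slug: str, token: str, dedup: bool = True):
    """Return (url, headers) for the List all findings call.

    dedup=true asks the API to deduplicate across refs; the API does not
    deduplicate unless this flag is set. Endpoint path is an assumption."""
    query = urlencode({"dedup": "true" if dedup else "false", "page_size": 100})
    url = f"{API_BASE}/deployments/{deployment_slug}/findings?{query}"
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    return url, headers


def collapse_by_fingerprint(findings):
    """Group raw (non-deduplicated) findings by fingerprint.

    Returns {fingerprint: {"open_refs": [...], "fixed_refs": [...]}} so the
    same finding reported from several refs appears once. 'match_based_id'
    is assumed to be the fingerprint field; 'fixed' the resolved state."""
    groups = defaultdict(lambda: {"open_refs": [], "fixed_refs": []})
    for finding in findings:
        bucket = "fixed_refs" if finding["state"] == "fixed" else "open_refs"
        groups[finding["match_based_id"]][bucket].append(finding["ref"])
    return dict(groups)


def refs_needing_rescan(findings):
    """Fingerprints fixed on at least one ref but still open on another,
    mapped to the refs where a fresh scan would let Semgrep mark them fixed."""
    return {
        fp: sorted(refs["open_refs"])
        for fp, refs in collapse_by_fingerprint(findings).items()
        if refs["fixed_refs"] and refs["open_refs"]
    }


# Constructed sample response: fp-a is fixed on main but open on production;
# fp-b is open only on main and needs no branch-specific re-scan.
SAMPLE_FINDINGS = [
    {"id": 1, "ref": "main", "match_based_id": "fp-a", "state": "fixed"},
    {"id": 2, "ref": "production", "match_based_id": "fp-a", "state": "unresolved"},
    {"id": 3, "ref": "main", "match_based_id": "fp-b", "state": "unresolved"},
]

if __name__ == "__main__":
    print(build_findings_request("example-org", "TOKEN_PLACEHOLDER")[0])
    print(refs_needing_rescan(SAMPLE_FINDINGS))
```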