Semgrep

Last updated 3 days ago

Semgrep is a static application security testing (SAST) tool that includes software composition analysis (SCA). It detects security vulnerabilities in your code and analyzes your open-source dependencies for vulnerabilities. You can use it to scan local repositories or integrate it into your CI/CD pipeline.

Integrating Semgrep with Cortex allows you to:

  • Display the latest scans and vulnerability data

  • Create Scorecards that track progress and drive alignment on projects involving Semgrep security data, allowing you to address and remediate vulnerabilities more efficiently

How to configure Semgrep with Cortex

Prerequisites

Before getting started:

  • Create an API token in Semgrep with GET scan details and GET List code or supply chain findings permissions.

Configure the integration in Cortex

  1. In Cortex, navigate to the Semgrep settings page:

    1. In Cortex, click your avatar in the lower left corner, then click Settings.

    2. Under "Integrations", click Semgrep.

  2. Click Add configuration.

  3. Configure the Semgrep integration form:

    • Alias: Enter an alias for this integration.

    • API key: Enter the value of the API token you created in Semgrep.

    • Organization ID: Enter your organization ID for Semgrep.

    • Organization slug: Enter your organization slug for Semgrep.

  4. Click Save.

After saving your configuration, you are redirected to the Semgrep integration settings page in Cortex. In the upper right corner of the page, click Test configuration to ensure Semgrep was configured properly.

How to connect Cortex entities to Semgrep

Match entity names to Semgrep projects

By default, Cortex will use the entity tag (e.g. my-service) as the "best guess" for Semgrep projects. For example, if your entity name is "My Service" or your tag is my-service, then the corresponding project name in Semgrep should also be "My Service" or my-service.

If your Semgrep project names don't cleanly match the Cortex entity name or tag, you can override this in the Cortex entity descriptor.

Editing the entity descriptor

Under the x-cortex-semgrep block in an entity's YAML, you can define the projects you want based on the Semgrep project ID. For example:

x-cortex-semgrep:
  projects:
  - alias: my_org
    projectId: 1234567
  - alias: other_org
    projectId: 7654321
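As an added example (not Cortex's or Semgrep's own code), the following script applies the two matching rules above, the best-guess match on the entity tag and the explicit x-cortex-semgrep override, to a constructed set of entity descriptors and a constructed Semgrep project list, and reports which entities resolve to no Semgrep project at all. The descriptors, the project list and all helper names are assumptions for illustration; in practice the inputs would come from your cortex.yaml files and the Semgrep API.

```python
"""Hypothetical helper (added example, not Cortex's or Semgrep's code): apply the
entity-to-project matching rules on this page to find Semgrep coverage gaps."""

# Constructed sample: entity tag -> parsed cortex.yaml descriptor (only the keys used here)
ENTITIES = {
    "my-service": {},                       # no override: relies on the best-guess tag match
    "payments-api": {"x-cortex-semgrep": {"projects": [
        {"alias": "my_org", "projectId": 1234567},
        {"alias": "other_org", "projectId": 7654321}]}},
    "legacy-batch": {},                     # no override and no Semgrep project with this name
    "web-frontend": {"x-cortex-semgrep": {"projects": [
        {"alias": "my_org", "projectId": 99}]}},  # stale override: ID unknown to Semgrep
}
# Constructed sample of the Semgrep project list (id, name), as pulled from the Semgrep API
SEMGREP_PROJECTS = [(1234567, "payments-api"), (7654321, "payments-api-worker"), (4242, "my-service")]

def declared_projects(descriptor):
    """Project IDs declared under x-cortex-semgrep, or None when the block is absent."""
    block = descriptor.get("x-cortex-semgrep") or {}
    return [int(p["projectId"]) for p in (block.get("projects") or [])] or None

def resolve(tag, descriptor, semgrep_projects):
    """Semgrep project IDs this entity maps to; an empty list means nothing resolved."""
    ids_by_name = {name: pid for pid, name in semgrep_projects}
    known_ids = {pid for pid, _ in semgrep_projects}
    declared = declared_projects(descriptor)
    if declared is not None:
        # An explicit override wins; IDs Semgrep does not know are dropped (stale descriptor)
        return [pid for pid in declared if pid in known_ids]
    # Best guess: a Semgrep project named exactly like the entity tag
    return [ids_by_name[tag]] if tag in ids_by_name else []

def coverage_report(entities, semgrep_projects):
    """Map each entity tag to its resolved Semgrep project IDs."""
    return {tag: resolve(tag, desc, semgrep_projects) for tag, desc in entities.items()}

def coverage_gaps(entities, semgrep_projects):
    """Entity tags resolving to no Semgrep project: fix the descriptor or onboard the repo."""
    return sorted(tag for tag, ids in coverage_report(entities, semgrep_projects).items() if not ids)

if __name__ == "__main__":
    for tag, ids in coverage_report(ENTITIES, SEMGREP_PROJECTS).items():
        print(f"{tag:14} -> {ids or 'no Semgrep project resolved'}")
```

Run against your real entity list, the gaps are the entities whose Semgrep data will never show up in Cortex, either because the best-guess name does not exist in Semgrep or because the override points at a project ID Semgrep no longer has.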

Using the Semgrep integration

Viewing Semgrep information in Cortex

Semgrep vulnerabilities and scans appear on entity details pages:

  • in the Code & security block in the entity's overview (see Semgrep data on an entity's overview).

  • in the entity's sidebar in Code & security: on an entity, click Code & security > Semgrep to view vulnerability details from Semgrep.

    • This page contains scan results and vulnerability metrics from Semgrep. Click Filter at the top of the vulnerability list to filter by severity.

Scorecards and CQL

With the Semgrep integration, you can create Scorecard rules and write CQL queries based on Semgrep projects.

Check if Semgrep project is set

Check if an entity has a registered Semgrep project in its entity descriptor.

Definition: semgrep (==/!=) null: Boolean

Example

An initial level in a security Scorecard might include a rule to make sure entities are associated with a Semgrep project:

semgrep != null

Setting a semgrep != null rule can also serve as a secondary check to confirm an entity is synced properly with Semgrep and is reporting frequently.

List vulnerabilities

List of Semgrep vulnerabilities by severity or type.

Definition: semgrep.vulnerabilities()

Example

You can write a rule to verify an entity has fewer than 10 vulnerabilities:

semgrep.vulnerabilities().length < 10

Get scan results for an entity

Get Semgrep scan results for an entity.

Definition: semgrep.scans()

Example

You could write a Scorecard rule to ensure an entity has fewer than 10 scans:

semgrep.scans().length < 10

You could write a rule to ensure an entity has had fewer than 10 new scans in the last week:

semgrep.scans("firstSeen:-1w").length <= 10

See more examples in the CQL Explorer in Cortex.

Still need help?

The following options are available to get assistance from the Cortex Customer Engineering team:

  • Chat: Available in the Resource Center

  • Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.

  • Email: help@cortex.io, or open a support ticket in the in-app Resource Center

Don't have a Slack channel? Talk with your Customer Success Manager.