Semgrep
Semgrep is a static application security testing (SAST) tool that also includes software composition analysis (SCA). It detects security vulnerabilities in your code and analyzes your open-source dependencies for known vulnerabilities. You can use it to scan local repositories or integrate it into your CI/CD pipeline.
Integrating Semgrep with Cortex allows you to:
Display the latest scans and vulnerability data on entity details pages in Cortex
Create Scorecards that track progress and drive alignment on projects involving Semgrep security data, allowing you to address and remediate vulnerabilities more efficiently
How to configure Semgrep with Cortex
Prerequisites
Before getting started:
Create an API token in Semgrep with the GET scan details and GET List code or supply chain findings permissions. These are read-only scopes; the integration needs nothing more, so do not grant the token additional permissions.
Configure the integration in Cortex
In Cortex, navigate to the Semgrep settings page:
In Cortex, click your avatar in the lower left corner, then click Settings.
Under "Integrations", click Semgrep.
Click Add configuration.
Configure the Semgrep integration form:
Alias: Enter an alias for this integration.
API key: Enter the value of the API token you created in Semgrep.
Organization ID: Enter your organization ID for Semgrep.
Organization slug: Enter your organization slug for Semgrep.
Click Save.
After saving your configuration, you are redirected to the Semgrep integration settings page in Cortex. In the upper right corner of the page, click Test configuration to ensure Semgrep was configured properly.
How to connect Cortex entities to Semgrep
Match entity names to Semgrep projects
By default, Cortex will use the entity tag (e.g. my-service) as the "best guess" for Semgrep projects. For example, if your entity name is "My Service" or your tag is my-service, then the corresponding project name in Semgrep should also be "My Service" or my-service.
If your Semgrep project names don’t cleanly match the Cortex entity name or tag, you can override this in the Cortex entity descriptor.
Editing the entity descriptor
Under the x-cortex-semgrep block in an entity's YAML, you can define the projects you want based on the Semgrep project ID. The alias in each entry is the alias you gave the Semgrep configuration in Cortex, so one entity can point at projects in more than one Semgrep organization. For example:
x-cortex-semgrep:
  projects:
    - alias: my_org
      projectId: 1234567
    - alias: other_org
      projectId: 7654321
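The following script is an added example, not Cortex's or Semgrep's own code. It covers two steps above: it checks that the API token from the prerequisites works and retrieves the Organization ID and slug the configuration form asks for, then applies Cortex's default name/tag match against the organization's Semgrep projects and, where that match fails, renders the x-cortex-semgrep override with candidate project IDs. Assumptions: the Semgrep v1 API paths /deployments and /deployments/{slug}/projects, the JSON field names (deployments[].id, deployments[].slug, projects[].id, projects[].name), and the SEMGREP_APP_TOKEN environment variable name. The SAMPLE_* payloads are constructed so the script also runs offline.

```python
"""Look up the Semgrep values the Cortex integration form (Organization ID
and slug) and the x-cortex-semgrep descriptor block (project IDs) need, and
check whether Cortex's default name/tag match would find a project.

Added example, not Cortex's or Semgrep's own code.  Assumed: the Semgrep v1
API paths /deployments and /deployments/{slug}/projects, the JSON field
names used below, and the SEMGREP_APP_TOKEN environment variable name.
"""
import json
import os
import sys
import urllib.request

SEMGREP_API = "https://semgrep.dev/api/v1"

# Constructed sample responses (field names assumed, see module docstring).
SAMPLE_DEPLOYMENTS = {"deployments": [{"id": 42, "name": "Acme", "slug": "acme"}]}
SAMPLE_PROJECTS = {
    "projects": [
        {"id": 1234567, "name": "my-service"},
        {"id": 7654321, "name": "acme/payments-api"},
    ]
}


def api_get(token: str, path: str) -> dict:
    """GET a Semgrep API path, presenting the token as a Bearer credential.
    Only used when a real token is supplied; the offline path never calls it."""
    req = urllib.request.Request(
        f"{SEMGREP_API}{path}",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def parse_deployments(payload: dict) -> list[dict]:
    """Reduce a deployments response to the Organization ID and slug fields."""
    return [
        {"org_id": d["id"], "org_slug": d["slug"]}
        for d in payload.get("deployments", [])
    ]


def match_projects(projects: list[dict], entity_tag: str, entity_name: str) -> list[int]:
    """Cortex's default 'best guess': a Semgrep project matches an entity when
    the project name equals the entity tag or the entity name exactly."""
    return [p["id"] for p in projects if p["name"] in (entity_tag, entity_name)]


def suggest_projects(projects: list[dict], entity_tag: str) -> list[int]:
    """Looser heuristic (this script's, not Cortex's) for building an override:
    the project name contains the entity tag, ignoring case."""
    tag = entity_tag.lower()
    return [p["id"] for p in projects if tag in p["name"].lower()]


def render_override(alias: str, project_ids: list[int]) -> str:
    """Render the x-cortex-semgrep block for an entity whose Semgrep project
    name does not match; alias is the Semgrep configuration's alias in Cortex."""
    lines = ["x-cortex-semgrep:", "  projects:"]
    for pid in project_ids:
        lines += [f"    - alias: {alias}", f"      projectId: {pid}"]
    return "\n".join(lines) + "\n"


def main(entity_tag: str = "payments-api", entity_name: str = "Payments API") -> int:
    token = os.environ.get("SEMGREP_APP_TOKEN")
    if token:
        orgs = parse_deployments(api_get(token, "/deployments"))
        if not orgs:
            print("token accepted but no deployments visible; check its scopes", file=sys.stderr)
            return 2
        projects = api_get(token, f"/deployments/{orgs[0]['org_slug']}/projects")["projects"]
    else:
        print("SEMGREP_APP_TOKEN not set; using constructed sample data", file=sys.stderr)
        orgs = parse_deployments(SAMPLE_DEPLOYMENTS)
        projects = SAMPLE_PROJECTS["projects"]

    for org in orgs:
        print(f"Organization ID: {org['org_id']}  Organization slug: {org['org_slug']}")

    matched = match_projects(projects, entity_tag, entity_name)
    if matched:
        print(f"default match works for {entity_tag!r}: project IDs {matched}")
        return 0
    print(f"no Semgrep project named {entity_tag!r} or {entity_name!r}; candidate override:")
    print(render_override("my_org", suggest_projects(projects, entity_tag)))
    return 1


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:3]))
```

Run it as `python semgrep_lookup.py <entity-tag> "<Entity Name>"` with SEMGREP_APP_TOKEN exported; a non-zero exit means the default match would not find the project and the printed block is a starting point for the entity descriptor, with the alias changed to your own configuration's alias. The live path only reads the first organization's projects; with several Semgrep organizations, repeat per slug.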
Using the Semgrep integration
Viewing Semgrep information in Cortex
Semgrep vulnerabilities and scans appear on entity details pages:
in the Code & security block in the entity's overview
in the entity's sidebar under Code & security
The Code & security page contains scan results and vulnerability metrics from Semgrep. Click Filter at the top of the vulnerability list to filter by severity.
Scorecards and CQL
With the Semgrep integration, you can create Scorecard rules and write CQL queries based on Semgrep projects.
See examples in the CQL Explorer in Cortex.
Still need help?
The following options are available to get assistance from the Cortex Customer Engineering team:
Email: help@cortex.io, or open a support ticket in the in-app Resource Center
Chat: Available in the Resource Center
Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.
Don’t have a Slack channel? Talk with your Customer Success Manager.