Semgrep

Semgrep is a static application security testing (SAST) tool that also includes software composition analysis (SCA). It detects security vulnerabilities in your code and analyzes your open-source dependencies for known vulnerabilities. You can use it to scan local repositories or integrate it into your CI/CD pipeline.

Integrating Semgrep with Cortex allows you to:

  • Display the latest scans and vulnerability data on entity details pages in Cortex

  • Create Scorecards that track progress and drive alignment on projects involving Semgrep security data, allowing you to address and remediate vulnerabilities more efficiently

How to configure Semgrep with Cortex

Prerequisites

Before getting started:

Configure the integration in Cortex

  1. In Cortex, navigate to the Semgrep settings page:

    1. In Cortex, click your avatar in the lower left corner, then click Settings.

    2. Under "Integrations", click Semgrep.

  2. Click Add configuration.

  3. Configure the Semgrep integration form:

    • Alias: Enter an alias for this integration.

    • API key: Enter the value of the API token you created in Semgrep.

    • Organization ID: Enter your organization ID for Semgrep.

    • Organization slug: Enter your organization slug for Semgrep.

  4. Click Save.

After saving your configuration, you are redirected to the Semgrep integration settings page in Cortex. In the upper right corner of the page, click Test configuration to ensure Semgrep was configured properly.

How to connect Cortex entities to Semgrep

Match entity names to Semgrep projects

By default, Cortex will use the entity tag (e.g. my-service) as the "best guess" for Semgrep projects. For example, if your entity name is "My Service" or your tag is my-service, then the corresponding project name in Semgrep should also be "My Service" or my-service.

If your Semgrep project names don’t cleanly match the Cortex entity name or tag, you can override this in the Cortex entity descriptor.

Editing the entity descriptor

Under the x-cortex-semgrep block in an entity's YAML, you can define the projects you want based on the Semgrep project ID. For example:

x-cortex-semgrep:
  projects:
  - alias: my_org
    projectId: 1234567
  - alias: other_org
    projectId: 7654321

Using the Semgrep integration

Viewing Semgrep information in Cortex

Semgrep vulnerabilities and scans appear on entity details pages:

  • in the Code & security block in the entity's overview.

  • in the entity's sidebar in Code & security.

    • This page contains scan results and vulnerability metrics from Semgrep. Click Filter at the top of the vulnerability list to filter by severity.

Scorecards and CQL

With the Semgrep integration, you can create Scorecard rules and write CQL queries based on Semgrep projects.

See more examples in the CQL Explorer in Cortex.

Check if Semgrep project is set

Check if entity has a registered Semgrep project in its entity descriptor.

Definition: semgrep (==/!=) null: Boolean

Example

An initial level in a security Scorecard might include a rule to make sure entities are associated with a Semgrep project:

semgrep != null

Setting a semgrep != null rule can also serve as a secondary check to confirm an entity is synced properly with Semgrep and is reporting frequently.

List vulnerabilities

List of Semgrep vulnerabilities by severity or type.

Definition: semgrep.vulnerabilities()

Example

You can write a rule to verify an entity has fewer than 10 vulnerabilities:

semgrep.vulnerabilities().length < 10

Get scan results for an entity

Get Semgrep scan results for an entity.

Definition: semgrep.scans()

You could write a Scorecard rule to ensure an entity has fewer than 10 scans:

semgrep.scans().length < 10

You could write a rule to ensure an entity has had fewer than 10 new scans in the last week:

semgrep.scans("firstSeen:-1w").length < 10
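To make the matching rule from "Match entity names to Semgrep projects" and the three Scorecard rules above concrete, here is an added Python example that is not Cortex's or Semgrep's own code. It models the project resolution (descriptor override by projectId, otherwise a "best guess" on entity title or tag) and evaluates the rules against a constructed project catalog; the descriptor field names `info.title` and `info.x-cortex-tag` and the project record shape are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample catalog of Semgrep projects keyed by projectId (not real data).
SEMGREP_PROJECTS = {
    1234567: {"name": "my-service",
              "vulnerabilities": [{"severity": "HIGH"}] * 3,
              "scans": [{"firstSeen": "2024-05-01T10:00:00+00:00"},
                        {"firstSeen": "2024-05-06T10:00:00+00:00"}]},
    7654321: {"name": "Billing Service",
              "vulnerabilities": [{"severity": "LOW"}] * 12,
              "scans": [{"firstSeen": "2024-04-01T10:00:00+00:00"}]},
}


def resolve_projects(entity, catalog):
    """Return the Semgrep projects an entity maps to.

    An x-cortex-semgrep block in the descriptor wins and is matched by projectId;
    otherwise fall back to the doc's "best guess": a project whose name equals
    the entity title or its x-cortex-tag (descriptor field names are assumed).
    """
    override = entity.get("x-cortex-semgrep", {}).get("projects")
    if override:
        return [catalog[p["projectId"]] for p in override if p["projectId"] in catalog]
    wanted = {entity["info"]["title"], entity["info"]["x-cortex-tag"]}
    return [p for p in catalog.values() if p["name"] in wanted]


def evaluate_rules(projects, now_iso):
    """Evaluate the page's three Scorecard rules against the resolved projects.

    now_iso is an ISO-8601 timestamp with offset, e.g. "2024-05-07T00:00:00+00:00".
    """
    if not projects:                      # semgrep == null: no project registered
        return {"semgrep_set": False}
    now = datetime.fromisoformat(now_iso)
    week_ago = now - timedelta(weeks=1)   # the firstSeen:-1w window
    vulns = sum(len(p["vulnerabilities"]) for p in projects)
    new_scans = sum(1 for p in projects for s in p["scans"]
                    if datetime.fromisoformat(s["firstSeen"]) >= week_ago)
    return {"semgrep_set": True,                   # semgrep != null
            "under_10_vulns": vulns < 10,          # semgrep.vulnerabilities().length < 10
            "under_10_new_scans": new_scans < 10}  # semgrep.scans("firstSeen:-1w").length < 10
```

An entity with no matching project fails the `semgrep != null` rule first, which is why that rule is a useful early check before counting vulnerabilities or scans.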

Still need help?

The following options are available to get assistance from the Cortex Customer Engineering team:

  • Email: help@cortex.io, or open a support ticket in the in-app Resource Center

  • Chat: Available in the Resource Center

  • Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.

Don’t have a Slack channel? Talk with your Customer Success Manager.
